March 26, 2020 - Health Sector, Public Sector

New Power to Issue Administrative Penalties Among Significant Amendments to Ontario’s Health Privacy Legislation

Significant amendments to Ontario’s Personal Health Information Protection Act (PHIPA) were passed on Wednesday by the Ontario legislature.

The amendments were included in Bill 188, “An Act to enact and amend various statutes”. The short title of the Act is the Economic and Fiscal Update Act, 2020.

Here are a few of the key amendments that may be of particular interest to privacy practitioners in the health care and technology space:  

New Powers for the Information and Privacy Commissioner

  • The Commissioner may order a person to pay an administrative penalty for the purposes of encouraging compliance with PHIPA and preventing a person from deriving any economic benefit as a result of contravening the Act.
  • The amount of the administrative penalty should reflect these purposes and be determined by the Commissioner in accordance with the regulations.
  • The power to order an administrative penalty is subject to a two-year limitation period from the day the contravention comes to the knowledge of the Commissioner and does not preclude any other enforcement measure or remedy.
  • The Commissioner also has a new power to order production of electronic audit logs of health information custodians.
  • The Commissioner may inspect records containing personal health information which he or she has reasonable grounds to believe have been abandoned. 

Higher Penalties for Offences under the Act

  • The maximum penalty for offences (including snooping) has been increased to $200,000 for a natural person and $1,000,000 if the offender is not a natural person.
  • Justices may order a person, other than a person under investigation for an offence, to produce certain documents or data if there are reasonable grounds to believe that a) an offence under the Act has been or is being committed; b) the document or data will provide evidence respecting the offence; and c) the person who is subject to the order has possession or control of it.

New Obligations for Health Information Custodians (HICs)

  • HICs that use electronic means to collect, use, or disclose personal health information must maintain an electronic audit log.
  • The electronic audit log must contain certain information set out in the Act and as may be further prescribed by regulation.
  • HICs shall produce a copy of the log to the Commissioner on request.

“Consumer Electronic Service Providers” and Right of Access

  • The Bill introduces a new concept of “consumer electronic service providers” that provide electronic services to individuals for the purpose of, among other things, allowing them to access, use or manage their records of personal health information.
  • Consumer electronic service providers will have to comply with prescribed requirements.
  • The Bill provides that HICs who receive access requests from consumer electronic service providers are not required to provide personal health information to the consumer electronic service provider in response to the request.
  • The individual’s right to access their personal health records now explicitly includes the right to access them in an electronic format that meets certain prescribed requirements.

New Collections and Disclosures

  • On request, HICs shall disclose personal health information to the Minister for the purpose of determining, providing, monitoring or verifying payment for health care funded wholly or in part by the Ministry.
  • Members of a ministry data integration unit, or an “extra-ministerial data integration unit” (a new concept introduced under parallel amendments to Ontario’s Freedom of Information and Protection of Privacy Act), may collect, and HICs may disclose, personal health information by means of an electronic health record for purposes of: a) managing or allocating resources; b) planning the delivery of programs or services; and c) evaluating those programs or services.
  • The Chief Medical Officer of Health or a medical officer of health may collect personal health information by means of an electronic health record for purposes related to their duties under the Health Protection and Promotion Act or the Immunization of School Pupils Act.

New Definition of “Deidentify”

  • The concept of “deidentify” has been defined as meaning “to remove, in accordance with such requirements as may be prescribed, any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual”. This new definition leaves room for further specification of what “deidentification” requires by way of regulation.

Note: Not all of these legislative amendments are yet in force. AccessPrivacy will be monitoring when these new provisions come into force and will provide further information at that time.  

These latest amendments to Ontario’s PHIPA and their practical implications will be discussed in greater detail on our next Monthly AccessPrivacy call on April 22.