On March 25, 2020, Ontario enacted significant amendments to the Personal Health Information Protection Act (PHIPA). The changes create more robust enforcement mechanisms and increased regulation of the use of electronic health records. Some amendments took effect immediately upon enactment, while others will come into force on a day to be proclaimed by the Lieutenant Governor.

Notable changes to PHIPA that took effect immediately upon enactment include:

  • a new enforcement regime
  • allowances for the use of health information for identification and record-linkage purposes
  • the right to access personal health information records electronically

New Enforcement Regime

Under the new enforcement regime, the Information and Privacy Commissioner of Ontario (“Commissioner”) may make orders to encourage compliance and impose administrative penalties for contraventions of PHIPA or its regulations. The amendments provide the possibility of up to one year of imprisonment and double the maximum administrative penalty for offences to $200,000 for an individual and $1,000,000 for an organization. A limitation period of two years from the date the most recent contravention first came to the knowledge of the Commissioner applies to the new enforcement regime.

Use of Health Information for Identification and Record-Linkage

Health information custodians and other persons as may be prescribed in the regulations may now also collect, use, and disclose, with proper consent, an individual’s Ontario Health Insurance Plan (“OHIP”) number for identification and record-linkage purposes, even when no provincially funded health care is provided.

Right to Access Personal Health Information Records Electronically

Individuals now have a right to access a record of their personal health information in an electronic format, as set out in the regulations, which may prescribe additional requirements, restrictions, or exceptions.

Changes to PHIPA that will come into force on a day to be proclaimed by the Lieutenant Governor include:

  • a new definition of “de-identify” and limits on the use of de-identified information
  • broader applicability to encompass consumer electronic service providers
  • a requirement for an audit log for personal health information held electronically

As these amendments contemplate future regulations setting out requirements and additional obligations, many of the practical details of these amendments remain unclear.

De-Identification Standards and Limits on the Use of De-Identified Information

The amended definition of de-identify will involve specific de-identification requirements, as set out in regulations. The new limits on the use of de-identified information will restrict the use of de-identified information to identify an individual to health information custodians and other narrow classes of prescribed persons.

Consumer Electronic Service Providers

Upon proclamation, consumer electronic service providers that process personal health information (e.g., app developers and other consumer-facing health technology companies) will become directly subject to PHIPA and its regulations.

Electronic Audit Log

Health information custodians using electronic means to collect, use, disclose, modify, retain, or dispose of personal health information must maintain and monitor an electronic audit log. This log must capture every instance an electronic health record is viewed, handled, modified, or otherwise dealt with. The audit log must contain:

  • the type of personal health information dealt with
  • the date and time the personal health information is dealt with
  • the identity of the person dealing with the information
  • the identity of the individual to whom the information dealt with relates
  • any additional information required by the regulations

If a health information custodian engages an electronic service provider, they must require the service provider to maintain the electronic audit log.

A copy of the electronic audit log must be provided to the Commissioner upon request.

Author

Theo heads Baker McKenzie's Canadian Information Technology/Communications practice and is a member of the Firm's Global IP/Technology Practice Group, and Technology, Media & Telecoms and Financial Institutions Industry Groups.

Author

Jessie Sheehan is an Associate in Baker McKenzie's Toronto Office and a member of the Intellectual Property and Technology Practice Group. With a Master of Information from the University of Toronto, Jessie has extensive expertise in information science and emerging technology policy. Before joining the Firm as an Associate, she worked as an information governance specialist providing clients with strategic consulting focused on information management, regulatory compliance, and data privacy and security.
