On March 25, 2020, Ontario enacted significant amendments to the Personal Health Information Protection Act (PHIPA). The changes create more robust enforcement mechanisms and increase regulation of the use of electronic health records. Some amendments took effect immediately upon enactment, while others will come into force on a day to be proclaimed by the Lieutenant Governor.
Notable changes to PHIPA that took effect immediately upon enactment include:
- a new enforcement regime
- allowances for the use of health information for identification and record-linkage purposes
- the right to access personal health information records electronically
New Enforcement Regime
Under the new enforcement regime, the Information and Privacy Commissioner of Ontario (“Commissioner”) may make orders to encourage compliance and impose administrative penalties for contraventions of PHIPA or its regulations. The amendments provide the possibility of up to one year of imprisonment and double the maximum administrative penalty for offences to $200,000 for an individual and $1,000,000 for an organization. A limitation period of two years applies to the new enforcement regime, running from the date on which the most recent contravention first came to the knowledge of the Commissioner.
Use of Health Information for Identification and Record-Linkage
Health information custodians, and other persons as may be prescribed in the regulations, may now also collect, use, and disclose, with proper consent, an individual’s Ontario Health Insurance Plan (“OHIP”) number for identification and record-linkage purposes, even when no provincially funded health care is provided.
Right to Access Personal Health Information Records Electronically
Individuals now have a right to access a record of their personal health information in an electronic format, subject to the regulations, which may prescribe additional requirements, restrictions, or exceptions.
Changes to PHIPA that will come into force on a day to be proclaimed by the Lieutenant Governor include:
- a new definition of “de-identify” and limits on the use of de-identified information
- broader applicability to encompass consumer electronic service providers
- a requirement for an audit log for personal health information held electronically
As these amendments contemplate future regulations setting out requirements and additional obligations, many of the practical details of these amendments remain unclear.
De-Identification Standards and Limits on the Use of De-Identified Information
The amended definition of “de-identify” will incorporate specific de-identification requirements, as set out in regulations. The new limits will restrict the use of de-identified information to identify an individual, permitting it only for health information custodians and other narrow classes of prescribed persons.
Consumer Electronic Service Providers
Upon proclamation, consumer electronic service providers that process personal health information (e.g., app developers and other consumer-facing health technology companies) will become directly subject to PHIPA and its regulations.
Electronic Audit Log
Health information custodians using electronic means to collect, use, disclose, modify, retain, or dispose of personal health information must maintain and monitor an electronic audit log. This log must capture every instance in which an electronic health record is viewed, handled, modified, or otherwise dealt with. The audit log must contain:
- the type of personal health information dealt with
- the date and time the personal health information is dealt with
- the identity of the person dealing with the information
- the identity of the individual to whom the information dealt with relates
- any additional information required by the regulations
If a health information custodian engages an electronic service provider, they must require the service provider to maintain the electronic audit log.
A copy of the electronic audit log must be provided to the Commissioner upon request.
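As an added illustration (not from the statute or any custodian's system) of what an audit log meeting the required contents looks like in practice, the following Python builds one entry per instance of dealing with a record, refuses to write an entry that lacks a required field, and supports the two things a custodian must be able to do with the log: answer who dealt with a given individual's information, and monitor it for unusual activity. Field names, the extra "action" field, and the sample entries are assumptions for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Fields the amendments require in every entry. The key names are assumed for
# this example; "action" stands in for the additional information the
# regulations may require (how the information was dealt with).
REQUIRED_FIELDS = ("info_type", "timestamp", "actor_id", "subject_id", "action")


def make_entry(info_type, actor_id, subject_id, action, when):
    """One audit-log entry for a single instance of dealing with a record."""
    return {
        "info_type": info_type,          # type of personal health information
        "timestamp": when.isoformat(),   # date and time it was dealt with
        "actor_id": actor_id,            # identity of the person dealing with it
        "subject_id": subject_id,        # identity of the individual it relates to
        "action": action,                # viewed, modified, disclosed, ...
    }


def missing_fields(entry):
    """Required fields the entry lacks or leaves empty (empty list = complete)."""
    return [f for f in REQUIRED_FIELDS if not entry.get(f)]


def write_log(entries, path):
    """Append entries as JSON lines; incomplete entries are rejected before any write."""
    bad = [missing_fields(e) for e in entries if missing_fields(e)]
    if bad:
        raise ValueError(f"incomplete audit entries: {bad}")
    with open(path, "a", encoding="utf-8") as fh:
        for e in entries:
            fh.write(json.dumps(e, sort_keys=True) + "\n")


def accesses_to_subject(entries, subject_id):
    """Every instance an individual's information was dealt with, oldest first."""
    return sorted((e for e in entries if e["subject_id"] == subject_id),
                  key=lambda e: e["timestamp"])


def actors_over_threshold(entries, max_subjects):
    """Monitoring check: actors who dealt with more distinct individuals than expected."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["actor_id"]].add(e["subject_id"])
    return {a: len(s) for a, s in seen.items() if len(s) > max_subjects}


def sample_log():
    """Constructed sample entries (not real data) for trying the functions above."""
    t = lambda h: datetime(2020, 3, 25, h, 0, tzinfo=timezone.utc)
    return [make_entry("lab result", "nurse-17", "patient-001", "viewed", t(9)),
            make_entry("lab result", "nurse-17", "patient-002", "viewed", t(10)),
            make_entry("medication", "nurse-17", "patient-003", "modified", t(11)),
            make_entry("imaging", "clerk-04", "patient-001", "viewed", t(12))]
```

The threshold in `actors_over_threshold` is a placeholder; a real custodian would tune it to the role and the expected caseload.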