As we discussed in a separate blog post last week, the Ontario legislature enacted Bill 188, the Economic and Fiscal Update Act, 2020 on March 25, 2020. Bill 188 enacts and amends various statutes as part of the provincial government’s response to the emerging needs and issues that have arisen out of the COVID-19 pandemic. Just as the impact of COVID-19 has been wide-ranging and significant, the response that it has necessitated is similarly broad in scope, as illustrated by the expansive reach of Bill 188. This post will discuss Schedule 6 of Bill 188, which amends various provisions of the Personal Health Information Protection Act, 2004 (PHIPA).
PHIPA is Ontario’s health privacy legislation; it establishes the rules surrounding the collection, use, and disclosure of personal health information (PHI). PHIPA was created in 2004 to regulate the exchange of PHI, and has continually evolved as this exchange increasingly occurred electronically.
In light of the coronavirus pandemic, society has suddenly been forced to shift to a more digital existence. While much of the health care industry has long embraced the benefits of digital recordkeeping and information sharing, there are nonetheless a number of health care providers for whom electronic health records and the remote provision of care are uncharted waters. The new amendments contained in Bill 188 are designed to account for the growing reliance on digital health care, and are an attempt to sufficiently protect information, particularly at a time when remote work necessitates that more information than ever be transmitted electronically.
The key amendments, which are of particular interest to health care providers, privacy officers and staff, and providers of technology for health providers, are detailed below.
Health Information Custodians Must Maintain an Electronic Audit Log
PHIPA applies broadly to persons and organizations who have custody or control of PHI. Each such person or organization is defined as a Health Information Custodian (HIC). Bill 188 enacts a new section 10.1 of PHIPA, which sets out a new requirement for HICs that use electronic means to collect, use, disclose, modify, retain or dispose of PHI: that they must maintain, audit and monitor an electronic log.
Further, the new section mandates that the electronic audit log must contain a tremendous amount of information about the record, including when and by whom a record was created and altered and every time that a record was viewed. In particular, the electronic audit log must include, for every instance in which a record or part of a record of PHI that is accessible by electronic means is viewed, handled, modified or otherwise dealt with:
- The type of information that was viewed, handled, modified or otherwise dealt with;
- The date and time on which the information was viewed, handled, modified or otherwise dealt with;
- The identity of all persons who viewed, handled, modified or otherwise dealt with the PHI;
- The identity of the individual to whom the PHI relates; and
- Any other information that may be prescribed.
The HIC must provide a copy of the electronic audit log to the Information and Privacy Commissioner of Ontario (the “IPC”) upon request, even if it contains PHI.
Information and Privacy Commissioner Afforded Increased Powers
Section 61 of PHIPA is amended to provide the IPC with authority to order a person to pay an administrative penalty if they have contravened PHIPA. The purpose of the penalty is to encourage compliance with PHIPA, and to prevent a person from deriving, directly or indirectly, any economic benefit by contravening PHIPA or any of its regulations.
The amount of the administrative penalty should reflect these purposes, and is to be determined by the IPC in accordance with the regulations under PHIPA. There is a two-year limitation period from the day the contravention comes to the knowledge of the IPC. Further, the power to order an administrative penalty does not prohibit the use of any other enforcement measure or remedy available under PHIPA.
Section 55 of PHIPA is amended to allow the IPC to inspect PHI records, without consent, where the IPC has reasonable grounds to determine that the records have been abandoned. As noted above, the IPC also has the power to order production of electronic audit logs from HICs.
Increased Penalties for Offences Under PHIPA
Penalties for offences under PHIPA have doubled; the maximum penalty has increased from $100,000 to $200,000 for a natural person, and to $1,000,000 if the offender is not a natural person (the previous penalty was $500,000).
In addition to the increased penalty, the amendments provide for the possibility of a maximum one-year term of imprisonment for a natural person guilty of an offence under PHIPA.
Further, Bill 188 enacts section 71.1 of PHIPA, which allows justices to make production orders requiring persons to produce certain documents or data if satisfied that an offence under PHIPA has been or is being committed and that the document or data will provide evidence respecting the offence or suspected offence. The order must be applied for by a provincial offences officer, and the person who is subject to the order must have possession or control of the document/data.
Consumer Electronic Service Providers
Bill 188 enacts a new section 54.1 of PHIPA, identifying a “consumer electronic service provider” as a person who provides electronic services to individuals at their request, primarily for the purpose of allowing those individuals to access, use, disclose, modify, maintain or otherwise manage their PHI records. There will be various prescribed requirements that consumer electronic service providers must comply with, along with requirements that apply to HICs that provide PHI to consumer electronic service providers. These amendments are some of the more explicit examples of how PHIPA is further adapting to the continued emergence of technology in the collection, use, and disclosure of PHI.
Access, Collections and Disclosures
Bill 188 amends Section 52 of PHIPA to allow for the right of access to a record of PHI to include the right to access it in an electronic format.
Section 34 of PHIPA is amended to allow prescribed persons, and HICs that are providing health care to a person, to collect or use the person’s health number, with the person’s consent, for certain verification and linking purposes.
Section 46 is re-enacted to require the disclosure of PHI upon request of the Minister, or other prescribed ministers, by a HIC for the purpose of determining, providing, monitoring or verifying payment for health care funded wholly or in part by the Ministry.
Section 39 of PHIPA is amended to allow for the disclosure of PHI for purposes related to the Immunization of School Pupils Act. Additionally, the Chief Medical Officer of Health or a medical officer of health may collect PHI by means of the electronic health record for purposes related to their duties under the Health Protection and Promotion Act or the Immunization of School Pupils Act.
Much of Bill 188 is a product of the Ontario government’s response to the coronavirus pandemic. However, while some of the above-mentioned amendments to PHIPA detail how HICs can manage data as they increasingly rely on digital platforms, these amendments are more a reflection of a shifting health care landscape than an acute reaction to a crisis. More information than ever is available through digital means; as social and economic interaction shifts online, so too must the laws that regulate it. There is no sector where this need is more prevalent than privacy and, in particular, health care privacy. As such, PHIPA is in a constant state of evolution, and one that requires all stakeholders to take continual notice of how the legislation evolves to meet the needs of the industries and individuals it regulates.
The above amendments, although not exhaustive, are indicative of the pressing need to adapt to an increased reliance on digital means of communication, particularly in light of the immediate need to facilitate remote work.
For any questions regarding the changes to PHIPA, or for any assistance with interpreting privacy legislation, please contact us.
The full statute can be found here.