Recent Changes to PHIPA Affecting Health Information Custodians

On May 18, 2016, the Ontario government passed Bill 119, the Health Information Protection Act, 2016, which we summarized on our blog last fall, shortly after it was introduced in the Ontario Legislature. Bill 119 makes significant amendments to the Personal Health Information Protection Act, 2004 (“PHIPA”) and related pieces of legislation relevant to the health care sector. In this post, we highlight the key provisions of Bill 119 that are now in force and which have significant impacts for health care professionals, institutions and organizations (“health information custodians” or “HICs”) across the province that collect, use and maintain personal health information (“PHI”).

Amendments to PHIPA

The key amendments to PHIPA introduced through Bill 119 that are now in force include:

  • Revised Definition of “Use”: The term “use” now means “to view, handle or otherwise deal with the information”. The inclusion of the word “view” in the revised definition appears to be aimed at preventing unauthorized “snooping” into individuals’ health records.

  • Increased Fines: The maximum fines for privacy offences have doubled from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations. In addition, the 6-month limitation on commencing prosecutions for offences under section 72 of PHIPA has been eliminated.

  • Mandatory Reporting to the IPC: Previously, privacy breaches only had to be reported to affected individuals. HICs are now required to report privacy breaches to the Information and Privacy Commissioner of Ontario (“IPC”), where the circumstances surrounding the theft, loss or unauthorized use or disclosure of PHI meet certain prescribed criteria. At this time, however, the government has not yet passed any regulations with respect to this amendment and therefore, the mandatory duty is not effectively in force.

  • Mandatory Reporting to Regulatory Colleges: HICs are now required to make a report to the health regulatory colleges (or the College of Social Workers and Social Services Workers) in certain circumstances regarding privacy breaches. Specifically, HICs that employ, grant privileges to, or are otherwise affiliated with a member of one of these colleges are required to notify the relevant regulatory college within 30 days of any of the following events:

    • An employee is terminated, suspended or subject to disciplinary action as a result of a privacy breach;

    • An employee resigns, and the HIC has reasonable grounds to believe that the resignation is related to an investigation (or other action) into an alleged privacy breach;

    • An agent’s privileges or affiliation with the HIC are revoked, suspended or restricted as a result of a privacy breach; or

    • An agent relinquishes or voluntarily restricts his or her privileges or affiliation with the HIC, and the HIC has reasonable grounds to believe that it is related to an investigation (or other action) into an alleged privacy breach.

  • Notice Requirements: Prior to these amendments, HICs were required to notify affected individuals of a privacy breach at the first reasonable opportunity. This notice must now include a statement that the individual is entitled to make a complaint to the IPC.

  • Responsibilities of HICs and Agents: HICs are granted increased authority to set conditions or restrictions over the collection, use, disclosure, retention or disposal of PHI by their agents. An agent’s authority to deal with PHI is amended, such that agents are permitted to collect, use, disclose, retain or dispose of PHI only if:

    • the HIC permits it;

    • it is necessary for carrying out the agent’s duties;

    • it is not contrary to PHIPA or another law;

    • any restrictions or conditions imposed by the HIC are met; and

    • any additional obligations set out in regulations are met (of which there are currently none).

Bill 119 also introduces a new Part V.1 to PHIPA to create a privacy framework for Electronic Health Records (“EHR”). The EHR is the provincial electronic system that is developed and maintained by eHealth Ontario to enable HICs to collect, use and disclose PHI for the purpose of providing or assisting in the provision of health care to the individuals whose PHI is in the EHR. eHealth Ontario will also manage and oversee the EHR, including by monitoring and logging access. The provisions of Bill 119 relating to the governance, development and maintenance of the EHR are not yet in force, but once they are proclaimed they will have significant implications for patients and HICs.

New Quality of Care Information Protection Act

Another main function of Bill 119 is to replace the existing Quality of Care Information Protection Act, 2004 (“QCIPA”) with an entirely new act of the same name. In our blog post last fall, we summarized some of the key elements of the new QCIPA. At this time, however, the provisions of Bill 119 that repeal and replace QCIPA have not been proclaimed into force. We will review the changes implemented by the new QCIPA in greater detail and discuss the implications for health facilities once the new QCIPA becomes law.

Further Information to Come

The full implementation of all of the amendments set out in Bill 119 depends on the development of regulations and the proclamation of the remaining provisions. We will be watching the developments closely and will keep you updated as they occur.

It will be important for health care organizations to update their privacy policies and practices in light of these legislative amendments. With our extensive experience and expertise in privacy, we are well equipped to assist health care professionals and organizations with this. Please contact us for further information.
