Under the Economic and Fiscal Update Act, 2020, which received Royal Assent on March 25th, changes to Ontario’s Personal Health Information Protection Act (PHIPA) came into force, with other significant changes coming into force at a later date upon proclamation by the Lieutenant Governor once regulations are in place. This article reviews the changes that took effect at the end of March as well as what we can expect in the near future.
PHIPA CHANGES CURRENTLY IN EFFECT
NEW ADMINISTRATIVE PENALTY REGIME
The amendment to section 61 of PHIPA now states that if a person contravenes the Act or the regulations, the Commissioner can order that an administrative penalty be paid. The Commissioner has authority to decide the amount of the financial penalty in any order, subject to the regulations.
PENALTIES FOR OFFENCES DOUBLED
The amendment to section 72 doubles the maximum penalty for offences under PHIPA. The maximum penalty is now $200,000 for an individual and $1,000,000 for a corporation.
AN INDIVIDUAL’S RIGHT TO ACCESS A RECORD
The amendment to section 52 now includes the right to access one’s own personal health information in electronic format. This is granted as long as the electronic format meets the authorized requirements, subject to certain restrictions, and additional requirements or exceptions that may be prescribed in the regulations.
PHIPA CHANGES NOT YET IN FORCE
CONSUMER ELECTRONIC SERVICE PROVIDERS
Technology companies such as developers of mobile device applications or online portals that process personal health information have never been governed by PHIPA. The new section 54.1 outlines a new requirement for “consumer electronic service providers” (CESPs) who provide electronic services to individuals for the purpose of accessing, using, disclosing, modifying, maintaining, or otherwise managing their electronic records of personal health information. When the new amendment becomes effective, all companies that provide such consumer-facing services will be directly governed by PHIPA.
It is important to note that the Economic and Fiscal Update Act is the Ontario government’s initial pandemic response legislation. The new regulations to be put in place will give CESPs permission to collect OHIP card numbers for purposes of confirming the identity of individuals. PHIPA originally strictly limited the collection of an OHIP number to healthcare professionals to prevent it from becoming a unique personal identifier that could facilitate linking of health data about an individual. However, under the amendments to PHIPA, a CESP may collect and use a health number primarily to confirm the identity of an individual. This change in direction could have longer-term implications that need to be thought through.
NEW DE-IDENTIFICATION STANDARDS
The definition of “de-identify” in relation to personal health information of an individual will involve specific de-identification requirements that will be set out in regulations. Currently, PHIPA defines identifying information in section 4(2) as “information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual”. The regulations will likely build upon existing Commissioner guidance around de-identification of personal health information, with a view to setting minimum legal standards for entities subject to PHIPA. The advantage of imposing de-identification requirements by regulation is that they can more easily adapt to changes in technology.
ELECTRONIC AUDIT LOG
A new section 10.1 will provide that health information custodians maintain, audit, and monitor an electronic audit log when collecting, using, disclosing, modifying, retaining or disposing of personal health information through electronic means. The log must include the following information:
- Type of information viewed, handled, modified or otherwise dealt with;
- Date and time it was viewed, handled, modified or otherwise dealt with;
- Identity of all persons who viewed, handled, modified or otherwise dealt with the personal health information; and
- Identity of the individual to whom the personal health information relates.
Although many of the PHIPA amendments have not yet come into effect, it is important that health information custodians proactively address how these new changes affect their individual or business operations now, and take the necessary steps to update current operations and get ready for these changes.
Written comments from the public regarding the proposed regulations can be submitted under an ongoing consultation period until July 1, 2020. For assistance with understanding the PHIPA amendments and ensuring your business can comply with them, contact PRIVATECH.