CMPA Member Advice: Ontario, Health Information Protection Act, 2016 (Bill 119)
Posted August 2017
Ontario members have contacted the CMPA with questions regarding Bill 119, which amends a number of provisions in the Personal Health Information Protection Act (PHIPA) and repeals and replaces the Quality of Care Information Protection Act (QCIPA). Many of the amendments made to PHIPA are now in force. The new QCIPA is also now in effect.
The amendments to PHIPA include provisions that increase fines for offences for privacy breaches and eliminate the limitation period for the prosecution of offences under PHIPA. In addition, health information custodians (which could be a physician in certain circumstances) are now required to report privacy breaches to the Information and Privacy Commissioner (IPC) in "prescribed circumstances". In some cases, it may be necessary to report a breach to the relevant Regulatory College (e.g., where a custodian takes disciplinary action with respect to a health care professional’s employment or privileges). Notices from health information custodians to individuals following a privacy breach must also include a statement that the individual has the right to make a complaint to the IPC.
New regulations (available at https://www.ontario.ca/laws/regulation/r17224) prescribing the circumstances in which health information custodians must report privacy beaches to the IPC will come into force on October 1, 2017. Health information custodians will be required to notify the Information and Privacy Commissioner (IPC) when, for example, personal health information (PHI) under the custodian’s custody and control has been stolen, the privacy breach is part of a pattern of similar privacy breaches, or the breach is significant, among other circumstances. Members with questions about their obligations should contact the CMPA for further guidance.
The new regulations will also require custodians to provide the IPC with an annual report on or before March 1 of each year, starting in 2019, setting out the number of times in the previous calendar year that PHI in the custodian’s custody and control was stolen, lost, used, or disclosed without authority. The report must be transmitted electronically by the "means and format" determined by the IPC (though details have not yet been published by the IPC).
Regulations may also be made at a later time on a number of other subjects related to PHIPA, including regarding the requirement on healthcare providers to submit data into the provincial electronic health record (EHR), and the requirement on the Colleges to collect specified information from their members necessary for developing and maintaining the EHR.
The remaining amendments to PHIPA made by Bill 119 are not yet in force, including provisions relating to the governance of the EHR, and the development and maintenance of the EHR.
The new QCIPA is very similar to its predecessor in that information meeting the statutory definition of "quality of care information" will continue to be inadmissible in various legal proceedings, including civil and College proceedings. Nevertheless, the following new exceptions have been added to the existing exceptions where QCIPA’s protection does not apply:
- cause(s) of an incident identified by the quality of care committee or health facility;
- consequences of the critical incident for the patient, as they become known;
- actions taken and recommended to address the consequences of the critical incident for the patient;
- systemic steps that a health facility is taking or has taken to avoid or reduce the risk of further similar incidents.
CMPA members who have specific questions regarding the amendments made by Bill 119 to PHIPA and QCIPA, or their obligations, are encouraged to contact the Association for advice.