In light of the global COVID-19 crisis, majority of the world and its businesses have instantaneously inherited the need to become more digital. While things like working from home, online classes, virtual healthcare, and grocery deliveries are quickly becoming the norm, Ontario's leaders and legislators have been hard at work amending various Provincial statutes that the Ontario Government felt needed to be updated and modernized. The result, Bill 188 – The Economic and Fiscal Update Act, 2020.

In particular, Schedule 6 of Bill 188 has made various amendments to Ontario's Personal Health Information Protection Act,2004 (PHIPA), which governs how healthcare providers, specifically Health Information Custodians (HICs) collect, use, and disclose personal health information (PHI).

HICs are defined under the Act as any person or organization that has custody or control of personal health information. This can range anywhere from health care providers, to staff at healthcare facilities, to technology companies that provide services to people or organizations in the healthcare industry.

The specific amendments and new requirements of Bill 188 that directly impact HICs are as follows:

Section 10.1 – Audit Logs

Bill 188 enacts a new Section 10.1 which requires all HICs that collect, use, disclose, modify, retain, or dispose of personal health information though electronic means, to maintain, audit, and monitor an electronic audit log1. Section 10.1(4) enacts very specific requirements for what electronic audit logs must contain. These requirements are as follows2:

"10.1(4) The electronic audit log must include, for every instance in which a record or part of a record of personal health information that is accessible by electronic means is viewed, handled, modified or otherwise dealt with,

(a) the type of information that was viewed, handled, modified or otherwise dealt with;

(b) the date and time on which the information was viewed, handled, modified or otherwise dealt with;

(c) the identity of all persons who viewed, handled, modified or otherwise dealt with the personal health information;

(d) the identity of the individual to whom the personal health information relates; and

(e) any other information that may be prescribed."

Section 34 – Use of Health Number

Bill 188 amends Section 34 of PHIPA allow prescribed persons and HICs to collect or use a patient's health number, with that person's consent, for certain verification and linking purposes.

Section 39 – Disclosure of PHI

Bill 188 amends Section 39 of PHIPA to allow the disclosure of PHI by HICs if such disclosure is in relation to the Immunization of School Pupils Act.

Section 46 – Payment for Healthcare

Bill 188 amends Section 46 of PHIPA to allow a HIC to disclose PHI to a minister who, upon request, seeks the requested PHI for the purpose of determining, providing, monitoring, or verifying payment or funding for health care funded in any way by the Ministry.

Section 52 – Electronic Format

Bill 188 amends Section 52 of PHIPA to state that the right to access PHI includes the right to access PHI in electronic format that meets specific requirements, restrictions, or exceptions that may be prescribed.

Section 54.1 – Consumer Electronic Service Providers

Bill 188 enacts a new Section 54.1 which defines a "consumer electronic service provider" as a person who provides electronic services to individuals at their request, primarily for2:

a) the purpose of allowing those individuals to access, use, disclose, modify, maintain or otherwise manage their records of personal health information; or

b) such other purposes as may be prescribed.

As further requirements are prescribed over time, consumer electronic service providers will need to comply with such requirements in addition to those requirements that currently apply to HICs that provide PHI to consumer electronic service providers.

Section 60 – Inspection of PHI by the Information and Privacy Commissioner of Ontario

Bill 188 amends Section 60 of PHIPA to allow the Information and Privacy Commissioner (IPC) of Ontario to inspect PHI records without consent, if the IPC believes that the PHI records may have been abandoned.

Section 61 – Administrative Penalties from the IPC

Bill 188 amends Section 61 of PHIPA to provide the IPC with the power to administer administrative penalties to people who have contravened PHIPA. The amendment states that the amount of an administrative penalty should:

a) encourage compliance with PHIPA and its regulations;

b) prevent a person from deriving, directly or indirectly, any economic benefit as a result of a contravention of PHIPA or its regulations; and

c) be determined by the Commissioner in accordance with the regulations made under PHIPA.

This amendment also places a two (2) year limitation on any orders requiring a person to pay an administrative penalty. This means that no administrative penalty can be issued under this section more than two (2) years after the day the IPC became knowledgeable of the person's most recent contravention of PHIPA.

Section 71.1 – Production Orders

Bill 188 amends Section 71.1 of PHIPA to allow justices to order a person to provide documents or data as evidence that an offence under PHIPA has, or is being committed, if:

a) the justice is satisfied that an offence under PHIPA has been, or is being committed; and

b) the justice is satisfied that the requested documents or data will provide evidence of such offence.

Section 72 – Maximum Penalty for Offenses under PHIPA

Bill 188 amends Section 72 of PHIPA to increase the potential maximum penalty for offenses under PHIPA. A natural person (individual) can face a penalty of up to $200,000 or up to one (1) year imprisonment. If the offender is not a natural person (company, organization, or the like), the maximum penalty for an offense under PHIPA is $1,000,000.

Conclusion

Overall, Bill 188 provides a much needed step forward for Ontario's ever-changing data privacy and health data privacy landscape. As the world continues to change in ways we have never seen before, the need for secure and private data transmission and management is at an all-time high, and subsequently so is the need to hold people accountable for how they use this data.

Ontario's enactment of Bill 188 will have a significant impact on how PHIPA is enforced, how health data is managed in the Province, and how people, companies, and organizations are held accountable for offences under PHIPA. Moving forward, healthcare providers and Health Information Custodians (whether as an individual, company, or organization) will need to ensure that they are aware of, and regularly apprised of PHIPA obligations, requirements, and the enforcement powers of any governing bodies.

Although Bill 188 places a higher standard of responsibility on healthcare providers and Health Information Custodians, the flexibility that the amendments provide is essential for building successful and sustainable data protection practices. These amendments allow us to balance the old adage of checks and balances with the new-age needs of having a flexible and fluid digital world. This will serve as a good baseline for how we manage and govern the digital collection and use of sensitive, personal, and health information in Ontario.

Footnotes

1. https://www.ola.org/en/legislative-business/bills/parliament-42/session-1/bill-188

2. https://www.ontario.ca/laws/statute/s20005#BK8

Originally published May 29 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.