Proposed Changes to Ontario's Health Privacy Laws - What do they mean for Regulators?
On September 16, 2015, Bill 119 (the "Bill") was introduced by the Minister of Health and Long-Term Care into the Ontario legislative assembly and is now in second reading. A previous iteration of the Bill died on the order paper in advance of the 2014 provincial election. It proposes to amend the Personal Health Information Protection Act, 2004 ("PHIPA"). The Bill addresses the development and maintenance of an electronic health record ("EHR") and the collection, use and disclosure of personal health information ("PHI") by means of the EHR. The Bill also proposes to amend the Regulated Health Professions Act, 1991 ("RHPA") and other legislation.
If passed, the Bill has important consequences for regulators. In this article, we canvass three matters of particular interest: the provider registry, mandatory reporting obligations and provincial offences.
Bill 119 proposes amendments to the RHPA to develop and implement a provider registry that contains certain information about regulated health care providers. The Bill would permit the Minister of Health and Long-Term Care to make regulations requiring the College of a regulated health profession to collect information about its members that is necessary for the purpose of developing and maintaining the EHR. The Bill also requires the College to provide the information to the prescribed organization (which is expected to be eHealth Ontario) in the form, manner and timeframe specified by the prescribed organization.
One of the purposes of the provider registry is to establish a registry of authorized health care providers who will have access to the EHR based on their status in the registry. This process is designed to ensure that only authorized health care providers have access to PHI in the EHR. It is therefore key that the information provided by the Colleges is accurate, complete and up-to-date. Additional costs may be associated with the collection of personal information from Colleges' members and providing it in the requisite form, manner and timeframe to the prescribed organization. There is no required consultation prior to the regulation being passed by the Minister of Health and Long-Term Care as to what information is to be collected by a College. Similarly, there is no required consultation prior to the prescribed organization's direction respecting the form, manner and timeframe for providing information. Therefore, it would be advisable for Colleges to seek consultations with the Ministry and eHealth Ontario (assuming it is the prescribed organization) so that the requirements of collecting members' personal information and disclosing it to eHealth Ontario are reasonable.
Health privacy violations appear to be on the increase. If passed, the Bill will impose new mandatory reporting obligations on health information custodians. It will require employers that are health information custodians ("HICs") who employ health care practitioners (e.g. nurses, physiotherapists, respiratory therapists and social workers) to report health privacy breaches to the College of the regulated health profession under the RHPA or to the Ontario College of Social Workers and Social Service Workers ("OCSWSSW"), as well as to the Ontario Information and Privacy Commissioner.
This obligation is triggered under two circumstances:
- If the employee is terminated, suspended, or subject to disciplinary action as a result of a health privacy breach.
- If the employee resigns and the HIC believes that the resignation is related to an investigation or other action by the HIC with respect to an alleged health privacy breach.[1]
There are similar mandatory reporting provisions that will apply to HICs that extend privileges to health care practitioners (e.g. physicians) where there is a health privacy breach.
If a HIC employs a health care practitioner who is a member of a health regulatory College or the OCSWSSW, the HIC must give the College written notice within 30 days if the health care practitioner is terminated, suspended, subject to disciplinary action or resigns due to the practitioner's actual or suspected health privacy breach. In a similar vein, if a HIC extends privileges to a health care practitioner who is a member of a health regulatory College or the OCSWSSW, the HIC must give the College written notice within 30 days if the health care practitioner's privileges or affiliations are revoked, suspended or restricted, or the practitioner relinquishes his or her privileges or affiliation due to the practitioner's actual or alleged health privacy breach.
Other amendments to the PHIPA deal with the prosecution of health privacy breaches. The Bill will double the maximum fines for offences under the PHIPA to a maximum of $100,000 for individuals and $500,000 for corporations. The amendments will also eliminate the six-month limitation period for commencing a prosecution. Lastly, in order to commence a prosecution, the consent of the Attorney General will be required, thereby relieving the Attorney General of commencing the prosecution itself. Amendments to the Bill may be made through Standing Committee hearings. We will provide an update once the Bill has been enacted.
[1] There may be regulations made under the PHIPA which provide exceptions and additional requirements related to this obligation.