At the start of June 2016, a number of significant amendments to
the Personal Health Information Act, 2004
("PHIPA") were proclaimed in force. The most significant
changes relate to the duties and responsibilities of health
information custodians with respect to notification in the event of
privacy breaches and the responsibilities of agents. We note that
provisions related to electronic health records as well as the new
Quality of Care Information Act have not yet been
proclaimed in force. The following will highlight some of the key
changes to PHIPA now in effect.
New Mandatory Notification Duties
Significant changes were made to the notification provisions
found in section 12, the section that sets out when patients
must be notified of certain security breaches. These amendments
have expanded the circumstances in which patient notification of
privacy breaches is required.
Prior to the amendments, notification was required where
information was "stolen, lost, or accessed by unauthorized
persons." Under the new section 12(2), however, notification
is now also mandatory where personal health information is
"used or disclosed without authority". Although
"used without authority" is not specifically defined in
the Act, it will likely include situations involving snooping or
other similar misuses of personal health information
("PHI"). Additionally, health information custodians must
explicitly state that "the individual is entitled to make a
complaint to the Privacy Commissioner" in the notice letters.
Moreover, health information custodians may also be required to
notify the Privacy Commissioner of certain privacy breaches. The
regulations setting out when and how the Privacy Commissioner must
be notified have not yet been adopted. Overall, however, these
amendments are likely to lead to additional investigations and
requests for information from the Privacy Commissioner.
Expanded Responsibilities for Agents
The amendments also impose additional responsibilities on health
information custodians to monitor access to personal health
information by agents (including medical staff, nursing staff,
clerks, etc.), as well as restrictions on the ability of agents
of health information custodians to collect, use, and disclose
personal health information.
For example, section 17(1.1) specifically provides that the
health information custodian may impose restrictions on the
agent's ability to access and use personal health information.
As such, health information custodians will have to consider
whether or not to restrict the amount of personal health
information that an agent has access to and whether this is
Further, under section 17(3), health information custodians are
required to take reasonable steps to ensure that agents are
collecting, using, and disclosing personal health information in
accordance with PHIPA. Although the "reasonable steps"
required are not defined, the Privacy Commissioner will likely find
that random audits of access by agents as well as regular staff
training on privacy are required.
Additional restrictions were also imposed on agents themselves.
Section 17(2) was amended to specify that agents are only permitted
to collect, use, and disclose personal health information if it is
"necessary in the course of carrying out his or her duties as
agent of the custodian."
Lastly, under section 17.1, health information custodians are
now required to report agents who have been subjected to
disciplinary action for "the unauthorized collection, use,
disclosure, retention or disposal of personal health
information" to the agent's college within 30 days. The
health information custodian's obligation to report is
also engaged where the employee resigns if it has reasonable
grounds to believe the resignation is related to an investigation
into misuse of personal health information. The impetus for these
changes appears, at least in part, targeted towards discouraging
The overall effect of these amendments to PHIPA is twofold.
First, health information custodians will have greater
responsibility to notify patients of privacy breaches related to
use of personal health information by employees. These amendments
are likely to result in an increased number of investigations by
the Privacy Commissioner. Second, custodians have an increased
responsibility to monitor the actions of their employees with
respect to their use of personal health information.
As a result of these amendments, hospitals and other health
information custodians should review their policies and practices
to ensure they are in compliance with the new obligations set out
in the amendments.