On September 15, 2016, the Information and Privacy Commissioner
of Ontario (the "IPC") released long awaited guidance on
communicating personal health information ("PHI") by
The Fact Sheet, which can be found here, sets out a number of
requirements that the IPC will expect health information custodians
("custodians") to meet if they decide to use email to
communicate PHI. These include:
Email Policy: Having
a written policy on the communication of PHI by email.
Notice and Consent:
Giving notice to patients of the custodian's email policy and
obtaining their consent prior to the use of unencrypted email to
Comprehensive and mandatory training of employees and agents in
connection with the custodian's email policy.
Prohibiting the use of a personal email account to send or receive
Encryption: The use
of encrypted email, except in exceptional circumstances (see below
Retention and Disposal of
PHI: The secure maintenance and disposal of emails
communicating PHI (see below for more).
Having a breach management protocol relating to emails
It is important to note that patient consent is not sufficient:
custodians have a duty to determine whether the use of email to
communicate unencrypted PHI is appropriate in the circumstances and
to limit the amount and type of PHI included in email.
The IPC has been writing about encryption for some time. In
2007, in HO-004, the IPC remarked that "to the extent that
personal health information on a mobile computing device has been
encrypted to protect it from unauthorized access", the theft
or loss of the device would not be considered a loss or theft of
PHI. The IPC has since issued other orders in relation to
encryption and a Fact Sheet in 2010 on the acceptable standard
of encryption for the health care environment.
According to the Fact Sheet, the IPC expects that email
communication of PHI among custodians "will be secured from
unauthorized access by use of encryption, barring exceptional
circumstances", for example, in an "emergency or other
Where feasible, custodians are advised they should use encrypted
email for communications with patients. If encryption is not
feasible, the IPC suggests that custodians should determine whether
email communication is reasonable considering: (1) the degree of
sensitivity of the information; (2) the volume and frequency of the
emails; (3) the purpose of the transmission; (4) patient
expectations; and (5) the availability of alternative methods of
Retention and Disposal of PHI
PHI should be stored on email servers only for as long as is
necessary. It is up to each custodian to determine how long is
necessary. For example, once an email has been documented in a
patient's record, it may not be necessary to retain the email
on the email server. The same goes for emails on a portable
The IPC has a Fact Sheet (2005) regarding the secure destruction
of PHI. Secure destruction includes ensuring that PHI is disposed
of in a permanent manner. If destruction is outsourced to a third
party service provider, the IPC recommends using a provider
accredited by an industrial trade association, such as the National
Association for Information Destruction. It also describes
provisions that should be part of the custodian's agreement
with the service provider. For this Fact Sheet, please click here.
Abbott Laboratories Limited, Takeda Pharmaceuticals Company Limited and Takeda Pharmaceuticals America Inc. (collectively, the Defendants) sought summary judgment of Apotex Inc.'s action for damages pursuant to section 8 of the Regulations.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).