Canada: The New And The Familiar: Changes To Health Information - Part 1
Privacy & Cybersecurity Bulletin

The purpose of Bill 3, An Act respecting health and social services information and amending various legislative provisions ("Bill 3")¹ is to establish a legal framework specific to health and social services information in order to facilitate a safer and more seamless flow of such information, all in the same legislation.

Specifically, the idea is that health data should be "connected to the patient" rather than to the establishment where the care was provided.

There are currently several statutes that cover this information, including the Act respecting Access to documents held by public bodies and the Protection of personal information ("Access Act") and the Act respecting the protection of personal information in the private sector ("Private Sector Act"), as amended by Bill 25, An Act to modernize legislative provisions as regards the protection of personal information.² This creates a complex situation that makes the work of health professionals much more difficult than it should be. Interestingly, Bill 3 was introduced by Eric Caire, Minister of Cybersecurity and Digital Technology, not by the Minister of Health, as was the case with Bill 19, An Act respecting health and social services information and amending various legislative provisions.³

This bulletin provides an overview of certain parts of Bill 3, particularly in terms of governance. In a separate bulletin, we will describe other parts of the Bill, which will cover the rights of individuals with respect to their health information, and the applicable rules concerning research activities.

1. The missing piece: Defining "health information"

   Bill 3 provides a detailed definition of health information⁴, namely it is any information that allows a person to be identified, even indirectly, and that has any of the following characteristics:
   • it concerns the person's state of physical or mental health and his or her health determinants, including the person's medical or family history;
   • it concerns any material taken from the person, including biological material, collected in the context of an assessment or treatment, or any implants, ortheses, prostheses or other aids that compensate for a disability of the person;
   • it concerns the health services or social services provided to the person, including the nature of those services, their results, the location where they were provided and the identity of the persons or groups that provided them;
   • it was obtained in the exercise of a function under the Public Health Act; or
   • any other characteristic determined by government regulation.

   It is understood that "[...]information that concerns a personnel member of a health and social services body or a professional who practises his or her profession within the body, including a student or trainee, or that concerns a mandatary or a provider of services of such a body, is not health and social services information if collected for human resources management purposes. [...]" ⁵

   No such definition currently exists, and adding it will bring us closer to the European Union's General Data Protection Regulation, although Bill 3's definition is even broader, stating that: "In addition, information allowing a person to be identified, such as the person's name, date of birth, contact information or health insurance number, is health and social services information when it appears with information referred to in the first paragraph or when it is collected for registration, enrolment or admission of the person concerned at, in or to an institution or for the taking in charge of the person concerned by another health and social services body."

   It should also be noted that Bill 3 applies to health and social services bodies that hold health information⁶. It is worth noting that this definition is broad and not limited to institutions that provide care directly but also includes⁷:

   • the Ministère de la Santé et des Services sociaux;
   • a person or a group referred to in Schedule I or Schedule II of Bill 3;
   • an institution, the Nunavik Regional Board of Health and Social Services and the Cree Board of Health and Social Services of James Bay;
   • a person or a group not already referred to in this section that enters into an agreement with a health and social services body concerning the provision of health services or social services on behalf of that body;
   • any other person or group determined by government regulation;
   • a person or a group whose activities are related to the provision of health services or social services on behalf of a health and social services body noted above.

   A service provider who offers health services or social services within a health and social services body other than an institution, and whose records are not kept by the body, is also considered a health and social services body.

2. Governance rules, taken directly from Bill 25

The governance rules of Bill 3 are identical to those of Bill 25 and impose a number of obligations on bodies subject to Bill 3. More specifically:

• A body is responsible for the protection of the information it holds, and must take the security measures for ensuring the protection of the information that is reasonable given, in particular, the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored⁸.
• The person exercising the highest authority within a body exercises the function of person in charge of the protection of information; such function may be delegated⁹. Their title and contact information are sent to the Minister and to the Commission d'accès à l'information ("CAI") and published on the body's website¹⁰.
• When offering its clientele a technological product or service with privacy settings, the body must ensure that those settings provide the highest level of confidentiality by default, without any intervention by the person concerned¹¹.
• For any project to acquire, develop, or overhaul technological products or services or an electronic service delivery system, the body must conduct a privacy impact assessment ("PIA")¹².
• If a confidentiality incident presents a "risk of serious injury," the organization must notify the CAI and the person concerned¹³. Note that a confidentiality incident is defined as "a use or communication not authorized by law of information, the loss of information or any other breach of its protection"¹⁴.

Moreover, the body must adopt a governance policy for the information it holds, which sets out^[15:

• the roles and responsibilities of the members of its personnel and professionals practising their profession within the body, including students and trainees, with regard to the information;
• the categories of persons who may use the information in the exercise of their functions. For example, a researcher or service provider may use the health information (i) where the information is necessary for the purposes for which it was collected; (ii) when it is used for purposes consistent with the purposes for which it was collected, meaning a relevant and direct connection therewith; or (iii) when its use is necessary for the application of an Act in Québec ^[16;
• the logging mechanisms and the security measures for ensuring the protection of the information that the body puts in place;
• the terms and conditions on which the information may be communicated;
• an update schedule for the technological products or services the body uses;
• a procedure for processing confidentiality incidents;
• a procedure for processing complaints regarding the protection of the information;
• a description of the training and awareness activities regarding the protection of the information.

And finally, at the end of the applicable preservation period, the body holding information must destroy or anonymize it¹⁷.

In this context, penalties of up to $150,000 can be applied to legal persons, which amounts can be doubled and then tripled in the case of a subsequent offence¹⁸.

Furthermore, Bill 3 will implement a specific regime for health information, which would no longer be subject to existing legislation. A subsequent bulletin will describe the rights of the persons concerned as well as the rules applicable to research activities. If you have questions, Fasken can provide you with information or advice, such as by helping you apply the right law in the right circumstances and finding practical solutions for complying with the new obligations created by Bill 3.

Footnotes

1. An Act respecting health and social services information and amending various legislative provisions

2. Bill 25, An Act to modernize legislative provisions as regards the protection of personal information, assented to on September 22, 2021. For more information, you can visit Fasken's Resource Center.

3. Bill 19, An Act respecting health and social services information and amending various legislative provisions; See Fasken Bulletin A Quebec law regulating personal information in the health sector.

4. (Bill 3, s 2)

5. (Bill 3, s. 2, para. 3)

6. (Bill 3, s 4)

7. (Bill 3, s 4; Schedules I and II)

8. (Bill 3, s 91)

9. (Bill 3, s 92)

10. (Bill 3, s 94)

11. (Bill 3, s 96)

12. (Bill 3, s 98)

13. (Bill 3, s 100)

14. (Bill 3, s 3)

15. (Bill 3, s 97)

16. (Bill 3, s 55)

17. (Bill 3, s 103)

18. (Bill 3, ss 148-153)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.