Recent Changes to Ontario’s Personal Health Information Protection Act
There have been a number of new changes introduced with respect to Ontario’s Personal Health Information Protection Act (“PHIPA”). The Ontario government filed a new regulation on June 29, 2017 (Ontario Regulation 224/17 -- the “New Regulation”). The New Regulation comes into force on October 1, 2017 and imposes a variety of new reporting requirements on health information custodians under PHIPA.
By way of background, PHIPA governs the collection, use and disclosure of ‘personal health information’ (i.e. identifying information about an individual that relates to their physical or mental health) by health information custodians. Health information custodians (“HICs”), in turn, are defined in the legislation as persons involved in delivering health care services, such as practitioners, hospitals and pharmacies. Agents of HICs (e.g. employees at a doctor’s office) hold the same duties and responsibilities as HICs under PHIPA.
The recent amendments to the PHIPA regime appear to be in response to a number of cases reported in the media of employees disclosing personal health information. Examples include two workers at the Princess Margaret Cancer Centre who snooped on the late Mayor Ford’s electronic health records and a North Bay nurse who accessed 5,800 patient records.
The changes to PHIPA include the following:
- Changes to breach notification procedures: PHIPA previously provided that HICs were responsible for taking steps to ensure that personal health information was protected against theft, loss or unauthorized use or disclosure. Now the New Regulation requires that HICs must notify the Privacy Commissioner of Ontario in the following circumstances:
  - if the HIC has reasonable grounds to believe that:
    - personal health information was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing that information without authority;
    - personal health information in the HIC’s custody or control was stolen; or
    - after an initial loss or unauthorized use or disclosure of personal health information in the HIC’s custody or control, the personal health information was or will be further used or disclosed without authority.
  - if the loss or unauthorized use of personal health information is part of a pattern of similar conduct.
  - if the HIC determines that the loss or unauthorized use or disclosure of personal health information is significant after considering the following: (a) whether the personal health information is sensitive, (b) whether the loss or unauthorized use or disclosure involved a large volume of personal health information, (c) whether the loss or unauthorized use or disclosure involved many individuals’ personal health information, and (d) whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure of the personal health information.
- Notice to College: Section 17 of PHIPA requires that an HIC must give notice to a College if a member of that College is terminated, suspended or subject to disciplinary action as the result of the unauthorized collection, use, disclosure, retention or disposal of personal health information. The New Regulation now provides that the HIC must notify a College of an event that relates to a loss or unauthorized use or disclosure of personal health information.
- New reporting requirements: The New Regulation also requires all HICs to provide the Privacy Commissioner with a report on March 1 of each year setting out the number of times in the previous calendar year that personal health information was (a) stolen, (b) lost, (c) used without authority, and (d) disclosed without authority. This reporting requirement will commence in 2019.
Health information custodians should take note of these developments and take further steps to train their practitioners and employees in the handling of personal health information.