On March 25, 2020, significant amendments to Ontario's Personal Health Information Protection Act, 2004 (PHIPA) were introduced and came into force, with other amendments to take effect on a future date. These amendments were made by Bill 188, the Economic and Fiscal Update Act, 2020.
Among other changes, the following amendments are notable for health care providers and for technology companies that process personal health information – whether on behalf of consumers or health care providers:
• new administrative penalty regime
• penalties for offences are double
• Administration and Individual Rights
• health numbers may be used for identification and record-linking purposes
• individuals have the right to access records of their personal health information in electronic format
•Technology (not yet in force)
• requirements for "consumer electronic service providers" (such as developers of mobile device applications or online portals that process personal health information - a group that previously had few direct obligations under PHIPA)
• mandatory electronic audit logs
• de-identification standards
This bulletin provides a brief overview of these changes.
New Administrative Penalty Regime
Section 61 of PHIPA now permits the Information and Privacy Commissioner of Ontario ("Commissioner") to make an order imposing administrative penalties on any person whose activities the Commissioner has reviewed, if the Commissioner is of the opinion that the person has contravened PHIPA or its regulations.
The Commissioner may issue such an order to either encourage compliance with PHIPA or to prevent a person from deriving an economic benefit as a result of contravening PHIPA or its regulations. Taking into account those factors, the Commissioner may set the amount of the financial penalty in any order – subject to the regulations.
The regulations may prescribe specific penalty amounts for different types of contraventions, including varying amounts based on whether the person required to pay the penalty is an individual or an organization.
PHIPA generally imposes a two year limitation period for the Commissioner to order administrative penalties – although the Commissioner can disregard that limitation period for a series of contraventions if the latest contravention is within the previous two years.
Administrative penalties are paid to the Ontario Minister of Finance, bear interest, and are considered a debt to the Crown (which means they are recoverable by a variety of methods). The enforcement measures under PHIPA are not exclusive, and so an administrative penalty could be combined with a penalty for committing an offence.
This new regime could result in individual staff members being fined for snooping in patient records. It could also result in fines for health care organizations or service providers who are subject to PHIPA if they fail to handle personal health information according to the Act. Previously, the only financial penalties that could be meted out required court proceedings under PHIPA’s offences provision; now, the Commissioner can mete out fines directly
Penalties for Offences Doubled
The potential maximum penalty for offences under PHIPA has doubled to $200,000 for an individual and $1,000,000 if the offender is an organization. PHIPA now also provides for the possibility of up to one year of imprisonment.
It is important to note that PHIPA also holds officers, members, employees or agents of corporations liable for corporate offences under PHIPA. Such persons can be liable if they authorize an offence or knowingly refrain from using their authority to prevent an offence from being committed. They can also be liable regardless of whether the corporation itself is prosecuted or convicted.
The expansion of PHIPA to consumer electronic service providers, and the additional requirements regarding electronic records, raises the stakes for health care providers and for companies that provide consumer-facing services involving electronic records of personal health information.
Administration and Individual Rights
New Uses for Health Numbers
PHIPA now allows for additional collections and uses of a patient's health card number. With patient consent, a health information custodian may now collect, use or disclose a patient's health number for identity verification purposes and to link the patient's records of personal health information – even where no provincially funded health care is provided.
In addition, if the health number was previously collected as part of provincially funded health care, the custodian may use the health number for the same purposes noted above (and no consent is needed).
The regulations may set out additional requirements – and may prescribe other persons (who are not health information custodians) who will be able to collect and use a health number for identity verification and linking records of personal health information.
Right of Access, Electronic Record Format
PHIPA now provides individuals with a right to access a record of personal health information in an electronic format (if that format meets requirements set out in the regulations). The regulations may also provide for additional restrictions, requirements or exceptions to this expanded right of access. Depending on what the regulations ultimately prescribe, this could be Ontario's version of the right to data portability seen in privacy laws in other jurisdictions.
Although none of the changes discussed below are in force (they will come into force on a day to be named by proclamation of the Lieutenant Governor), health care providers and technology companies should consider how their current operations, technology and contractual relationships may need to be modified to ensure continued compliance with PHIPA once these changes are in effect.
Electronic Audit Log
Although many health care providers do this in practice, the amendments to PHIPA will require health information custodians who use electronic means to handle personal health information to maintain an electronic audit log (or to require their electronic service provider to do so).
The log applies to all activity about a record or part of a record of personal health information that is accessible by electronic means. Specifically, for every instance in which such a record (or part of a record) is viewed, handled, modified or otherwise dealt with, the log must include the following information (and any other information required by the regulations):
• type of information viewed, handled, modified or otherwise dealt with;
• date and time it was viewed, handled, modified or otherwise dealt with;
• identity of all persons who viewed, handled, modified or otherwise dealt with the personal health information; and
• identity of the individual to whom the personal health information relates;
The apparent purpose of the audit log is to assist the Commissioner to validate a custodian's compliance with PHIPA – as a copy of the log must be provided to the Commissioner upon request. This accountability measure will further discourage staff from snooping in digital patient records (particularly when coupled with the new financial penalties discussed above).
New De-Identification Standards
The amendments to PHIPA will change the definition of "de-identify", such that it will involve specific de-identification requirements that will be set out in regulations. These amendments come on the heels of the amendments enacted (but not yet in force) under Bill 138, which restrict re-identification. The Commissioner commented, following Bill 138, that the Commissioner would like to see further amendments regarding de-identification, including to establish the purposes for which personal health information can be de-identified. The regulations will likely build upon existing Commissioner guidance around de-identification of personal health information, with a view to setting minimum legal standards for entities subject to PHIPA. The advantage of imposing de-identification requirements by regulation is that they can more easily adapt with changes in technology.
Consumer Electronic Service Providers
Previously, some health technology companies, such as developers of mobile device applications or online portals that processed personal health information, were subject to few, if any, obligations under PHIPA. Indeed, if such companies only provided services to individuals, they may not have been subject to PHIPA at all.
Once the amendments come into force, companies that provide consumer-facing services involving electronic records of personal health information will be directly subject to PHIPA. Specifically, the amendments contemplate PHIPA applying to "consumer electronic service providers" – which are persons who provide electronic services to individuals at their request, primarily for the purpose of allowing those individuals to access, use, disclose, modify, maintain or otherwise manage their records of personal health information (or any other purpose set out in the regulations).
Much of the new regime is unknown, as the amendments contemplate future regulations that will set out requirements for consumer electronic service providers. The regulations may impose obligations on how the electronic services providers operate, how health information custodians use those services, and what rights individuals have regarding those services.
Until those regulations are available, we note the following pending amendments regarding consumer electronic service providers.
First, the Commissioner is empowered, after conducting a review, to make an order requiring a health information custodian or a class of health information custodians to cease providing personal health information to a consumer electronic service provider.
Second, consistent with other "loosening" of the restrictions on the use of health numbers, the amendments will also permit consumer electronic service providers to collect and use health numbers to verify the identity of an individual or for other purposes set out in the regulations – as long as the individual has consented. The regulations may also set out additional rules on the use of health numbers by these providers.
Third, when responding to an individual's access request made via a consumer electronic service provider, a health information custodian will not be required to provide the requested information to that consumer electronic service provider. This means that the custodian may choose to provide the requested information to the requesting individual via other means.
A more integrated health system in Ontario  requires increased sharing of personal health information (including through digital means). These PHIPA amendments, and the regulations that they contemplate, are an important step in modernizing Ontario’s public and health sector privacy regime. That said, given that the new Ontario Health Team model may include members that are not health information custodians, we expect that technology companies are not the only group that should be keeping a keen eye out for further changes to Ontario’s privacy laws.
 For more information on the amendments introduced by Bill 138, you can read our earlier bulletin Towards A More Integrated Health System? Amendments to PHIPA and Announcements about Digital and Virtual Health Care