On March 25, 2020, significant amendments to Ontario's Personal Health Information Protection Act, 2004 (PHIPA) were introduced and came into force, with other amendments to take effect on a future date. These amendments were made by Bill 188, the Economic and Fiscal Update Act, 2020.
Among the changes are notable amendments affecting technology companies that process personal health information – whether on behalf of consumers or health care providers. These amendments, to come into force on a day to be proclaimed, include:
- requirements for "consumer electronic service providers" (such as developers of mobile device applications or online portals that process personal health information - a group that previously had few direct obligations under PHIPA)
- mandatory electronic audit logs
- de-identification standards
In force immediately are amendments that create a new administrative penalty regime and increase the penalties for offences under PHIPA.
This bulletin provides a brief overview of these changes.
Technology
Although none of the changes under the next few headings are in force (they will come into force on a day to be named by proclamation of the Lieutenant Governor), technology companies should consider how their current operations, technology and contractual relationships may need to be modified to ensure compliance with PHIPA once these changes are in effect.
Consumer Electronic Service Providers
Previously, some health technology companies, such as developers of mobile device applications or online portals that process personal health information, were subject to few, if any, obligations under PHIPA. Indeed, if such companies only provided services to individuals, they may not have been subject to PHIPA at all.
Much of the new regime is unknown, as the amendments contemplate future regulations that will set out new requirements for consumer electronic service providers. The regulations may impose obligations on how the electronic services operate, how health information custodians use those services, and what rights individuals have regarding those services.
Until those regulations are available, we note the following pending amendments regarding consumer electronic service providers.
First, the Information and Privacy Commissioner of Ontario ("Commissioner") is empowered, after conducting a review, to make an order requiring a health information custodian or a class of health information custodians to cease providing personal health information to a consumer electronic service provider.
Second, the amendments will also permit consumer electronic service providers to collect and use health numbers to verify the identity of an individual or for other purposes set out in the regulations – as long as the individual has consented. The regulations may also set out additional rules on the use of the health number by these providers.
Third, when responding to an individual's access request made via a consumer electronic service provider, a health information custodian will not be required to provide the requested information to that consumer electronic service provider. This means that the custodian may choose to provide the requested information to the requesting individual via other means. [1]
Electronic Audit Log
Although many health care providers do this in practice, the amendments to PHIPA will require health information custodians who use electronic means to handle personal health information to maintain an electronic audit log (or to require their electronic service provider to do so). As a result, technology companies that supply or support electronic record systems should expect their health information custodian clients to request the necessary functionality.
The log applies to all activity about a record or part of a record of personal health information that is accessible by electronic means. Specifically, for every instance in which such a record (or part of a record) is viewed, handled, modified or otherwise dealt with, the log must include the following information (and any other information required by the regulations):
- type of information viewed, handled, modified or otherwise dealt with;
- date and time it was viewed, handled, modified or otherwise dealt with;
- identity of all persons who viewed, handled, modified or otherwise dealt with the personal health information; and
- identity of the individual to whom the personal health information relates.
Health information custodians will also be required to audit and monitor the audit log. Additional requirements about the log, and the frequency of audits or monitoring, may also be set out in regulations. The apparent purpose of the audit log is to assist the Commissioner in validating a custodian's compliance with PHIPA, as a copy of the log must be provided to the Commissioner upon request.
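As an added illustration (not code from the bulletin or from any vendor), the following Python sketch shows one way a record system could capture the four fields the amendments list for every access to an electronic record, hand the log to a custodian in an exportable form, and support the "audit and monitor" duty. The hash chaining, the per-event action label and the "one user touching many patients' records" check are this example's own assumptions about reasonable practice; PHIPA and the pending regulations do not prescribe them, and the sample events are constructed.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash for the first entry (assumption of this example)


@dataclass(frozen=True)
class AuditEntry:
    """One log line: the four fields the amendments list, plus chaining fields
    (the action label and the hashes are this example's additions)."""
    info_type: str    # type of information viewed, handled, modified, etc.
    timestamp: str    # date and time it was dealt with (ISO 8601, UTC)
    actor_id: str     # identity of the person who dealt with the record
    subject_id: str   # identity of the individual the record relates to
    action: str       # e.g. "viewed" or "modified" (assumed, not mandated)
    prev_hash: str    # hash of the previous entry, for tamper evidence
    entry_hash: str   # SHA-256 over prev_hash + this entry's content


def _hash_entry(prev_hash: str, fields: dict) -> str:
    payload = json.dumps(fields, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    """Append-only, hash-chained log of activity on electronic PHI records."""

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def record(self, info_type: str, actor_id: str, subject_id: str,
               action: str, timestamp: str | None = None) -> AuditEntry:
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        fields = {"info_type": info_type, "timestamp": ts, "actor_id": actor_id,
                  "subject_id": subject_id, "action": action}
        entry = AuditEntry(**fields, prev_hash=prev, entry_hash=_hash_entry(prev, fields))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited or reordered entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            fields = {"info_type": e.info_type, "timestamp": e.timestamp,
                      "actor_id": e.actor_id, "subject_id": e.subject_id, "action": e.action}
            if e.prev_hash != prev or e.entry_hash != _hash_entry(prev, fields):
                return False
            prev = e.entry_hash
        return True

    def entries_for_subject(self, subject_id: str) -> list[AuditEntry]:
        """Everything done to one individual's records (e.g. for an inquiry)."""
        return [e for e in self.entries if e.subject_id == subject_id]

    def actors_over_threshold(self, max_distinct_subjects: int) -> dict[str, int]:
        """Monitoring check (assumed, not mandated): actors who dealt with
        more distinct individuals' records than the threshold allows."""
        seen: dict[str, set[str]] = {}
        for e in self.entries:
            seen.setdefault(e.actor_id, set()).add(e.subject_id)
        return {a: len(s) for a, s in seen.items() if len(s) > max_distinct_subjects}

    def export_jsonl(self) -> str:
        """Serialised copy, as a custodian might supply on request."""
        return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in self.entries)


def with_modified_entry(log: AuditLog, index: int, **changes) -> AuditLog:
    """Copy of the log with one entry altered after the fact, to demonstrate
    that verify_chain() detects the change."""
    copy = AuditLog()
    copy.entries = list(log.entries)
    copy.entries[index] = replace(copy.entries[index], **changes)
    return copy


def build_sample_log() -> AuditLog:
    """Constructed sample events (hypothetical identifiers, not real data)."""
    log = AuditLog()
    events = [
        ("lab_result", "nurse_01", "patient_1001", "viewed", "2020-04-01T09:00:00+00:00"),
        ("lab_result", "nurse_01", "patient_1001", "modified", "2020-04-01T09:05:00+00:00"),
        ("medication_list", "clerk_07", "patient_1001", "viewed", "2020-04-01T10:00:00+00:00"),
        ("medication_list", "clerk_07", "patient_1002", "viewed", "2020-04-01T10:01:00+00:00"),
        ("medication_list", "clerk_07", "patient_1003", "viewed", "2020-04-01T10:02:00+00:00"),
        ("medication_list", "clerk_07", "patient_1004", "viewed", "2020-04-01T10:03:00+00:00"),
    ]
    for ev in events:
        log.record(*ev)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.export_jsonl())
    print("chain intact:", sample.verify_chain())
    print("actors over threshold:", sample.actors_over_threshold(3))
```

The threshold and the choice of SHA-256 chaining are design decisions for the example only; a production system would additionally need to protect the log store itself (write-once storage, separation of duties between those who generate and those who review entries) and keep the monitoring rules under the custodian's control.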
New De-Identification Standards
The amendments to PHIPA will change the definition of "de-identify" to incorporate specific de-identification requirements that will be set out in regulations. The regulations will likely build upon existing Commissioner guidance around de-identification of personal health information, with a view to setting minimum legal standards for entities subject to PHIPA. The advantage of imposing de-identification requirements by regulation is that they can more easily adapt to changes in technology. Again, health information custodians may look to their technology service providers to support their compliance with the new requirements.
Enforcement
As technology companies become subject to additional requirements under PHIPA, or subject to PHIPA requirements for the first time, it is notable that (effective March 25, 2020) a new administrative penalty regime was introduced under PHIPA and certain existing penalties were increased.
New Administrative Penalty Regime
Section 61 of PHIPA now permits the Commissioner to make an order imposing administrative penalties on any person whose activities the Commissioner has reviewed, if the Commissioner is of the opinion that the person has contravened PHIPA or its regulations.
The Commissioner may issue such an order to either encourage compliance with PHIPA or to prevent a person from deriving an economic benefit as a result of contravening PHIPA or its regulations. Taking into account those factors, the Commissioner may set the amount of the financial penalty in any order – subject to the regulations.
The regulations may prescribe specific penalty amounts for different types of contraventions, including varying amounts based on whether the person required to pay the penalty is an individual or an organization.
PHIPA generally imposes a two-year limitation period for the Commissioner to order administrative penalties, although the Commissioner can disregard that limitation period for a series of contraventions if the latest contravention is within the previous two years.
Administrative penalties are paid to the Ontario Minister of Finance, bear interest, and are considered a debt to the Crown (which means they are recoverable by a variety of methods). The enforcement measures under PHIPA are not exclusive, and so an administrative penalty could be combined with a penalty for committing an offence.
This new regime could result in fines for health care organizations or service providers who are subject to PHIPA if they fail to handle personal health information according to PHIPA. Previously, the only financial penalties that could be meted out required court proceedings under PHIPA's offences provision; now, the Commissioner can mete out fines directly.
Penalties for Offences Doubled
The potential maximum penalty for offences under PHIPA has doubled to $200,000 for an individual and $1,000,000 if the offender is an organization. PHIPA now also provides for the possibility of up to one year of imprisonment.
It is important to note that PHIPA also holds officers, members, employees or agents of corporations liable for corporate offences under PHIPA. Such persons can be liable if they authorize an offence or knowingly refrain from using their authority to prevent an offence from being committed. They can also be liable regardless of whether the corporation itself is prosecuted or convicted.
The expansion of PHIPA to consumer electronic service providers, and the additional requirements regarding electronic records, raise the stakes for companies that provide consumer-facing services involving electronic records of personal health information.
Looking Ahead
As Ontario continues to progress towards a more integrated health system[2], which will require increased sharing of personal health information, technology will play an increasingly central role. These changes are likely only some of the legislative and regulatory amendments to come.
[1] The amendments also include (in force immediately) a right of access to a record of personal health information in an electronic format (if that format meets requirements set out in the regulations). The regulations may also provide for additional restrictions, requirements or exceptions to this expanded right of access. Technology companies should consider how their products and services can support health information custodians in fulfilling such requests.
[2] You can find a series of bulletins on integration and the Ontario Health Team model on our website's Health Law Page (under the heading "Knowledge").