Amendments to Ontario’s health information legislation bring new obligations and penalties
Charles S. Morgan, Daniel Glover, Michael Scherman, Ellen Yifan Chen
On March 25, 2020, a new law passed by the Ontario legislature made significant amendments to the province’s personal health information legislation, the Personal Health Information Protection Act (“PHIPA”). Several changes have important implications for those in the health care industry and businesses that collect personal health information (“PHI”). Among these changes are:
- new powers for the province’s privacy commissioner;
- higher penalties for offences under PHIPA;
- new obligations to maintain an electronic audit log;
- introduction of the concept of “consumer electronic service providers”; and
- the ability to impose requirements related to information de-identification.
Most amendments are in force as of March 25, 2020, while a few amendments will come into force on a later date to be declared by the government.
1. New Powers for Privacy Commissioner
Ontario’s privacy regulator, the Office of the Information and Privacy Commissioner (the “IPC”), gained new powers as a part of the amendments:
- Section 61 of PHIPA is amended and s. 61.1 is introduced to provide the IPC with authority to order a person to pay an administrative penalty if they have contravened PHIPA. The purpose of the penalty is to encourage compliance with PHIPA, and to prevent a person from deriving, directly or indirectly, any economic benefit by contravening PHIPA or any of its regulations. The amount of the administrative penalty should reflect these purposes and is determined by the IPC, subject to the regulations.
- Other amendments to Section 61 of PHIPA provide the IPC with the power to make an order requiring a health information custodian (“HICs”) or a class of HICs to cease providing PHI to a “consumer electronic service provider”. This is a new concept that is discussed further in this blog.
With these amendments, the IPC has additional enforcement powers. The administrative penalty in particular did not exist in PHIPA before; once the regulations setting out the penalty amounts are introduced, this provision will be another tool in the IPC's enforcement toolkit.
2. Higher Penalties for Offences
Penalties for offences also increased with amendments to Section 72(2) of PHIPA:
- fines for an individual found guilty of an offence doubled from a maximum of $100,000 to $200,000;
- fines for an organization found guilty of an offence doubled from a maximum of $500,000 to $1,000,000; and
- individuals found guilty of an offence may now also face imprisonment of up to a year.
3. Electronic Audit Log
The amendments add a new obligation for HICs under a new Section 10.1 of PHIPA (which is not yet in force at the time of publication): HICs that use electronic means to collect, use, or disclose PHI will be required to maintain an electronic audit log that records the viewing, handling, and modification of PHI. HICs will also be required to audit and monitor the electronic audit log, and the IPC will have the power to order HICs to produce it.
The new section requires the electronic audit log to contain sufficient information about each record, including when and by whom a record was created and altered and every time the record was viewed. For every instance in which a record, or part of a record, of PHI that is accessible by electronic means is viewed, handled, modified or otherwise dealt with, the electronic audit log must document:
- the type of information that was viewed, handled, modified or otherwise dealt with;
- the date and time on which the information was viewed, handled, modified or otherwise dealt with;
- the identity of all persons who viewed, handled, modified or otherwise dealt with the PHI;
- the identity of the individual to whom the PHI relates; and
- any other information that may be prescribed.
As enacted, Section 10.1 may present difficulties that HICs will need to address before the provision comes into force. For instance, HICs will need enough lead time to implement the technological infrastructure required to maintain electronic audit logs at the level of detail Section 10.1 demands. Notably, the amendments are silent on whether existing systems will be grandfathered or whether HICs will be given a transition period for compliance.
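To make the Section 10.1 requirements concrete, the following Python is an added example, not code from the original post or from any HIC's system. It models an append-only audit record carrying the data points listed above (type of information, date and time, identity of the person acting, identity of the individual the PHI relates to, and the action taken), adds a check that the log has not been edited after the fact, and runs one simple monitoring rule over the log. The hash chain, the `flag_bulk_viewers` threshold and the sample entries are assumptions for illustration only; the statute mandates neither a particular integrity mechanism nor a particular monitoring rule, only that the log be kept, audited and monitored.

```python
"""Added example: electronic audit log for PHI access, with a tamper-evidence
check and one monitoring rule. Illustrative only; field names, the hash chain
and the monitoring threshold are the author's assumptions, not statutory text."""
from __future__ import annotations

import hashlib
import json
from collections import defaultdict, deque
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

ACTIONS = {"view", "create", "modify", "handle"}


@dataclass(frozen=True)
class AuditEntry:
    record_type: str   # type of information dealt with (e.g. "lab_result")
    timestamp: str     # date and time of the event, ISO 8601 in UTC
    actor_id: str      # identity of the person who viewed/handled/modified
    patient_id: str    # identity of the individual the PHI relates to
    action: str        # one of ACTIONS
    prev_hash: str     # assumption: hash chain so later edits are detectable
    entry_hash: str

    @staticmethod
    def compute_hash(record_type, timestamp, actor_id, patient_id, action, prev_hash) -> str:
        payload = json.dumps([record_type, timestamp, actor_id, patient_id, action, prev_hash],
                             separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    """Append-only in-memory log. A real deployment would write each entry to
    write-once storage that the application's own database users cannot edit."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def record(self, record_type: str, actor_id: str, patient_id: str, action: str,
               when: datetime | None = None) -> AuditEntry:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        digest = AuditEntry.compute_hash(record_type, ts, actor_id, patient_id, action, prev)
        entry = AuditEntry(record_type, ts, actor_id, patient_id, action, prev, digest)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry still hashes to what its successor recorded."""
        prev = self.GENESIS
        for e in self.entries:
            expected = AuditEntry.compute_hash(e.record_type, e.timestamp, e.actor_id,
                                               e.patient_id, e.action, prev)
            if e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True


def copy_with_change(log: AuditLog, index: int, **changes) -> AuditLog:
    """Copy of `log` with one entry's fields altered after the fact; used to
    show that verify_chain() catches such an edit."""
    altered = AuditLog()
    altered.entries = list(log.entries)
    altered.entries[index] = replace(altered.entries[index], **changes)
    return altered


def flag_bulk_viewers(log: AuditLog, max_patients: int = 3,
                      window: timedelta = timedelta(hours=1)) -> dict[str, int]:
    """Monitoring rule (assumption, not statutory): flag any actor who viewed
    records of more than `max_patients` distinct individuals within `window`.
    Returns {actor_id: peak number of distinct patients seen in one window}."""
    by_actor: dict[str, list] = defaultdict(list)
    for e in log.entries:
        if e.action == "view":
            by_actor[e.actor_id].append((datetime.fromisoformat(e.timestamp), e.patient_id))
    flagged: dict[str, int] = {}
    for actor, events in by_actor.items():
        events.sort()
        recent = deque()
        peak = 0
        for ts, pid in events:            # sliding window over this actor's views
            recent.append((ts, pid))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({p for _, p in recent}))
        if peak > max_patients:
            flagged[actor] = peak
    return flagged


def build_sample_log() -> AuditLog:
    """Constructed sample data: a nurse working on one patient's chart and a
    clerk sweeping through six charts in six minutes."""
    log = AuditLog()
    t0 = datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)
    log.record("lab_result", "nurse-17", "patient-001", "view", t0)
    log.record("lab_result", "nurse-17", "patient-001", "modify", t0 + timedelta(minutes=5))
    for i in range(6):
        log.record("chart", "clerk-42", f"patient-{100 + i:03d}", "view",
                   t0 + timedelta(minutes=10 + i))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify_chain())
    print("flagged:", flag_bulk_viewers(sample))
```

Two design points worth noting. First, the log records the patient identity as well as the actor identity; without both, the "who looked at whom" question the IPC would ask in an investigation cannot be answered from the log alone. Second, the monitoring rule here is deliberately crude; whatever rule a HIC adopts, the log must be detailed enough to support it, which is why the data points in Section 10.1 matter to the design of the system rather than only to the wording of the policy.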
4. “Consumer Electronic Service Providers”
The amendments introduce the new concept of a "consumer electronic service provider" under a new Section 54.1 of PHIPA (which is not yet in force at the time of publication).
Section 54.1 of PHIPA defines "consumer electronic service provider" as "a person who provides electronic services to individuals, at their request, primarily for, (a) the purpose of allowing those individuals to access, use, disclose, modify, maintain or otherwise manage their records of PHI or (b) such other purposes as may be prescribed under regulation". Potential examples could include entities that offer individuals PHI-related services through mobile apps or online portals, or even providers of smart devices.
With this amendment, the Ontario government will recognize a new category of organizations subject to compliance obligations under PHIPA that are distinct and separate from those applicable to HICs. However, at the time of publication, the Ontario government has not provided draft regulations or any other indication of what those obligations will be. The obligations applicable to consumer electronic service providers therefore remain to be seen.
5. Requirements for De-Identification and Re-Identification
The amendments will change the definition of "de-identify" under Section 2 of PHIPA (a change that is not yet in force at the time of publication), so that the Ontario government can prescribe, by regulation, requirements and standards for the de-identification of PHI. Because a number of provisions in PHIPA mandate the de-identification of PHI, the new definition will flow through to each of them. No draft regulations have been made at the time of publication, so the requirements for de-identification under PHIPA remain to be seen.
These provisions complement re-identification provisions in s. 11.2 of PHIPA that were passed in 2019 but are not yet in force. Those provisions prohibit attempts to re-identify information that has been previously de-identified, except for a limited class of persons including HICs and prescribed entities.
The March 25, 2020 amendments to PHIPA introduce a number of key changes. Among these, new enforcement powers, including the administrative penalty, are added to the IPC's existing powers. Other amendments bring more severe penalties, a new obligation to keep electronic audit logs, the new concept of the "consumer electronic service provider", and possible regulations setting out standards for de-identification.
For more information about PHIPA or any other Canadian privacy laws, please contact the authors and see our Cybersecurity, Privacy & Data Management group page.