Quebec wants to create a new regime for the management and the protection of health and social services information
Quebec’s Premier and Health Minister announced with great enthusiasm that a reform of Quebec’s health system is in the works.
One of the main pillars of this reform is the management of health and social services information. With this in view, on December 3rd, 2021, the Minister of Health and Social Services introduced Bill 19, the Act respecting health and social services information and amending various legislative provisions (the “Act respecting health and social services information”).
Bill 19 aims to set up a new management model while modernizing and decentralizing the health network. Its goals are to enable a safer and more seamless flow of health and social services information and to simplify the rules that govern practices with regard to access to health and social services information.
The new regime sets out:
- a broader definition of “health and social services information”;
- the appointment of a health and social services information access authorization manager within the Ministère de la Santé et des Services sociaux (MSSS);
- the requirement for health and social services bodies to create a health and social services information governance policy, which will include appointing an internal person in charge and establishing a process for logging information;
- a person’s right to access his or her personal information and to request the rectification of that information where necessary;
- the general principle that, whenever possible, access to or use of the health and social services information should be in a form not allowing the person concerned to be identified directly;
- the possibility for researchers to access health and social services information without an individual's consent, but only upon obtaining authorization from the most senior officer of the institution to which they are attached or from the research access centre, as appropriate.
Purpose and scope of the Act
Health and social services information (“health information”) is defined as any information held by health and social services bodies (“health bodies”) that concerns an individual’s state of physical or mental health, any material collected in the context of an assessment or treatment, and the health services or social services provided to an individual, whether identified or not. Likewise, information obtained in the exercise of a function under the Public Health Act is considered health information.
In addition to the MSSS, a person, partnership or body operating in the health sector and in Health and Social Services Institutions as defined by the Act Respecting Health Services and Social Services (“ARHSSS”) will be subject to this new Act, as will any person, partnership or body that enters into an agreement with a health body concerning the provision of health services or social services on behalf of that body (a “health and social service provider”) with respect to the activities associated with its provision of health and social services on behalf of a health body.
It is important to mention that a person or a partnership operating a private health facility or a specialized medical centre is covered by the Act respecting health and social services information even though it is not considered an “institution” within the meaning of the ARHSSS. Indeed, Schedule II of the Act respecting health and social services information notably provides that laboratories, centres for assisted procreation, palliative care hospices, private seniors’ residences, funeral service providers and ambulance service providers are all health bodies.
The delegated manager of government digital data of the MSSS acts as the health and social services information access authorization manager and assists the Minister in the application of the Act. Bill 19 entrusts the Commission d’accès à l’information (the “Commission”) with responsibility for overseeing the carrying out of the bill and, to that end, grants the Commission inspection and investigation powers and the power to make orders.
- Confidentiality of health and social services information
Health and social services information is confidential and may only be used with the consent of the persons concerned by the information.
Where possible, access to or use of health and social services information must be in a form that does not allow the person concerned to be identified directly.
- Consent of the person concerned
As is the case in Bill 64 (the Act to modernize legislative provisions as regards the protection of personal information), the Act respecting health and social services information provides that any consent to access to health and social services information must be clear, free and informed and be given for specific purposes. Consent is valid only for the time necessary to achieve the purposes for which it was requested.
Similarly, the requirement of notification prior to the collection of health and social services information that is stipulated in the Act respecting health and social services information is the same as the one prescribed by Bill 64. Hence, a health body must, at the time of collection of health and social services information and subsequently upon request, inform the person concerned in simple and clear language:
- of the name of the body collecting the information or on whose behalf it is collected;
- of the purposes for which the information is collected;
- of the means by which the information is collected;
- of his or her right to access or rectify the information; and
- of the period of time the information will be kept.
The Act respecting health and social services information also stipulates that health and social services information may not be used within a health body except for the purposes for which it was collected, unless:
- it is used for purposes consistent with the purposes for which it was collected;
- it is clearly used for the benefit of the person concerned; or
- its use is necessary for the application of an Act in Quebec.
Additionally, with a view to sound management, only the MSSS, a health and social services institution or a health and services body referred to in Schedule I may also use the health and social services information it holds, where such use is necessary for the exercise of its functions relating to the organization and assessment of health services.
Bill 19 stipulates that the Minister of Health and Social Services is responsible for defining rules for the governance of health and social services information by health and social services bodies. Those rules are published on his or her department’s website and come into force 30 days after their approval by the Commission. These rules pertain to:
- the responsibilities of health and social services bodies and the minimization of the risk of a confidentiality incident;
- the guidelines used by professionals in assessing whether it is necessary to access information in a context where health or social services are provided;
- the conditions on which access to information may be allowed in order to prevent an act of violence, including a suicide; and
- the terms for keeping and destroying information.
The Minister also defines governance rules that comply with the guidelines, standards, strategies, directives, rules and application instructions made under the Act respecting the governance and management of the information resources of public bodies and government enterprises and other legislative provisions, which come into force 30 days after their receipt by the Commission (and the secretariat of the Conseil du Trésor). These rules will address the following subjects:
- the quality of information and, more specifically, the technical norms or standards to be used, in particular with respect to the categorization of information;
- the maintenance and evaluation of technological products or services; and
- the mobility and valorization of information.
A new framework for the management and use of health and social services information
- A special regime for the research sector
As concerns research, a person’s consent to access health and social services information concerning him or her may cover research themes, categories of research activities or categories of researchers.
A person may however refuse access to health and social services information concerning him or her for the purpose of soliciting his or her participation in a research project, or where the research project is not carried out by a researcher attached to a health and social services body, a public health and social services institution or a private health and social services institution under agreement that operates a hospital centre.
A researcher who wishes to access, without the consent of the person concerned, health and social services information necessary for carrying out a research project must present a written request for authorization to that effect to the most senior officer of the institution or body to which the researcher is attached or to the person designated by the officer. This request must include a privacy impact assessment, which must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information, the medium on which it is stored and its format.
This represents a significant paradigm shift regarding consent requirements for research activities. It addresses the repeated requests from the Quebec research community to access the Quebec government’s anonymized data. The rules proposed by Bill 19, in conjunction with those set out in the Act respecting the governance and management of the information resources of public bodies and government enterprises and other legislative provisions and in Bill 64, appear to respond to these concerns.
Before authorizing access to the health and social services information requested, the institution’s or body’s most senior officer or the person designated by the officer must consult the bodies that hold the information requested, which have 10 days to submit observations.
Access to the information necessary for the research project will be authorized if certain criteria are met and for a limited period if it is unreasonable to require obtaining the consent of the persons concerned and if the objective of the research project outweighs, with regard to the public interest, the impact of access to the information on the privacy of the person concerned. In addition, the security measures for ensuring the protection of the information that have been or will be put in place for carrying out the research project must comply with the health and social services information governance rules stipulated in the Act respecting health and social services information and the special rules defined by the health and social services network information officer.
Where the research may be carried out by accessing only information in a form that does not allow the person concerned to be identified directly, the authorization must stipulate that access to the necessary information must be solely in this form.
At any time, the authorization may be revoked, without delay or formality, should there be reason to believe that the security measures for ensuring the protection of the information that have been put in place or the conditions attached to the authorization are not being complied with, or that the protection of the information is otherwise compromised.
A researcher in the private sector who wishes to access, without the consent of the person concerned, health and social services information necessary for carrying out a research project must present a written request for authorization to the research access centre.
The access centre and the researcher may then enter into an agreement that stipulates, in particular, the conditions covering the access, the use and communication of the health and social services information, the security measures for ensuring the protection of the information, the preservation period and the destruction of the information.
- Certification of certain technological products or services
Under certain circumstances to be determined by regulation, only certified technological products or services may be used by a health and social services body. The Minister may also determine by regulation the procedure and criteria for certification with respect to the security provided by the product or service, its functionalities and its interoperability with other tools used in the network. A list of the certified technological products and services will be published on the department’s website. Certification aims to make it easier for purchasers of computing solutions in the health and social services sector to choose technological products and services that are, in particular, secure and interoperable with other information assets.
- Obligations of health and social services bodies
A health and social services body is responsible for the protection of the health and social services information it holds. It must take security measures to protect that information that are reasonable given, in particular, the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information, the medium on which it is stored and its format. It must also see to it that the information it holds is accurate.
The person exercising the highest authority within a health and social services body must ensure that these obligations are complied with. That person exercises the function of person in charge of the protection of health and social services information, and he or she may delegate this function.
A health and social services body must log all accesses to the health and social services information it holds, as well as all uses of such information by any member of the body’s personnel and any professional practising his or her profession within the body. Each year, the body sends a report to the Minister that concerns all such accesses and uses, excluding those in a context where health or social services are provided.
A health and social services body must adopt a governance policy that sets out the following:
- the roles and responsibilities of the members of the body’s personnel and the professionals practising their profession within the body;
- the categories of persons who may, in the exercise of their functions, access the health and social services information;
- an update schedule for the technological products or services the body uses;
- a procedure for processing confidentiality incidents;
- a procedure for processing complaints regarding the protection of health and social services information; and
- a description of the training and awareness activities concerning the protection of the health and social services information the body provides to its staff members and the professionals practising their profession within the body.
As is the case in the private sector, any project to acquire, develop or overhaul technological products or services, or any electronic service delivery project, where the project involves the collection, use, keeping or destruction of health and social services information or access to such information, must be the subject of a privacy impact assessment that is proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information, the medium on which it is stored and its format.
A health and social services body must also record in a register any technological product or service it uses.
- Confidentiality incident
A health and social services body that has cause to believe that a confidentiality incident involving health and social services information it holds has occurred or that there is a risk of such an incident occurring must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.
The definition of a “confidentiality incident” stipulated in the Act respecting health and social services information is based on the wording of Bill 64, except with regard to the “release not authorized by law”. Accordingly, in the Act respecting health and social services information, a “confidentiality incident” means access not authorized by law to health and social services information, use not authorized by law of such information, or loss of such information or any other breach of its protection.
If the incident presents a risk of serious injury, the body must promptly notify the Minister and the Commission. It must also notify any person whose information is concerned by the incident, failing which the Commission may order the body to do so. It may also notify any person, partnership or body that could reduce the risk and send the person, partnership or body, without the consent of the person concerned, any information necessary for that purpose.
Despite the previous paragraph, a person whose information is concerned by an incident need not be notified so long as doing so could hamper an investigation conducted by a person or body responsible by law for the prevention, detection or repression of crime or statutory offences.
A health and social services body must keep a register of confidentiality incidents. A copy of the register must be sent to the Minister or the Commission at their request.
- Keeping and destruction
According to the category of information or that of health and social services bodies concerned, a government regulation may determine the minimum period for which information must be kept.
Subject to the retention period determined by regulation, if applicable, or the provisions of the Archives Act or the Professional Code, a health and social services body must destroy health and social services information once the purposes for which it was collected or used are achieved.
- Right of access and rectification
A natural person with standing may make a request for access or rectification addressed to the person in charge of the protection of health and social services information within the body concerned. The person in charge must respond to such a request within 30 days. Where relevant, the person concerned will be allowed to examine the information sought on the premises during regular working hours or by remote access and to obtain a copy of it. Such access is free of charge, subject to reasonable fees that may be required from the applicant for the transcription, reproduction or transmission of the information, which must be made accessible in the form of a written and intelligible transcript.
A person whose request for access or rectification has been refused by the person in charge of the protection of health and social services information may apply to the Commission for a review of the decision.
- Enforcement of the Act and penalties
The Commission is responsible for overseeing the carrying out of this Act. It must also ensure respect for and promotion of the protection of health and social services information, in particular by using awareness tools. In the exercise of its functions, it may act by means of inspection or inquiry. It has very broad powers and may require the production of any document.
When informed of a security incident, the Commission may take any measure to protect the rights granted to the persons concerned.
A mandatory order of the Commission becomes enforceable within 30 days, whereas a cease-and-desist order is immediately enforceable. The orders of the Commission’s oversight division may be contested before a judge of the Court of Quebec. Such a proceeding does not suspend the execution of the order.
Anyone who contravenes the provisions of the Act is liable to a fine of up to $150,000. In the case of a subsequent offence, these fines are doubled. The prescription period for an offence under a provision of this Act is five years.
Fines for offences range from $1,000 to $10,000 in the case of a natural person and from $3,000 to $30,000 in all other cases.
A person commits an offence when he or she:
- collects, uses, keeps, destroys or accesses health and social services information in contravention of this Act or a regulation made under this Act;
- refuses to allow access to information that is accessible under this Act or impedes such access, in particular by destroying, modifying or concealing the information or by unduly delaying its transmission;
- hinders the health and social services information access authorization manager or a person in charge of the protection of health and social services information in the exercise of the manager’s or person’s functions;
- fails to report, where required to do so, a confidentiality incident to the Minister or to the Commission; or
- fails to comply with the conditions set out in an authorization issued by or an agreement entered into with the research access centre or in a contract for services agreed upon with a health and social services body.
Fines are increased to a range of $5,000 to $100,000 in the case of a natural person and to that of $15,000 to $150,000 in all other cases for any offender who:
- allows access to information that cannot be made accessible under this Act or for which access authorization has been refused under this Act;
- identifies or attempts to identify a natural person, without authorization, using de-identified information or using anonymized information;
- contravenes the obligation to use a technological product or service;
- holds health and social services information without complying with the applicable requirements;
- impedes the progress of an inquiry or inspection of the Commission or the hearing of an application by the Commission by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise;
- refuses or neglects to comply, within the prescribed time, with a demand for documents or information sent by the Commission to verify compliance with this Act;
- fails to comply with an order of the Commission.
This Act provides for organizational liability if there is proof that the offence was committed by a director, agent or employee of an organization, unless the organization establishes that due diligence was exercised and all necessary precautions were taken to prevent the commission of the offence.
Besides creating a new Act Respecting Health and Social Services Information, this Bill amends 26 Acts and repeals the Act respecting the sharing of certain health information. It is important to note that this Bill seeks to amend the ARHSSS by notably providing for the creation of a national information filing system that will enable the integration of patients’ records, their consents for the post-mortem removal of organs and tissues as well as their advance medical directives regarding end-of-life care. A regulation will determine which bodies must file in this system all or part of the information they collect.
Like most other Canadian provinces, Quebec wishes to create a full legislative framework for the management of health and social services information. Many of the principles put forward by Bill 19 are consistent with those found in the Act respecting the protection of personal information in the private sector, as amended by Bill 64, passed on September 21st by the National Assembly.
The date at which the Act will come into force is not stipulated in Bill 19. The provisions of the Act respecting health and social services information come into force at dates to be set by an order of the government. The government wishes to have this Bill passed before the end of the current parliamentary session. However, since two important bills are already being examined by the Committee on Health and Social Services, it remains to be seen whether the parliamentary committee will be able to examine the Act respecting health and social services information in time to permit its passing before June 2022.