Bill 188, the Ontario Economic and Fiscal Update Act, 2020, received Royal Assent on March 25, 2020. The Bill made significant changes to several statutes in response to the COVID-19 pandemic, including the Personal Health Information Protection Act, 2004 (PHIPA). This article provides a brief overview of the significant changes made to PHIPA.
The Personal Health Information Protection Act, 2004
PHIPA provides rules governing the collection, use and disclosure of individuals’ personal health information (PHI) in order to protect personal privacy and confidentiality of the information. In addition, subject to limited and specific exceptions, PHIPA provides individuals with a right to access their own PHI and to have it corrected.
PHIPA primarily regulates “health information custodians” (HICs), which are defined as individuals or institutions who have custody or control of PHI in connection with their powers or duties. The definition of HIC therefore includes, for example, health care practitioners, hospitals, long-term care service providers, pharmacies and laboratories.
Key Changes to PHIPA
Increased Penalties for Committing an Offence under PHIPA
Bill 188 increased the penalties for committing an “offence” under PHIPA:
- Natural persons (i.e. non-organizations) can now be subject to a fine of up to $200,000 (increased from $100,000) and face the possibility of imprisonment for committing an offence under PHIPA.
- Non-natural persons can now be subject to a fine of up to $1,000,000 (increased from $500,000) for committing an offence under PHIPA.
Administrative Penalties under PHIPA
Bill 188 also expanded the scope of the enforcement powers of the Information and Privacy Commissioner (IPC) to a variety of situations not specifically listed as “offences” under PHIPA. In particular, the IPC may now impose an administrative penalty for the purposes of:
- Encouraging compliance with PHIPA and its regulations; or
- Preventing a person from deriving, directly or indirectly, any economic benefit as a result of a contravention of PHIPA or its regulations.
The IPC can use its discretion to determine the appropriate amount of an administrative penalty for a contravention in light of the above purposes and in accordance with regulations made under PHIPA.
Notably, this administrative penalty is subject to a two-year limitation period from the day the contravention comes to the knowledge of the IPC.
Bill 188 clarifies that the use of enforcement measures provided for in PHIPA does not prohibit the use of any other enforcement measure or remedy that may otherwise be available in law in respect of the same contravention.
It is our understanding that this clarification is intended to confirm that an individual or organization that is subject to a penalty or administrative fine under PHIPA may also be liable for breaching a privacy tort at common law pertaining to the same contravention.
Changes to PHIPA establish the ability of a provincial offences officer (as defined under the Provincial Offences Act) to apply to a provincial judge or justice of the peace, without notice, for a production order requiring a person under investigation to produce documents or data.
For such an order to be issued, the provincial judge or justice of the peace must be satisfied by information given under oath or affirmation that there are reasonable grounds to believe that:
- An offence under PHIPA has been or is being committed;
- The document or data will provide evidence respecting the offence or suspected offence; and
- The person who is subject to the order has possession or control of the document or data.
A copy of a document or data produced under a production order, on proof by affidavit that it is a true copy, can be admissible in evidence in proceedings under PHIPA and has the same probative force as the original document or data would have had if it had been produced in the ordinary way.
Electronic Audit Logs
HICs that use electronic means to collect, use, disclose, modify, retain or dispose of PHI are now subject to requirements to maintain, audit and monitor “electronic audit logs”.
Electronic audit logs must include, for every instance in which a record or part of a record of PHI that is accessible by electronic means is viewed, handled, modified or otherwise dealt with:
- The type of information that was viewed, handled, modified or otherwise dealt with;
- The date and time on which the information was viewed, handled, modified or otherwise dealt with;
- The identity of all persons who viewed, handled, modified or otherwise dealt with the PHI;
- The identity of the individual to whom the PHI relates; and
- Any other information that may be prescribed.
Electronic audit logs must be provided to the IPC upon request.
These provisions are yet to be proclaimed into force by the Lieutenant Governor.
Consumer Electronic Service Providers
Bill 188 establishes and regulates a new class of entities, “consumer electronic service providers” (CESPs). CESPs are those persons who provide electronic services to individuals, at their request, primarily for the purpose of allowing those individuals to access, use, disclose, modify, maintain or otherwise manage their records of PHI.
Provisions relating to CESPs will come into force on a date to be set by the Lieutenant Governor.
Other Consequential Amendments
Other consequential amendments to PHIPA include the following:
- Prescribed persons and HICs that are providing health care to an individual may collect or use that individual’s health number, with the person’s consent, for certain verification and linking purposes.
- PHIPA now permits HICs to disclose PHI for certain purposes related to the Immunization of School Pupils Act.
- In parallel with its amendments to PHIPA, Bill 188 established “extra-ministerial data integration units” under Part III.1 of the Freedom of Information and Protection of Privacy Act. Under PHIPA, HICs are permitted to disclose PHI to extra-ministerial data integration units for the purposes of compiling statistical information to enable analysis in relation to (1) managing or allocating resources; (2) planning the delivery of programs or services; and (3) evaluating those programs or services.
- HICs may disclose PHI to the Minister of Health and Long-Term Care, or other prescribed ministers, for certain health care payment purposes.
- The right of access to records containing PHI under PHIPA has been expanded to include the right to access the record in an electronic format.
- The IPC is now permitted to inspect records of PHI, without consent, where it determines or has reasonable grounds to suspect that the record of PHI has been abandoned.
- The definition of “de-identify” has been amended under Bill 188 to mean “to remove, in accordance with such requirements as may be prescribed, any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual”.
Many of the above changes are not yet in force and are pending proclamation by the Lieutenant Governor.
In Our View
The Bill 188 amendments to PHIPA are most notable for their significant expansion of HIC liability under PHIPA.
Previously, HICs could only face monetary sanctions under PHIPA for committing an “offence”, which generally requires a “deliberate” breach of PHIPA, such that “negligently” contravening PHIPA usually does not constitute an offence. Further, only the Attorney General or his/her agent can convict an HIC for an offence under PHIPA, which has historically only occurred on rare occasions – for example, in the first ten years of PHIPA, only one HIC was convicted of an offence.
However, with the introduction of administrative fines, HICs can potentially be liable for breaches of PHIPA that result from failing to implement and follow good PHI protection practices, even where the “deliberate” element of the contravention was absent. Since administrative fines can be ordered by the IPC, there is also a higher likelihood that they will be employed on a regular basis, as a common part of orders made by the IPC.
Additionally, Bill 188 amends PHIPA to clarify that individuals may, in addition to the enforcement measures taken under PHIPA, pursue alternative avenues of compensation where a breach of PHI occurs, such as civil actions (including class action lawsuits) for breaching privacy torts at common law.
We recommend HICs re-evaluate their PHI protection practices in light of the expanded liability facing them, to ensure compliance with PHIPA and its regulations.