September 16, 2020
On March 17, 2020, the Government of Ontario declared a provincial state of emergency in response to the COVID-19 pandemic. Subsequent workplace closures and public health recommendations instantly moved a significant number of businesses online, including health care providers and organizations that use and disclose personal health information. The Government of Ontario reacted to this new reality by making significant amendments to Personal Health Information Protection Act (“PHIPA”). On March 25, 2020, these significant amendments came into force through Bill 188: the Economic and Fiscal Update Act, 2020. These amendments constitute a significant response to the expanding digital landscape that has emerged as a result of COVID-19.
What is PHIPA?
In Ontario, PHIPA came into force on November 1, 2004. PHIPA contains numerous safeguards to protect the privacy of personal health information in the province. PHIPA is the only specific privacy legislation enacted by the Ontario legislature, highlighting the protection of privacy in this sector as a clear legislative priority.
PHIPA applies to the use and disclosure of personal health information by those persons who receive personal health information from health information custodians. PHIPA limits the collection, use and disclosure of personal health information by custodians unless the custodian has the consent of the individual and the disclosure of the health information is “necessary for a lawful purpose”. A person who believes another person has contravened PHIPA may complain to the Privacy Commissioner who may further conduct a review. A person may sue for damages for actual harm caused by the contravention of PHIPA.
Notable Amendments to PHIPA
Administrative Penalties – Section 61
Section 61 of PHIPA creates a new administrative penalty regime. The powers of the Information Privacy Commissioner (IPC) have been expanded to administer administrative penalties to those who have contravened PHIPA. The amount of the penalty should encourage compliance with PHIPA and its regulations or prevent a person from deriving, directly or indirectly, any economic benefit as a result of a contravention of PHIPA or its regulations.
Maximum Penalty- Section 72
Notably, these amendments have doubled the maximum penalty for a contravention of PHIPA. These amounts are now doubled to $200,000 or up to one year imprisonment for an individual and $1,000,000 for organizations.
Production Orders- Section 71.1
Section 71.1 allows a justice to make a production order requiring an individual to produce documents or data if satisfied that an offence under PHIPA has or is being committed, the document or data will provide evidence respecting the offence or suspected offence, and the person who is subject to the order has possession or control of the document or data.
Audit Logs- Section 10.1
Health Information Custodians (“HICs”) must maintain an electronic audit log. HICs that collect, use, disclose, modify, retain, or dispose of personal health information though electronic means must now maintain an electronic audit log containing specified information. When personal health information is viewed, handled or dealt with the audit log must contain:
- the type of information that was viewed, handled, modified or otherwise dealt with;
- the date and time on which the information was viewed, handled, modified or otherwise dealt with;
- the identity of all persons who viewed, handled, modified or otherwise dealt with the personal health information;
- the identity of the individual to whom the personal health information relates; and
- any other information that may be prescribed.
Consumer Electronic Service Providers – Section 54.1
This is a new classification of entities defined as a person who provides electronic services to individuals at their request, primarily for the purpose of allowing those individuals to access, use, disclose, modify or maintain or otherwise manage their records of personal health information. There will be further provisions relating to consumer electronic service providers.
Use of Health Number – Section 34
This section allows prescribed persons and HICS to collect or use a patient’s health number with the individual’s consent for verification and linking purposes.
Electronic Format – Section 52
The right to access personal health information now includes the right to access personal health information in electronic format.
The amendments are responsive to the ever growing digital landscape which we can expect to continue to expand long after the pandemic subsides. The amendments to PHIPA contain have now expanded the liability of health information custodians. Health information custodians should familiarize themselves with all amendments to PHIPA.
The Koskie Minsky privacy team is able to assist in navigating the amendments to PHIPA and the obligations of Health Information Custodians. To speak to one of our privacy lawyers please click here.
Privacy and Compliance