Information, Privacy and Data Security Post

Employers Take Note: New PHIPA Amendments

Date: March 27, 2020

On March 25, 2020, the provincial government passed Bill 188, Economic and Fiscal Update Act, 2020, which amends various statutes, including the Personal Health Information Protection Act, 2004 (PHIPA). Included among these amendments are new requirements for health information custodians relating to electronic audit logs, requirements for “consumer electronic service providers,” the ability of justices to make production orders, administrative penalties that can be issued by the Information and Privacy Commissioner of Ontario (Commissioner) and a significant increase in the amount of penalties and possible imprisonment for offences. Unless otherwise indicated, these amendments came into force on March 25, 2020.

Health Information Custodians

PHIPA applies to a “health information custodian” (HIC), a defined term that includes a number of persons and organizations that have custody or control over personal health information (PHI). In general, a HIC includes persons involved in the delivery of health care. Obvious examples include hospitals and long-term care service providers, but the term also covers health care practitioners working for non-HICs. For example, a nurse or social worker working for a school board to provide health care would be considered a HIC.

Electronic Audit Logs

Although yet to be proclaimed into force by the Lieutenant Governor, there will be a new requirement for HICs that use electronic means to collect, use, disclose, modify, retain or dispose of personal health information to maintain, audit and monitor an electronic audit log. For every instance in which a record of PHI that is accessible by electronic means is viewed, handled, modified or otherwise dealt with, an electronic record must include:

  • the type of information
  • the date and time
  • the identity of all persons who viewed, handled, modified or otherwise dealt with the PHI, and
  • the identity of the individual to whom the PHI relates.

HICs are also required to provide a copy of the electronic log to the Commissioner, upon request, even if it contains PHI. We anticipate prescribed requirements with respect to how long to retain such logs to be forthcoming.

Consumer Electronic Service Providers

The amendments under PHIPA identify a new “consumer electronic service provider” (CESP). A CESP is a person who provides electronic services to individuals, at their request, primarily for the purpose of allowing those individuals to access, use, disclose, modify, maintain or otherwise manage their PHI records. There will be certain prescribed requirements for CESPs that provide electronic services to individuals and prescribed requirements for HICs to provide PHI to a CESP. These provisions will also come into force at a later time when proclaimed by the Lieutenant Governor.

Production Orders

PHIPA now permits a provincial offences officer to apply to a provincial judge or justice of the peace, without notice, for a production order to produce documents or produce data. In order to obtain such an order, the provincial judge/justice of the peace must be satisfied that there are reasonable grounds to believe that:

  • an offence under PHIPA has been or is being committed,
  • the document/data will provide evidence respecting the offence, and
  • the person who is subject to the order has possession or control of the document/data.

The provisions with respect to production orders come into effect immediately.

Administrative Penalties

Also effective immediately are amendments that now give the Commissioner the ability to require any person to pay an administrative penalty if he is of the opinion that the person has contravened PHIPA. The purpose behind these new powers is to encourage compliance with PHIPA and to prevent a person from deriving, directly or indirectly, any economic benefit as a result of a contravention of the Act. The amount of such administrative penalty is to reflect these purposes and is to be determined by the Commissioner in accordance with regulations to be made under PHIPA.

Increased Penalties

The penalties for offences under PHIPA have doubled. In particular, a person who is not a natural person and guilty of an offence is liable, upon conviction, to pay a fine of not more than $1,000,000.00. Previously, the amount was $500,000.00.

In addition, a natural person found guilty of an offence under PHIPA is liable, upon conviction, to pay a fine of not more than $200,000.00 (up from $100,000.00). Significantly, a natural person is also subject to a term of imprisonment of not more than one year – alone or along with the fine.

Other Amendments

Other amendments under PHIPA include, but are not limited to, the following:

  • To allow prescribed persons and HICs that are providing health care to a person, to collect or use a person’s health number, with the person’s consent, for certain verification and linking purposes.
  • To allow for the disclosure of PHI for purposes related to the Immunization of School Pupils Act.
  • To allow entities that are “extra-ministerial data integration units” under the Freedom of Information and Protection of Privacy Act to use PHI for the purpose of compiling information, including statistical information, to enable analysis in relation to the management or allocation of resources, the planning for the delivery of programs and services, and the evaluation of those programs and services.
  • To allow for the disclosure of PHI to the Minister of Health and Long-Term Care, or other prescribed ministers, for certain health care payment purposes.
  • To allow for the right of access to a record of PHI to include the right to access it in an electronic format.
  • To allow HICs to provide PHI from an electronic health record to a coroner and to provide for the collection of PHI from an electronic health record by medical officers of health for purposes related to their duties under the Health Protection and Promotion Act or the Immunization of School Pupils Act (yet to be proclaimed into force by the Lieutenant Governor).
  • To allow the Commissioner to inspect records of PHI, without consent, where the records may have been abandoned. 

Please contact your regular Hicks Morley lawyer should you require more information about these changes to PHIPA.

The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP.