Human Resources Legislative Update
Ontario Proposes Regulations on Reporting Obligations of Health Information Custodians under PHIPA and on Electronic Health Records
Date: May 4, 2020
On May 2, 2020, Ontario’s Minister of Health issued notice of proposed regulations that (1) provide clarity on the existing reporting obligations of Health Information Custodians under the Personal Health Information Protection Act, 2004 (PHIPA) and (2) empower Ontario Health to develop and maintain amalgamated Electronic Health Records (EHRs) while refining the rules relating to the personal health information in EHRs. The public is invited to provide written comments on the proposed regulation over a 60-day period, commencing on May 2, 2020 and ending on July 1, 2020.
Changes to Reporting Obligation
The proposed regulations would modify the duty of a Health Information Custodian to report an incident in which personal health information is suspected to be stolen, lost, or used and/or disclosed without authority by stipulating that Health Information Custodians must report the incident to the Information and Privacy Commissioner (IPC) “at the first reasonable opportunity.” This may be at a relatively early point in the Custodian’s investigation of a privacy or security incident.
Ontario Health and the Electronic Health Record
The proposed regulations would also introduce and refine rules that will apply to the forthcoming Ontario Health agency as well as Health Information Custodians who collect, use or disclose personal health information derived from EHRs maintained by Ontario Health.
On April 18, 2019, the Connecting Care Act, 2019 came into force and created Ontario Health. Ontario Health will oversee health care delivery, improve clinical guidance and provide support for providers to ensure better quality care for patients.
The proposed regulations would make Ontario Health responsible for developing and maintaining EHRs, including by logging, auditing and monitoring instances where personal health information in an EHR is accessed, used or otherwise dealt with. The EHR provisions of PHIPA (in Part V.1) were originally enacted in 2016 but are still not in force.
An EHR will be a secure lifetime record of one’s health history that health care providers may access in accordance with PHIPA requirements when providing care. No custodian will have sole custody or control of the personal health information in the EHR; instead, a health care provider will have custody or control of personal health information if they contribute it to the EHR or if they collect personal health information from the EHR.
The proposed regulations will help operationalize Part V.1 of PHIPA by addressing the data elements that may be used to identify individuals when a health care provider requests or collects personal health information from an EHR, breach reporting to the IPC in respect of the EHRs and requirements relating to consent directives and other technical matters.
Hicks Morley is tracking developments pertaining to the implementation of the EHRs and will continue to keep you updated. If you have any questions about these proposed regulations or any other information and privacy-related matters, please contact Matin Fazelpour at 416.864.7213, Dan Michaluk at 416.864.7253 or Alexandra Mayeski at 416.864.7028.
The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP.