Bill 78, Electronic Personal Health Information Protection Act, 2014

Matthews, Hon. Deborah Minister of Health and Long-Term Care

Versions

Bill 78 2013

An Act to amend certain Acts with respect to electronic health records

This Act amends or repeals more than one Act. For the legislative history of these Acts, see the Table of Consolidated Public Statutes – Detailed Legislative History at www.e-Laws.gov.on.ca.

Her Majesty, by and with the advice and consent of the Legislative Assembly of the Province of Ontario, enacts as follows:

Drug Interchangeability and Dispensing Fee Act

1. Clause 4 (6) (a) of the Drug Interchangeability and Dispensing Fee Act is amended by striking out "handwritten" and substituting "written".

Personal Health Information Protection Act, 2004

2. (1) Section 2 of the Personal Health Information Protection Act, 2004 is amended by adding the following definitions:

"Ministry" means the Ministry of Health and Long-Term Care; ("ministère")

"prescribed organization" means an organization prescribed for the purposes of Part V.1 and, where more than one organization has been prescribed, means every applicable prescribed organization; ("organisation prescrite")

(2) Subsection 34 (2) of the Act is amended by striking out "or" at the end of clause (c), by adding "or" at the end of clause (d) and by adding the following clause:

(e) if the person is prescribed and is collecting or using the health number, as the case may be, for purposes related to the electronic health record created or maintained by a prescribed organization.

(3) Section 51 of the Act is amended by adding the following subsections:

Application to prescribed organization

(5) Subject to the exceptions and additional requirements, if any, that are prescribed in regulations made under subsection (7), this Part applies to a prescribed organization as if it were a health information custodian with respect to the following records and as if the prescribed organization has custody or control of the records:

1. A record of personal health information that is available to health information custodians through the electronic health record created or maintained by the prescribed organization.

2. The records of personal health information kept by the prescribed organization under paragraphs 4, 5 and 6 of subsection 55.3 (2).

Application to record of a custodian

(6) Subject to the exceptions and additional requirements, if any, that are prescribed in the regulations made under subsection (7), this Part applies to a record in the custody or control of a health information custodian respecting all instances where all or part of the personal health information of the individual in the electronic health record created or maintained by a prescribed organization is viewed, handled or otherwise dealt with by the custodian.

Regulations

(7) The Minister may make regulations prescribing exceptions and additional requirements for the purposes of subsections (5) and (6).

Consultation

(8) The following rules apply to the making of a regulation by the Minister under subsection (7):

1. The public consultation requirements under section 74 apply, with necessary modification.

2. Before undertaking public consultation with respect to a regulation, the Minister shall submit a draft of the regulation to the Commissioner, and allow the Commissioner at least 30 days to review the draft regulation and make recommendations.

3. Before proceeding with public consultation with respect to the regulation, the Minister shall consider the recommendations of the Commissioner and make any changes to the draft regulation that the Minister considers appropriate.

(4) The Act is amended by adding the following Part:

Part v.1
Electronic Health Records

Interpretation

55.1 (1) In this Part,

"advisory committee" means the advisory committee established by the Minister under section 55.10; ("comité consultatif")

"consent directive" means a directive under section 55.5 and includes a directive to modify or withdraw a directive that has already been made; ("directive en matière de consentement")

"creating or maintaining the electronic health record" includes,

(a) administering, creating, integrating, managing, maintaining or servicing the electronic health record,

(b) conducting data quality assurance activities on the personal health information provided to a prescribed organization by health information custodians, and

(c) conducting analyses of the personal health information in the electronic health record in order to provide alerts and reminders to health information custodians for the custodians' use in the provision of health care to individuals; ("créer ou tenir le dossier de santé électronique")

"de-identify" and related expressions have the same meaning as in subsection 47 (1); ("anonymiser")

"electronic health record" means the record of personal health information created or maintained in electronic form by a prescribed organization to enable health information custodians to use electronic means to disclose personal health information to one another for the purpose of providing or assisting in the provision of health care to the individuals whose personal health information is in the record; ("dossier de santé électronique")

"identifying information" has the same meaning as in subsection 4 (2). ("renseignements identificatoires")

Same, collection, use, disclosure

(2) The following modifications are made to the definitions of "collect", "disclose" and "use" in section 2, and their related terms, as they relate to personal health information in the electronic health record:

1. A health information custodian that provides personal health information to a prescribed organization for the purpose of creating or maintaining the electronic health record is not considered to have disclosed the information until such time as the personal health information is viewed, handled or otherwise dealt with by any person other than that custodian or the prescribed organization.

2. A health information custodian collects personal health information on the initial instance on which it views, handles or otherwise deals with personal health information in the electronic health record that the custodian has not provided to a prescribed organization for the purpose of creating or maintaining the electronic health record. The health information custodian is not considered to have collected the personal health information on subsequent instances in which it views, handles or otherwise deals with the information, as long as no new or additional information is viewed, handled or otherwise dealt with by the custodian.

3. A health information custodian that views, handles or otherwise deals with personal health information in the electronic health record for a second or subsequent time is considered to be using, and not collecting, that information, as long as no new or additional information is viewed, handled or otherwise dealt with by the custodian.

4. A health information custodian that views, handles or otherwise deals with personal health information that the custodian provided to a prescribed organization for the purpose of creating or maintaining the electronic health record is considered to be using that information, as long as no new or additional information is viewed, handled or otherwise dealt with by the custodian.

Custodians and a prescribed organization

55.2 (1) Where a health information custodian provides personal health information to a prescribed organization for the purpose of creating or maintaining the electronic health record,

(a) the health information custodian shall not be considered in so providing the personal health information to be disclosing it to the prescribed organization; and

(b) the prescribed organization shall not be considered in so receiving the personal health information from the custodian to be collecting the information.

Obligation transferred

(2) If a health information custodian requests a prescribed organization to transfer to the custodian personal health information in the electronic health record, the obligations in section 12 apply to the custodian with respect to the information that is transferred by the prescribed organization regardless of whether the custodian has viewed, handled or otherwise dealt with the information.

Functions and responsibilities re electronic health record

55.3 (1) A prescribed organization shall exercise the following functions with respect to the electronic health record:

1. Carrying out its responsibilities under Part V and this Part.

2. Any other functions prescribed in the regulations.

Requirements re electronic health record

(2) A prescribed organization shall comply with the following requirements in creating or maintaining the electronic health record:

1. It shall take reasonable steps to limit the personal health information it receives to that which is reasonably necessary for the purpose of creating or maintaining the electronic health record.

2. It shall not permit its employees or any other person acting on its behalf to view, handle or otherwise deal with the personal health information received for the purpose of creating or maintaining the electronic health record, unless the employee or person acting on behalf of the prescribed organization agrees to comply with the restrictions that apply to the prescribed organization.

3. It shall make available to the public and to each health information custodian that provided personal health information to it for the purpose of creating or maintaining the electronic health record,

i. a plain language description of the electronic health record, including a general description of the administrative, technical and physical safeguards in place to,

A. protect against theft, loss and unauthorized collection, use or disclosure of personal health information in the electronic health record,

B. protect the electronic health record against unauthorized copying, modification or disposal, and

C. protect the integrity, security and confidentiality of the personal health information in the electronic health record, and

ii. any directives, guidelines and policies of the prescribed organization that apply to the personal health information in the electronic health record to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information.

4. It shall,

i. keep an electronic record of all instances where all or part of the personal health information in the electronic health record is viewed, handled or otherwise dealt with, and shall ensure that the record identifies the individual to whom the information relates, the type of information that is viewed, handled or otherwise dealt with, all persons who have viewed, handled or otherwise dealt with the information, and the date, time and location of the viewing, handling, or dealing with, and

ii. in the event that a health information custodian has requested that the prescribed organization transfer to the custodian personal health information in the electronic health record, keep an electronic record of all instances where all or part of the personal health information in the electronic health record is transferred to the custodian, and ensure that the record identifies the individual to whom the information relates, the type of information that is transferred, the custodian requesting the information, the date and time that the information was transferred, and the location to which the information was transferred.

5. It shall keep an electronic record of all instances where a consent directive is made, withdrawn or modified, and shall ensure that the record identifies the individual who made, withdrew or modified the consent directive, the instructions that the individual provided regarding the consent directive, the health information custodian, agent or other person to whom the directive is made, withdrawn or modified, and the date and time that the consent directive was made, withdrawn or modified.

6. It shall keep an electronic record of all instances where all or part of the personal health information in the electronic health record is disclosed under section 55.6 and shall ensure that the record identifies the health information custodian that disclosed the information, the health information custodian who collected the information, any agent who collected the information on a custodian's behalf, the individual to whom the information relates, the type of information that was disclosed, the date and time of the disclosure and the purpose of the disclosure.

7. It shall audit and monitor the electronic records that it is required to keep under paragraphs 4, 5 and 6.

8. It shall, upon the request of the Commissioner provide to the Commissioner, for the purposes of Part VI, the electronic records kept under paragraphs 4, 5 and 6.

9. It shall, upon request of a health information custodian who requires the records to audit and monitor its compliance with this Act, provide to the custodian or an agent acting on the custodian's behalf, the records kept under paragraphs 4, 5 and 6.

10. It shall perform, for each system that retrieves, processes or integrates personal health information in the electronic health record, an assessment with respect to,

i. threats, vulnerabilities and risks to the security and integrity of the personal health information in the electronic health record, and

ii. how each system that retrieves, processes or integrates personal health information in the electronic health record may affect the privacy of the individuals to whom the information relates.

11. It shall notify, at the first reasonable opportunity, a health information custodian that provided it with personal health information for the purpose of creating or maintaining the electronic health record if the personal health information that the health information custodian provided is stolen, lost or accessed by unauthorized persons.

12. It shall,

i. make available to each health information custodian that provided personal health information to the prescribed organization for the purpose of creating or maintaining the electronic health record a written copy of the results of the assessment carried out under paragraph 10 that relates to the personal health information the custodian provided, and

ii. make available to the public a summary of the results of the assessments carried out under paragraph 10.

13. It shall ensure that any third party it retains to assist in providing services for the purpose of creating or maintaining the electronic health record agrees to comply with the restrictions and conditions that are necessary to enable the prescribed organization to comply with all these requirements.

14. It shall have in place and comply with practices and procedures,

i. that are for the purpose of protecting the privacy of the individuals whose personal health information it receives for the purpose of creating or maintaining the electronic health record and for maintaining the confidentiality of the information, and

ii. that are approved by the Commissioner every three years.

15. It shall notify the Commissioner, in writing, immediately after becoming aware that personal health information in the electronic health record,

i. has been viewed, handled or otherwise dealt with by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations, or

ii. has been made available or released by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations.

16. It shall submit to the Commissioner, at least annually, a report in the form and manner specified by the Commissioner, and based on or containing any information, other than personal health information, that is kept in the electronic record required under paragraph 6 that the Commissioner may specify, respecting every instance in which personal health information was disclosed under section 55.6 since the time of the last report.

17. It shall comply with the practices and procedures prescribed in the regulations when managing consent directives.

18. It shall have in place and comply with practices and procedures that have been approved by the Minister for responding to or facilitating a response to a request made by an individual under Part V in respect of the individual's records of personal health information in the electronic health record created or maintained by the prescribed organization.

19. It shall comply with such other requirements as may be prescribed in the regulations.

Directives

(3) The Minister may make directives to a prescribed organization with respect to the carrying out of its responsibilities and functions under this section, and the prescribed organization shall comply with the directives of the Minister.

Consultation

(4) Before making a directive under subsection (3), the Minister shall,

(a) submit a draft of the directive to the Commissioner and the advisory committee for the purpose of reviewing and making recommendations on the draft directive; and

(b) consider the recommendations, if any, made by the Commissioner and the advisory committee and amend the directive if the Minister considers it appropriate to do so.

Timing

(5) The Minister shall allow the Commissioner and the advisory committee a period of at least 30 days for the purposes of review and recommendation under subsection (4), unless the Minister believes that there are urgent circumstances involving a significant risk to privacy or the confidentiality of personal health information, in which case the Minister may abridge the review period for both the Commissioner and the advisory committee to not less than five business days.

Restrictions on collection

55.4 (1) A health information custodian shall not collect personal health information from the electronic health record except for the purposes of,

(a) providing or assisting in the provision of health care to an individual; or

(b) eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, where the health information custodian believes on reasonable grounds that the collection is necessary for this purpose.

Unique identification

(2) A health information custodian may collect, use and disclose data elements prescribed in regulations made under this section for the purpose of uniquely identifying an individual in order to collect personal health information under subsection (1).

Where consent directive exists

(3) Despite subsection (1), where personal health information is subject to a consent directive provided by an individual under subsection 55.5 (1), a health information custodian may only collect the personal health information from the electronic health record if the information may be disclosed under section 55.6.

Use or disclosure

(4) Despite any other provision in this Act or the regulations, a health information custodian that collects personal health information under clause (1) (b) may only use or disclose the information for the purpose for which the information was collected.

Regulations

(5) The Minister may make regulations,

(a) prescribing the data elements that a health information custodian may collect, use and disclose for the purpose of uniquely identifying an individual in order to collect personal health information in the electronic health record under this section; and

(b) specifying data elements that may not be made subject to a consent directive.

Consultation

(6) The following rules apply to the making of a regulation by the Minister under subsection (5):

1. The public consultation requirements under section 74 apply, with necessary modification.

Consent directives

55.5 (1) Subject to the limitations prescribed in the regulations, if any, an individual may at any time make a directive that withholds or withdraws, in whole or in part, the individual's consent to the collection, use and disclosure of his or her personal health information in the electronic health record for the purposes of providing or assisting in the provision of health care to the individual.

Compliance

(2) Where a prescribed organization receives a directive made under subsection (1), it shall, in accordance with the requirements prescribed in the regulations, if any, implement the directive.

Withdrawal or modifications

(3) Subject to the limitations prescribed in the regulations, if any, an individual who has made a directive under subsection (1) may withdraw or modify the directive.

How to make directive

(4) An individual may make a directive under subsection (1) or withdraw or modify a directive under subsection (3) by submitting the directive to a prescribed organization.

Must contain sufficient detail

(5) The directive must contain sufficient detail to enable a prescribed organization to implement the directive.

Assistance

(6) If the directive does not contain sufficient detail to enable the prescribed organization to implement the directive with reasonable efforts, the prescribed organization shall offer assistance to the person in reformulating the directive to comply with subsection (5).

Information re directives

(7) If a health information custodian seeks to collect personal health information that is subject to a consent directive, a prescribed organization shall notify the custodian that an individual has made a directive under subsection (1), as long as no personal health information that is subject to the directive is provided.

Consent overrides

55.6 (1) Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive to another health information custodian if the custodian that is seeking to collect the information obtains the express consent of the individual to whom the information relates.

Same, protection of individual

(2) Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive to another health information custodian if,

(a) the custodian that is seeking to collect the personal health information believes, on reasonable grounds, that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the individual to whom the information relates; and

(b) it is not reasonably possible for the health information custodian that is seeking to collect the personal health information to obtain the individual's consent in a timely manner.

Same, protection of others

(3) Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive to another health information custodian, if the health information custodian that is seeking to collect the personal health information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person other than the individual to whom the information relates or to a group of persons.

Use or disclosure

(4) Despite any other provision in this Act or the regulations, a health information custodian that collects personal health information under this section may only use or disclose the information for the purpose for which the information was collected.

Audit, etc.

(5) A prescribed organization shall audit and monitor every instance where personal health information is collected in the circumstances described in this section.

Notice re consent overrides

(6) Where personal health information has been collected in the circumstances described in this section, a prescribed organization shall immediately provide written notice, in accordance with the requirements in the regulations, to the health information custodian that collected the personal health information.

Same

(7) Upon receiving notice under subsection (6), the custodian that collected the personal health information in the circumstances described in this section shall, at the first reasonable opportunity, notify the individual to whom the information relates, in accordance with the requirements in the regulations.

No identifying information

(8) Where personal health information has been collected in the circumstances described in subsection (3), in notifying the individual to whom the information relates, the custodian shall not provide identifying information about the person or group of persons at significant risk of serious bodily harm.

Notice: custodian

(9) Where personal health information has been collected in the circumstances described in subsection (3), the custodian that collected the personal health information shall give written notice to the Commissioner, in accordance with the regulations, in a manner that does not provide identifying information about the individual to whom the information relates or the person or group of persons at significant risk of serious bodily harm.

Medication interaction checks

55.7 Despite the contents of a consent directive, personal health information may be utilized by a system that is maintained by a prescribed organization and that retrieves, processes or integrates personal health information in the electronic health record to provide alerts to health information custodians about potentially harmful medication interactions, as long as the alerts do not reveal personal health information that is subject to the consent directive.

Provision of information to Ministry

55.8 (1) Despite section 55.4, and subject to subsection (2), the Minister may collect personal health information from the electronic health record for the purposes of,

(a) funding, planning or delivering health services that the Government of Ontario funds in whole or in part, directly or indirectly, or allocating resources to any of them; or

(b) detecting, monitoring or preventing fraud or inappropriate receipt of a payment, service or good, including any subsidy or other benefit funded in whole or in part, directly or indirectly, by the Government of Ontario, where such payment, service or good is health-related or is prescribed in the regulations.

Practices and procedures

(2) The Minister may only collect personal health information under subsection (1), if,

(a) the Lieutenant Governor in Council has prescribed not more than one unit of the Ministry to collect personal health information under subsection (1) on the Minister's behalf; and

(b) the prescribed unit of the Ministry has put in place practices and procedures,

(i) to protect the privacy of the individuals whose personal health information the Minister collects, and to maintain the confidentiality of the information, and

(ii) that are approved by the Commissioner every three years.

De-identification

(3) Where personal health information has been collected by the Minister under subsection (1), the prescribed unit shall, in accordance with the practices and procedures approved by the Commissioner under subclause (2) (b) (ii),

(a) create a record containing the minimal amount of personal health information necessary for the purpose of de-identifying the information and linking it to other information in the custody or control of the Minister; and

(b) de-identify the personal health information.

Link

(4) The prescribed unit of the Ministry may link the personal health information that has been de-identified under subsection (3) to other de-identified personal health information under the custody and control of the Minister.

Use in auditing, etc.

(5) The Minister may use personal health information obtained under subsection (1) to conduct audits where there are reasonable grounds to believe there has been inappropriate receipt of a payment, service or good, including any subsidy or other benefit funded in whole or in part, directly or indirectly, by the Government of Ontario and where such payment, service or good is health-related or is prescribed in the regulations, if,

(a) the Lieutenant Governor in Council has prescribed not more than one unit of the Ministry to use the personal health information for the purpose set out in this subsection on the Minister's behalf; and

(b) the prescribed unit of the Ministry has put in place practices and procedures,

(i) to protect the privacy of the individuals whose personal health information the Minister collects, and to maintain the confidentiality of the information, and

(ii) that are approved by the Commissioner every three years.

Disclosure

(6) The Minister may disclose personal health information used in an audit mentioned in subsection (5),

(a) where the disclosure is required by law;

(b) for the purpose of a proceeding or contemplated proceeding where the Minister or an agent or former agent of the Minister is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding; or

(c) to a law enforcement agency in Canada to aid in an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result.

No other uses and disclosures permitted

(7) Despite any other provision in this Act or the regulations, the Minister shall not use or disclose the personal health information collected under subsection (1) except as authorized by this section.

Direction to prescribed organization

(8) The Minister may issue a direction requiring a prescribed organization to provide the Minister with the information that the Minister is authorized to collect under subsection (1), and the prescribed organization must comply with such a direction.

Terms and conditions

(9) A direction made under subsection (8) may specify the form, manner and timeframe in which the information that is the subject of the direction is to be provided to the Minister.

Provision of information for purposes other than health care

55.9 (1) Despite any other provision in this Act or the regulations, the Minister may direct the disclosure of personal health information in the electronic health record to a person, as if the Minister had custody or control of the information, if,

(a) a person has requested that the Minister disclose the personal health information in accordance with clause 39 (1) (c), subsection 39 (2), section 44 or 45 of this Act;

(b) the personal health information requested by the person was provided to a prescribed organization for the purpose of creating or maintaining the electronic health record by more than one health information custodian;

(i) submitted the request to the advisory committee,

(ii) provided the advisory committee with 30 days to review the request and make recommendations to the Minister, and

(iii) considered the recommendations, if any, made by the advisory committee; and

(d) the Minister has determined that the disclosure of the personal health information would be in accordance with clause 39 (1) (c), subsection 39 (2) or section 44 or 45.

Shorter time period

(2) The Minister may shorten the time period in subclause (1) (c) (ii) if,

(a) in the Minister's opinion, the urgency of the situation requires it; and

(b) the request is for the disclosure of personal health information in accordance with subsection 39 (2).

Must comply

(3) A prescribed organization must comply with a direction under this section.

Terms and conditions

(4) A direction under this section may specify the form, manner and timeframe in which the information that is the subject of the direction is to be disclosed.

Disclosure only if necessary

(5) The Minister shall not direct the disclosure of personal health information under this section if other information will serve the purpose of the disclosure.

Only necessary disclosure

(6) The Minister shall not direct the disclosure of more personal health information than is reasonably necessary to meet the purpose of the disclosure.

Advisory committee

55.10 (1) The Minister shall establish an advisory committee for the purpose of making recommendations to the Minister concerning,

(a) practices and procedures that a prescribed organization must have in place for the purpose of protecting the privacy of the individuals whose personal health information it receives for the purpose of creating or maintaining the electronic health record and for maintaining the confidentiality of the information;

(b) practices and procedures that a prescribed organization must have in place for responding or facilitating a response to a request made by an individual under Part V in respect of the individual's records of personal health information in the electronic health record;

(c) the administrative, technical and physical safeguards a prescribed organization should have in place to protect the privacy of the individuals whose personal health information it receives for the purpose of creating or maintaining the electronic health record and for maintaining the confidentiality of the information;

(d) the role of a prescribed organization in assisting a health information custodian to fulfil its obligation to notify an individual under subsection 12 (2) in the event that personal health information in the electronic health record created or maintained by the prescribed organization is stolen, lost, or accessed by unauthorized persons;

(e) the provision of notice to individuals whose personal health information in the electronic health record is lost, stolen or accessed by unauthorized persons;

(f) anything that is referred to in this Part or in the regulations as capable of being the subject of a recommendation of the advisory committee; and

(g) any other matter referred to the advisory committee by the Minister.

Terms of reference

(2) Subject to the other provisions of this Part, the Minister shall determine the terms of reference of the advisory committee, including terms of reference with respect to conflicts of interest, the membership of the committee and the organization and governance of the committee.

Appointments

(3) The Minister shall appoint the members of the advisory committee in accordance with the requirements, if any, prescribed in the regulations.

Support by Ministry

(4) The Ministry,

(a) shall provide administrative support for the advisory committee;

(b) shall have custody and control of the records of the advisory committee for the purposes of the Freedom of Information and Protection of Privacy Act; and

(c) is responsible for compliance with the Archives and Recordkeeping Act, 2006, in connection with records created by or supplied to the advisory committee.

Required provision of information

55.11 (1) The Minister may make regulations requiring classes of health information custodians or specific health information custodians to provide personal health information to a prescribed organization for the purpose of creating or maintaining the electronic health record and specifying what personal health information they are required to provide.

Consultation

(2) The following rules apply to the making of a regulation by the Minister under subsection (1):

1. The public consultation requirements under section 74 apply, with necessary modification.

2. Before undertaking public consultation with respect to a regulation, the Minister shall submit a draft of the regulation to the Commissioner and the advisory committee, and allow the Commissioner and the advisory committee at least 30 days to review the draft regulation and make recommendations.

3. Before proceeding with public consultation with respect to the regulation, the Minister shall consider the recommendations of the Commissioner and the advisory committee and make any changes to the draft regulation that the Minister considers appropriate.

Regulations, Lieutenant Governor in Council

55.12 (1) The Lieutenant Governor in Council may make regulations for carrying out the purposes and provisions of this Part.

Same

(2) Without limiting the generality of subsection (1), the Lieutenant Governor in Council may make regulations,

(a) prescribing one or more organizations to be a prescribed organization for the purposes of this Part and respecting the purposes for which such an organization is prescribed;

(b) prescribing additional functions of a prescribed organization under this Act;

(c) prescribing additional requirements with which a prescribed organization must comply in creating or maintaining the electronic health record;

(d) governing the notices that are required under section 55.6 and requiring notices under other circumstances and governing such notices;

(e) prescribing the level of specificity at which personal health information may be made subject to a consent directive, including whose collection, use and disclosure of the information may be restricted;

(f) prescribing the units of the Ministry that will be permitted to collect, use and disclose personal health information from the electronic health record on behalf of the Minister for the purposes described in section 55.8;

(g) respecting the provision of services related to the electronic health record by a prescribed organization directly to individuals;

(h) providing for anything that under this Part may or must be provided for or prescribed in the regulations, unless the Minister is specifically empowered to make regulations with respect to the matter.

Review

(3) The Minister shall review every regulation made under the authority of clause (2) (e) at least once in every three-year period.

Public consultation

(4) Section 74 applies, with necessary modification, to the making of a regulation under this section.

(5) Clauses 72 (2) (a) and (b) of the Act are repealed and the following substituted:

(a) if the person is a natural person, to a fine of not more than $100,000; and

(b) if the person is not a natural person, to a fine of not more than $500,000.

(6) Section 72 of the Act is amended by adding the following subsections:

Protection of information

(6) In a prosecution for an offence under subsection (1), the court may take precautions to avoid the disclosure by the court or any person of any personal health information about an individual, including, where appropriate, conducting hearings or parts of hearings in private or sealing all or part of the court files.

No limitation

(7) Section 76 of the Provincial Offences Act does not apply to a prosecution under this Act.

Regulated Health Professions Act, 1991

3. The Regulated Health Professions Act, 1991 is amended by adding the following section:

Electronic health records

36.2 (1) The Minister may make regulations,

(a) requiring one or more Colleges to collect from their members information relating to their members that is specified in those regulations and that is, in the Minister's opinion, necessary for creating or maintaining the electronic health record;

(b) requiring the College or Colleges to provide the information to a prescribed organization in the form, manner and timeframe specified by the prescribed organization;

Members to provide information

(2) Where the Minister has made a regulation under subsection (1), and a College has requested information from a member in compliance with the regulation, the member shall comply with the College's request.

Use and disclosure by prescribed organization

(3) Despite a regulation made under subsection (1), the prescribed organization,

(a) may only collect, use and disclose information under this section for the purpose provided for in subsection (1);

(b) shall not use or disclose personal information collected under this section if other information will serve the purpose; and

Notice required by s. 39 (2) of FIPPA

(4) Where the Minister has made a regulation under subsection (1), and a College is required to collect personal information from its members, the notice required by subsection 39 (2) of the Freedom of Information and Protection of Privacy Act is given by,

(a) a public notice posted on a prescribed organization's website; or

(b) any other public method that may be prescribed in regulations made by the Minister under subsection (1).

Same

(5) If a prescribed organization publishes a notice referred to under subsection (4), the prescribed organization shall advise the College of the notice and the College shall also publish a notice about the collection on the College's website within 20 days.

Definitions

(6) In this section,

"creating or maintaining the electronic health record" has the same meaning as in Part V.1 of the Personal Health Information Protection Act, 2004, and includes, for greater certainty, accurately identifying members in connection with electronic health records; ("créer ou tenir le dossier de santé électronique")

"information" includes personal information, but does not include personal health information; ("renseignements")

"personal health information" has the same meaning as in the Personal Health Information Protection Act, 2004; ("renseignements personnels sur la santé")

"prescribed organization" has the same meaning as in section 2 of the Personal Health Information Protection Act, 2004. ("organisation prescrite")

Commencement

4. This Act comes into force on a day to be named by proclamation of the Lieutenant Governor.

Short title

5. The short title of this Act is the Electronic Personal Health Information Protection Act, 2013.

EXPLANATORY NOTE

Various Acts are amended to deal with electronic health record issues.

The Drug Interchangeability and Dispensing Fee Act is amended to remove the requirement that certain instructions on prescriptions be handwritten.

Numerous amendments are made to the Personal Health Information Protection Act, 2004.

Section 34 of the Act is amended to permit prescribed persons who are not health information custodians to collect and use health numbers for the purpose of creating or maintaining the electronic health record.

Section 51 of the Act is amended to make Part V of the Act apply to a prescribed organization as if it were a health information custodian with respect to the specified records and as if the organization has custody or control of the records. Section 51 is also amended to apply Part V to certain records in the custody or control of a health information custodian.

The Bill adds a new Part V.1, "Electronic Health Records" to the Act.

The Bill permits the Lieutenant Governor in Council to prescribe organizations for the purposes of Part V.1 of the Act ("prescribed organization").

Various terms are defined for the purposes of Part V.1, and definitions in the Act as they relate to personal health information in the electronic health record are modified.

The Minister is required to establish an advisory committee for the purpose of making recommendations to the Minister concerning specified matters related to the electronic health record. The Minister may determine the terms of reference of the advisory committee, and appointments to the committee. The Ministry shall provide administrative support for the committee.

A prescribed organization is required to exercise enumerated functions with respect to the electronic health record, and must comply with specified requirements in creating or maintaining the electronic health record. The Minister is authorized to make directives to a prescribed organization with respect to the carrying out of these responsibilities and functions. The Minister would be required to take the recommendations of the advisory committee and the Information and Privacy Commissioner into account before so directing a prescribed organization.

Part V.1 prohibits a health information custodian from collecting personal health information from the electronic health record maintained by a prescribed organization except for the purposes of providing or assisting in the provision of health care to an individual, or eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, where the health information custodian believes on reasonable grounds that the collection is necessary for this purpose. Part V.1 permits health information custodians to collect, use and disclose prescribed data elements for the purpose of uniquely identifying individuals in order to collect their personal health information in the electronic health record.

An individual may provide to a prescribed organization a directive that withholds or withdraws the individual's consent to the collection, use and disclosure of his or her personal health information contained in the electronic health record for the purpose of providing or assisting in the provision of health care to the individual. The individual is permitted to amend and modify a directive previously made. The prescribed organization would be required to comply with the directive.

A health information custodian is authorized to disclose personal health information despite the contents of a consent directive in specified circumstances, including: to another health information custodian with the express consent of the individual to whom the information relates; to another custodian if the custodian that is seeking to collect the information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the individual to whom the information relates, and it is not reasonably possible for the custodian to obtain the individual's consent in a timely manner; and to another custodian if the custodian that is seeking to collect the information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person other than the individual to whom the information relates or to a group of persons.

A prescribed organization is required to audit, log and monitor access to personal health information that is the subject of a consent directive, and provide notice to health information custodians where consent directives are overridden as described above. A health information custodian so notified would be required to notify the individual who provided the consent directive and the Information and Privacy Commissioner.

Despite a consent directive, a prescribed organization is permitted to use personal health information to provide alerts to health information custodians about potentially harmful medication interactions, as long as the information that is subject to the directive is not provided.

The Minister may collect personal health information from the electronic health record for funding, planning and delivering health services funded by the Government of Ontario, and for detecting, monitoring or preventing fraud or inappropriate receipt of health-related payments, goods or services funded by the Government of Ontario. The Minister may use this information to conduct audits where there are reasonable grounds to believe there has been an inappropriate receipt of a payment, service or good funded by the Government of Ontario, and may disclose this information where required by law, for the purpose of a legal proceeding or to a law enforcement agency. The Lieutenant Governor in Council must prescribe a unit of the Ministry to collect and use the information for these purposes. Part V.1 would require the Ministry to take certain steps to de-identify such personal health information. The Ministry would be required to put in place practices and procedures to protect the privacy of the individuals whose personal health information the Ministry collects for such purposes. These practices and procedures would require the approval of the Information and Privacy Commissioner every three years.

When the required conditions are met, the Minister may direct the disclosure of personal health information in the electronic health record to persons specified by the Minister as if the Minister had custody or control of the information for the purposes of certain provisions of the Act. In directing the prescribed organization to make such disclosures, the Minister is required to take into account any recommendations of the advisory committee.

Regulation-making powers of the Minister and Lieutenant Governor in Council are provided for.

The Act is amended to increase fines for persons guilty of offences under the Act, to provide that there is no limitation period for prosecution for offences under the Act and to permit the court to take precautions to avoid the disclosure of personal health information in the course of a prosecution under the Act.

The Regulated Health Professions Act, 1991 is amended to permit the Minister to make regulations requiring a regulated health professional college to collect from its members information specified in the regulations that is necessary for ensuring effective electronic health records and requiring the college to disclose such information to a prescribed organization. A member of the college would be required to comply with the college's request for information.