
Posted in: Privacy

Aug 17, 2017

Recent Changes to Ontario’s Personal Health Information Protection Act

By Meghan A. Cowan

A number of changes have been introduced to Ontario’s Personal Health Information Protection Act (“PHIPA”). The Ontario government filed a new regulation on June 29, 2017 (Ontario Regulation 224/17, the “New Regulation”). The New Regulation comes into force on October 1, 2017 and imposes a variety of new reporting requirements on health information custodians under PHIPA.

By way of background, PHIPA governs the collection, use and disclosure of ‘personal health information’ (i.e. identifying information about an individual that relates to their physical or mental health) by health information custodians. Health information custodians (“HICs”), in turn, are defined in the legislation as persons involved in delivering health care services, such as practitioners, hospitals and pharmacies. Agents of HICs (e.g. employees at a doctor’s office) hold the same duties and responsibilities as HICs under PHIPA.

The recent amendments to the PHIPA regime appear to be in response to a number of cases reported in the media of employees disclosing personal health information. Examples include two workers at the Princess Margaret Cancer Centre who snooped on the late Mayor Ford’s electronic health records and a North Bay nurse who accessed 5,800 patient records.

The changes to PHIPA include the following:

  • Changes to breach notification procedures: PHIPA previously provided that HICs were responsible for taking steps to ensure that personal health information was protected against theft, loss or unauthorized use or disclosure. The New Regulation now requires HICs to notify the Privacy Commissioner of Ontario in the following circumstances:
    • The HIC has reasonable grounds to believe that:
      • personal health information was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing that information without authority;
      • personal health information in the HIC’s custody or control was stolen; or
      • after an initial loss or unauthorized use or disclosure of personal health information in the HIC’s custody or control, the personal health information was or will be further used or disclosed without authority.
    • The loss or unauthorized use of personal health information is part of a pattern of similar conduct.
    • The HIC determines that the loss or unauthorized use or disclosure of personal health information is significant after considering the following: (a) whether the personal health information is sensitive, (b) whether the loss or unauthorized use or disclosure involved a large volume of personal health information, (c) whether the loss or unauthorized use or disclosure involved many individuals’ personal health information, and (d) whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure of the personal health information.
  • Notice to College: Section 17 of PHIPA requires an HIC to give notice to a College if a member of that College is terminated, suspended or subject to disciplinary action as the result of the unauthorized collection, use, disclosure, retention or disposal of personal health information. The New Regulation now provides that the HIC must notify a College of an event that relates to a loss or unauthorized use or disclosure of personal health information.
  • New reporting requirements: The New Regulation also requires all HICs to provide the Privacy Commissioner with a report on March 1 of each year setting out the number of times in the previous calendar year that personal health information was (a) stolen, (b) lost, (c) used without authority, and (d) disclosed without authority. This reporting requirement will commence in 2019.

Health information custodians should take note of these developments and take further steps to train their practitioners and employees on handling personal health information.
