Ontario government to strengthen health privacy laws
In the wake of a number of high-profile privacy breaches that flooded the media over the past year, Ontario’s Ministry of Health and Long-Term Care (the “Ministry”) has officially announced its intention to introduce amendments to the Personal Health Information Protection Act (“PHIPA”) in order to strengthen the protections surrounding the privacy of personal health information.
Amendments to the Personal Health Information Protection Act
The specific amendments the Ministry proposes to make to PHIPA include:
- Introducing a mandatory reporting requirement, such that all privacy breaches would need to be reported to the Information and Privacy Commissioner of Ontario (IPC) and, in certain cases, to relevant health regulatory colleges;
- Doubling the existing fines for privacy violations from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations;
- Eliminating the requirement that prosecutions of offences under PHIPA must be commenced within six months of the alleged privacy breach; and
- Providing additional protections to address the unique privacy concerns raised by the use of electronic medical records (“EMRs”).
Reintroduction of the Electronic Personal Health Information Protection Act
As part of this initiative, the Ministry has indicated its intention to reintroduce protections set out in the Electronic Personal Health Information Protection Act, 2013 (“E-PHIPA”). The IPC voiced support for this measure, which was in fact a recommendation it made in its 2014 Annual Report.
E-PHIPA was originally introduced in the Ontario Legislature in 2013, but did not survive past second reading. It was designed to amend PHIPA to establish a single provincial electronic health record (“EHR”) that would be created and maintained by organizations prescribed by regulation (“Prescribed Organizations”). The EHR would enable multiple health care providers within a patient’s circle of care to share the information contained in a patient’s EMR. Currently, eHealth Ontario has the authority to create and maintain electronic health records.
The focus of E-PHIPA was to guarantee adequate privacy and security protections for the EHR. For example, E-PHIPA would amend PHIPA to clarify how health care providers may collect, use and disclose personal health information in the EHR.
E-PHIPA would also preserve patients’ right to control what appears in their EHR by introducing “consent directives.” Like the “lock-box” provisions of PHIPA, consent directives permit individuals to identify what information in the EHR can and cannot be shared with other health care providers. Prescribed Organizations would be responsible for managing and implementing consent directives. E-PHIPA sets out specific circumstances in which a patient’s instructions to withhold certain information in the EHR can be overridden, including where disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to the patient or another person, and for the purpose of alerting health care providers about potentially harmful medication interactions.
In addition, E-PHIPA contains a provision to establish an advisory committee that would be responsible for providing guidance to Prescribed Organizations and making recommendations to the Minister of Health on matters related to the EHR.
At a time when headlines such as “Privacy of Rob Ford’s medical records breached by third hospital” and “Hundreds of hospital privacy violations go unreported” permeate the news, it is not surprising that the Minister of Health has committed to taking steps to enhance the protection of personal health information. A bill containing the proposed amendments is likely to be introduced when the Ontario Legislature resumes in the fall.
It is unclear at this time whether the Ministry intends to reintroduce E-PHIPA in its entire original form, or whether only specific provisions will be incorporated into a new bill. When E-PHIPA was first introduced in 2013, it was criticized for failing to provide details respecting implementation of the EHR, such as: whether information subject to a consent directive will be stored in the EHR with limited access, or will be excluded from the EHR entirely; how breaches of the EHR will be managed; and who will be held liable for such breaches. It will be interesting to see whether the new bill tabled this fall addresses any of these previously identified shortcomings.
We will share updates on our blog as these amendments progress through the Legislature.