Ontario passes amendments to protect patient privacy, improve transparency

Reforms to health privacy legislation that passed third reading in the Ontario legislature this week to enhance patient privacy, bringing the province into line with several other jurisdictions, says Toronto health lawyer Mary Jane Dykeman.

“They reflect a new standard and expectation around protecting individual privacy and confidentiality of the personal health information held by health information custodians such as hospitals, long-term care homes, and community mental health and addictions agencies,” Dykeman, partner with DDO Health Law, tells

“We’ve seen numerous developments over the past two years, including several high-profile breaches, increased media attention, class-action lawsuits and Attorney General prosecutions,” Dykeman notes. The first successful prosecution of a teaching hospital’s employees for snooping has just been announced. Toronto Star

In one case, former hospital employees inappropriately accessed and sold patient information, she says, resulting in a successful prosecution by the Ontario Securities Commission for securities fraud.

The changes, under Bill 119, the Health Information Protection Act, are aimed at protecting patient privacy and improving transparency. The Act amends two key pieces of legislation, the Personal Health Information Protection Act (PHIPA) and the Quality of Care Information Protection Act (QCIPA).

The bill’s key reforms to PHIPA include:

  • Doubling the maximum fines for privacy offences from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations.
  • Strengthening the process to prosecute offences under PHIPA by removing the requirement that prosecutions must be commenced within six months of when the alleged offence occurred.

Dykeman says the six-month deadline was a focal point in the case of a nurse in North Bay accused of snooping into close to 6,000 patient records. Her case was dismissed because the Crown took 16 months. “That was frustrating for many people,” she says. Toronto Star

Under the changes, it will become mandatory to report privacy breaches, as defined in regulation, to the Information and Privacy Commissioner and, in certain circumstances, to health regulatory colleges.

The new reporting requirement was urged by Ontario’s Information and Privacy Commissioner Brian Beamish, Dykeman says.

Previously, health information custodians have only been required to give notice of a privacy breach to the affected individual. “But there was no requirement to actually alert the Information and Privacy Commissioner,” she says.

This change brings Ontario into line with other jurisdictions, says Dykeman’s law partner, Kate Dewhirst.

The accompanying requirement to alert relevant governing health colleges — in cases where an employee or agent of a health information custodian is terminated, suspended or subject to disciplinary action arising out of unauthorized collection, use, disclosure and other privacy infringements — is reminiscent of provisions already in place in the Regulated Health Professions Act, Dewhirst says.

Under those rules, organizations must report to the relevant colleges if there is believed to be professional misconduct, or if the health practitioner in question is incompetent or incapacitated, she says.

Dewhirst adds, “This change is presumably aimed at including physicians and other independent contractors who are not direct employees but who collect, use and disclose personal health information on behalf of health information custodians.”

Dykeman also notes that other provisions of Bill 119 will govern an electronic provincial health record and establish the responsibilities of eHealth Ontario in its overarching role of managing that electronic system. More details about those changes, and what health information custodians should do to prepare, will emerge in the coming days, she says.

Bill 119 also amends QCIPA to clarify that facts about critical incidents cannot be withheld from affected patients and their families.

Under the reforms, the Minister of Health and Long-Term Care will have to review QCIPA every five years.

Notes Dewhirst, “One of the challenges with QCIPA over the years since it came into force in 2004, has been its uneven application by various health-care organizations.”

Dykeman adds, “All said, we will be monitoring all of these new rules very closely over the next while,” she says, noting that many details that will operationalize Bill 119 have been left to the regulations.

To Read More Mary Jane Dykeman Posts Click Here