Even before joining the IPC, I always admired Ontario’s Personal Health Information Protection Act (PHIPA) for its “gutsiness.” PHIPA introduced many novel concepts for its time. These include the first breach notification requirement in the country; a comprehensive code for consent and substitute decision-making; and a research governance framework that integrates a custodian’s data stewardship obligations with applicable national ethics standards and mandatory review by a research ethics board.
PHIPA also introduced the prelude to the “data trust” model. It designated certain prescribed entities and registries with significant latitude to use Ontarians’ personal health information (PHI) entrusted in their care for public good purposes, subject to strict accountability requirements. This includes a detailed review of their privacy practices and procedures by the IPC every three years.
PHIPA has evolved over the last 16 years, and in case you missed the memo, it has undergone a whole series of additional changes in 2020. These have been incremental but consequential.
Enhanced rights and responsibilities; stronger enforcement
For instance, last March, Bill 188 doubled the size of fines for offences under PHIPA, now up to $200,000 for individuals and $1,000,000 for corporations.
Bill 188 also introduced administrative penalties for the Information and Privacy Commissioner – a very first in Canada – whereby my office will be able to impose administrative monetary penalties directly against persons who contravene PHIPA. The penalty amounts and their administration have yet to be determined by regulation.
Along with new “teeth,” Bill 188 ushered in new rights and responsibilities:
- rights for individuals to obtain access to their PHI in electronic format (pursuant to regulations to be prescribed) so they could take steps to manage their own health information, including potentially through patient portals and health apps;
- responsibilities for the providers of these patient portals and digital health apps (new entities called “consumer electronic service providers”) to comply with certain requirements that have yet to be defined in regulations.
Also, the bill sets out explicit requirements for all custodians to maintain and monitor an electronic audit log of all instances where PHI is viewed, handled, modified, or otherwise dealt with, and to provide a copy of this log to my office on request (not yet in force).
Ontario’s Electronic Health Record at long last
On October 1, 2020, new regulations designated Ontario Health as the prescribed organization responsible for bringing to life the province’s long-awaited-for electronic health record (EHR) under Part V.1 of PHIPA. One of the main goals of the EHR is to ensure that Ontarians’ comprehensive health information is brought together in a consistent format under a single, virtual ‘roof.’ This will make the information readily accessible to a broad range of health care providers across a wide spectrum of care settings, enabling more efficient and better-integrated care.
Part V.1 establishes a comprehensive privacy and accountability framework for the EHR. It defines an extensive role for Ontario Health as the administrator of the EHR subject to oversight by my office. It allocates shared responsibilities among multiple custodians using the EHR, to establish “who’s on first.” For example, it clarifies the rules for custodians seeking to upload or download PHI, to or from the EHR; rules for honoring an individual’s consent directives and rules for overriding them, subject to notice requirements. There are also new rules for breach notification adapted specifically for the EHR context.
There are new rules that allow coroners, medical officers of health, and the ministry of health data integration unit (designated under Part III.1 of FIPPA) to collect PHI from the EHR. The Minister of Health may also direct disclosure of PHI from the EHR to others (for example, researchers) on request, subject to consultation with a yet-to-be- established advisory committee. This concept of an advisory committee is yet another interesting aspect of PHIPA.
Other PHIPA regulations relating to the digitization of PHI will come into force on January 1, 2021. These regulations set out a framework for establishing, monitoring, and enforcing compliance with interoperability specifications. Interoperability helps ensure that custodians’ electronic information systems, or “digital health assets,” can “speak to one another” making it easier for custodians to share PHI seamlessly across institutions.
Ontario Health has been charged with making these interoperability specifications, in consultation with my office (particularly where individuals’ privacy and access rights are at issue), and subject to approval by the Minister of Health. Ontario Health will also be required to publish these specifications, develop a certification process to green light electronic systems that meet the required specifications, and monitor custodians’ compliance with these specs.
2020 – A big year for PHIPA
Looking back, 2020 was a big year for PHIPA. These significant amendments speak to the intricacies of our new digital health reality. They demonstrate how incredibly complex the health system has become as it strives to deliver highly personalized digital health solutions at the individual level, while also increasing data sharing across different entities to help solve broader public health issues, like those we have seen with COVID-19, for example.
The elephant left standing in the room is how best to regulate the increasing number of private sector actors becoming inextricably linked into Ontario’s digital health system. PHIPA has already shown itself ready to hold some private sector players (like health information networks providers and consumer electronic service providers) to certain obligations, but what about others? This must certainly be on the mind of many as Ontario continues to consult on a possible made-in-Ontario private sector privacy law. Such a law, if adopted, would need to jive well with the growing tentacles of PHIPA to create a seamless and integrated regime, that is both practical and coherent.
This post is also available in: French