With Royal Assent being given to Bill 188 – Economic and Fiscal Update, 2020, changes have been made to the Personal Health Information Protection Act (PHIPA). Several of these changes have a direct impact on health information custodians.
The definition of de-identify, in relation to the personal health information of an individual, has been changed to mean: to remove, “in accordance with such requirements as may be prescribed,” any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual, and “de-identification” has a corresponding meaning. This new definition does not come into effect until proclamation by the Lieutenant Governor.
A new section has been added to the PHIPA that requires health information custodians using an electronic document system to maintain, audit and monitor an electronic audit log. The custodian is to audit and monitor the log as often as required by the regulations. A copy of the audit log is to be provided to the Information Privacy Commissioner, on request. The audit log must include, for every time a record containing personal health information is viewed, handled, modified or otherwise dealt with, the following information:
- type of information viewed, handled or modified;
- date and time the information was viewed, handled or modified;
- the identity of the person who viewed, handled or modified the personal health information;
- the identity of the individual to whom the personal health information relates; and,
- any other information that may be prescribed.
The requirement to maintain and monitor an electronic audit log does not come into effect until proclamation by the Lieutenant Governor. However, health information custodians should be proactive and determine the capabilities of their electronic document system for generating an audit log, and ensure that it will generate the information set out in the legislation. This will provide the time needed to update, or perhaps replace, the system if the electronic audit log does not comply with the prescribed requirements.
The inclusion of a requirement to audit and monitor the audit log sets an expectation that the health information custodian is taking steps to ensure that there has not been unauthorized access to patient personal health information, and that there have not been security breaches in the electronic document system.
PHIPA now provides that an individual’s right to access a record of personal health information includes the right to access it in an electronic format.
A new section has been added to PHIPA that relates to “consumer electronic service providers” (CESP). A CESP is “a person who provides electronic services to individuals at their request, primarily for, the purpose of allowing those individuals to access, use, disclose, modify, maintain or otherwise manage their records of personal health information.” A health information custodian that provides personal health information to a CESP will have to comply with prescribed requirements and procedures. This section does not come into effect immediately; a proclamation by the Lieutenant Governor is required.
By significantly increasing the administrative penalties it can order against a person that has contravened PHIPA, the provincial legislature is sending a strong message that it expects health information custodians to protect the privacy of their patients. If the offender is a natural person, the potential maximum penalty for an offence under PHIPA was increased to $200,000, with the possibility of imprisonment. If the potential offender is not a natural person, the potential maximum penalty was increased to $1,000,000.
PHIPA sets out administrative penalties only. It does not preclude an individual (or an entire class of individuals) from commencing litigation against a health information custodian if there was a breach of privacy relating to their personal health information.
The Lerners privacy law team is able to assist health information custodians in navigating their obligations under the Personal Health Information Protection Act.