On March 25, 2020, Ontario amended the Personal Health Information Protection Act (PHIPA). The amendments are unrelated to the COVID-19 pandemic and largely fall into two categories. First, there are increases to the penalties for offences and a new power given to the Information and Privacy Commissioner (IPC) to impose administrative penalties. Second, there are various amendments, many of which have yet to come into force, that aim to further regulate the use of electronically-stored Personal Health Information (PHI).
Tougher enforcement measures
The amendments grant the IPC the novel power to impose “administrative penalties.” These penalties may be imposed to encourage compliance with PHIPA, or to prevent people from deriving a direct or indirect economic benefit from a breach of PHIPA. The IPC will determine the amounts for these administrative penalties in accordance with regulations that the Government of Ontario has yet to enact. The regulations, when they become available, will likely give a better sense of the scale of the administrative penalties contemplated and the factors that will be considered in their imposition.
Earlier this month, the Ontario Legislature appointed Patricia Kosseim as the next Information and Privacy Commissioner of Ontario. Ms. Kosseim brings considerable experience to the role, having served over a decade as Senior General Counsel and Director General at the Office of the Privacy Commissioner of Canada. It will be interesting to see whether Ms. Kosseim will avail herself of this novel power to impose administrative penalties or whether it will be treated as a more symbolic power.
Because custodians may now face penalties when they benefit economically, albeit indirectly, from breaches of PHIPA, this may be a good time for custodians to review some of their internal policies and processes. For example, custodians may consider ensuring that their uses and disclosures of PHI for fundraising and research purposes comply with the requirements of PHIPA.
Maximum fines doubled
The amendments increase the maximum fines for offences under PHIPA from $100,000 to $200,000 for individuals, and from $500,000 to $1,000,000 for organizations. An individual found guilty of an offence under PHIPA can also face up to one year’s imprisonment. To date there have been only a handful of prosecutions under PHIPA with very few convictions. The increases in fines might therefore not change much in practice, but may help to deter wrongful conduct.
Availability of other remedies for breach of privacy
The amendments clarify that the right to sue for breach of privacy under section 65 of PHIPA does not prevent individuals from seeking other remedies. This amendment essentially codifies the Ontario Court of Appeal’s ruling in Hopkins v. Kay, 2015 ONCA 112 that section 65 of PHIPA does not preclude actions for intrusion upon seclusion.
Moving to electronic records
Right to access PHI in an electronic format
The amendments also, for the first time, will grant individuals the right to access their records in an electronic format that meets the requirements set out in PHIPA regulations. These requirements have not yet been determined so this amendment will not be implemented until some time in the future. However, custodians may want to start considering how they will comply with this amendment when it comes into force. One option may be through providers of online solutions that give patients a way to access their own health records.
Consumer electronic service providers
Over the past few years, there has been a growing interest in digital platforms and applications that give individuals direct electronic access to their PHI. In Ontario, this phenomenon has been marked by the emergence of platforms such as PocketHealth, My Chart, and TELUS Health’s Personal Health Records program, which allow patients to access some of their health records or information online.
The amendments will bring these online providers (referred to as “consumer electronic service providers”) within PHIPA’s purview. Consumer electronic service providers will be able to collect individuals’ health numbers, with consent, for the purpose of identity verification. They will have to comply with other requirements, which have not yet been adopted through regulation.
The amendments clarify that when an individual uses a particular consumer electronic service provider to request access to his or her PHI, the custodian is not obligated to respond through that same provider. Therefore, even though individuals will have the right to access their PHI electronically, they will not necessarily have the right to access it using the electronic platform of their choice. Custodians may decide to rely on commercial platforms, or to develop their own.
Again, these amendments are not yet law. However, they indicate that the Ontario government is taking an increased interest in online tools that will allow patients to access and manage their own PHI.
Electronic audit logs
The amendments will impose new obligations on custodians to maintain “electronic audit logs” to track access to all PHI that is collected or stored electronically. Custodians will be required to create an audit log for each individual, and to create a new entry in the audit log each time the individual’s PHI is accessed electronically. Each entry must include the following information:
- the type of PHI that was accessed;
- the date and time at which the PHI was accessed;
- the names of the persons who accessed the PHI; and
- the name of the individual whose PHI was accessed.
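As an added illustration, not code from the original page or from any vendor or custodian, the following Python sketch records the four fields listed above as one append-only log per individual and hash-chains the entries so that after-the-fact edits to who accessed what are detectable. The field names, the SHA-256 chaining scheme and the sample accesses are assumptions constructed for the example; PHIPA and its pending regulations prescribe the content of an entry, not any particular storage or integrity mechanism.

```python
"""Per-individual, tamper-evident electronic audit log (illustrative, not a
custodian's or vendor's implementation). Each entry carries the four fields the
PHIPA amendments require and the hash of the previous entry for that individual."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class AuditEntry:
    individual: str         # name of the individual whose PHI was accessed
    accessed_by: List[str]  # names of the persons who accessed the PHI
    phi_type: str           # type of PHI accessed (e.g. "lab result")
    accessed_at: str        # ISO-8601 UTC date and time of the access
    prev_hash: str          # hash of the previous entry in this individual's log
    entry_hash: str = ""    # hash of this entry, set on append

    def payload(self) -> str:
        # Canonical serialisation so the hash is reproducible at verification time.
        return json.dumps(
            {"individual": self.individual, "accessed_by": self.accessed_by,
             "phi_type": self.phi_type, "accessed_at": self.accessed_at,
             "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))

    def compute_hash(self) -> str:
        return hashlib.sha256(self.payload().encode("utf-8")).hexdigest()


class AuditLog:
    """One append-only chain of entries per individual (assumed design)."""
    GENESIS = "0" * 64  # prev_hash of the first entry in every chain

    def __init__(self) -> None:
        self._logs: Dict[str, List[AuditEntry]] = {}

    def record(self, individual: str, accessed_by: List[str], phi_type: str,
               accessed_at: Optional[str] = None) -> AuditEntry:
        chain = self._logs.setdefault(individual, [])
        prev = chain[-1].entry_hash if chain else self.GENESIS
        ts = accessed_at or datetime.now(timezone.utc).isoformat()
        entry = AuditEntry(individual, list(accessed_by), phi_type, ts, prev)
        entry.entry_hash = entry.compute_hash()
        chain.append(entry)
        return entry

    def entries_for(self, individual: str) -> List[AuditEntry]:
        return list(self._logs.get(individual, []))

    def verify(self, individual: str) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self._logs.get(individual, [])):
            if e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False, i
            prev = e.entry_hash
        return True, None

    def accesses_by(self, person: str) -> List[AuditEntry]:
        """Every entry naming `person` as an accessor, across all individuals."""
        return [e for chain in self._logs.values() for e in chain
                if person in e.accessed_by]


def demo() -> Tuple[Tuple[bool, Optional[int]], Tuple[bool, Optional[int]], int]:
    """Constructed sample accesses; names and times are invented for the example."""
    log = AuditLog()
    log.record("Jane Doe", ["Dr. A. Smith"], "lab result",
               "2020-03-25T14:02:00+00:00")
    log.record("Jane Doe", ["Nurse B. Lee", "Clerk C. Ng"], "discharge summary",
               "2020-03-26T09:10:00+00:00")
    log.record("John Roe", ["Dr. A. Smith"], "imaging report",
               "2020-03-26T09:11:00+00:00")
    before = log.verify("Jane Doe")
    # Simulate an after-the-fact edit that drops one accessor from an entry.
    log._logs["Jane Doe"][1].accessed_by.remove("Clerk C. Ng")
    after = log.verify("Jane Doe")  # chain now breaks at index 1
    return before, after, len(log.accesses_by("Dr. A. Smith"))


if __name__ == "__main__":
    print(demo())
```

The per-individual chain maps directly onto the requirement to keep an audit log for each individual, while `accesses_by` answers the question an IPC investigation actually asks (which records did this user open?). In a real deployment the chain head would be anchored somewhere the application cannot rewrite (a separate write-once store, or a signed daily digest) so that an attacker with database access cannot simply recompute every hash.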
The idea of audit logs is not new. It has been the expectation of the IPC that custodians build the capacity to audit electronic access to PHI since it released Order HO-013 in 2014. Custodians have expended considerable effort in developing their electronic audit logging capacity over the past few years. While this amendment is not yet in force, it will reinforce the IPC’s expectation that custodians be able to audit electronic PHI access, and will likely foster custodians’ efforts in this regard.
As a practical matter, creating and maintaining such audit logs may be difficult for custodians that rely on numerous electronic health record systems, including many that are older and have limited auditing capabilities. In light of this challenge, custodians could begin by taking the following steps:
- make a list of all of their electronic systems that contain PHI;
- assess the auditing capacities of those systems;
- identify which systems should be prioritized for creating or upgrading existing auditing capabilities. This assessment should take into account costs and risk factors (sensitivity of PHI, number of users, frequency of use, existing audit logging capabilities); and
- explore possible audit solutions, such as third party auditing software or software offered by existing electronic system vendors.
The amendments to PHIPA reflect the objectives of encouraging compliance with PHIPA and moving toward better management of electronic health records. Ontario is signalling to custodians that they need to start exploring how they will provide individuals with electronic access to their health records. At the same time, the emphasis on the need for electronic audit logs, and the regulation of consumer electronic service providers, suggest that the move towards greater access to electronic records should not come at the expense of strong security and safety measures. It will be important to pay attention to the pending changes to PHIPA regulations that will enable the implementation of these amendments. The devil will be in the details.