Amendment of Regulation O. Reg. 329/04 (General) under the Personal Health Information Protection Act, 2004 (PHIPA) to Enable Proclamation of Part V.1 of PHIPA
Regulation - LGIC
Bill or Act:
Personal Health Information Protection Act, 2004
Summary of Decision:
The proclamation of Part V.1 under PHIPA along with amendments of O. Reg. 329/04 (General) under PHIPA came into force on October 1, 2020 and temporary regulations Section 6.2 under O. Reg. 329/04 of PHIPA were repealed. The approved regulations were filed on October 1, 2020 as O. Reg. 534/20.
Analysis of Regulatory Impact:
The proposed regulatory amendments have no additional costs or burdens on the public. There will be no impacts on administrative costs or fiscal implications within the government. Ontario Health will be impacted as the prescribed organization responsible for managing the electronic health record but the impact is within expected business planning. Ontario Health- Digital Services assumed the former eHealth Ontario's function of operating the provincial electronic health record which supports the delivery of integrated health care. Ontario Health- Digital Services is ensuring business operations and planning remains continuous. Additional administrative costs are expected to be minimal.
May 26, 2020
Summary of Proposal:
The amendments to the existing regulation include clarifying that the requirement on a health information custodian (HIC) to notify the IPC of the existence of a circumstance set out in s. 6.3 (1) of the Regulation shall be done at the first reasonable opportunity and a new paragraph under s. 6.4 (1) of the Regulation adding that personal health information collected from the electronic health record (EHR) without authority must be included in the annual report that health information custodians must provide to the Commissioner as outlined in that section.
The new provisions to enable proclamation and implementation of Part V.1:
Name Ontario Health as the prescribed organization under Part V.1 of PHIPA.
Establish prescribed data elements that may be used for unique identification of individuals for the purposes of collecting their information by means of the EHR
Clarify that HICs collecting from the EHR are required to notify the Commissioner under any circumstances where they would be required to notify the Commissioner if the collection were for a use or disclosure outlined in s.6.3 of the Regulation [on loss, theft, etc. of information], and to do so at the earliest opportunity.
Set a series of requirements for consent directives under the EHR:
o Require the prescribed organization to put into place practices and procedures for the purposes of managing consent directives that are approved by the Commissioner under paragraph 14 of section 55.3 and s. 55.12 of the Act.
o Set the level of specificity ["granularity"] at which the prescribed organization is required to implement consent directives of individuals, and to prescribe the data elements in section 18.2 as not being subject to any consent directive.
o Require the prescribed organization to maintain existing consent directives if the individuals so desire, and to ensure that existing consent directives apply to information newly entered into the EHR;
Set the requirements of notices of override of consent directives for the purposes of ss. 55.7 (6), 55.7 (7)(a), and 55.7 (7)(b).
Exempt HICs that disclosed information that was collected from the EHR from ss. 12 (1) and 12 (3) of the Act where a health information custodian that collected personal health information is required to notify an individual under s. 55.5 (7)(a) or to notify the Commissioner under s. 55.5 (7)(b) of the Act.
Set out a variety of regulatory provisions for coroners accessing the EHR for the purposes of the Coroners Act:
o Require a coroner to whom the prescribed organization provides information under section 55.9.1 (1) of the Act to comply with section 11.1, subsections 12 (1) and (3), subsection 13 (1) and sections 17, 17.1, 30 and 31 of the Act as if the coroner were a health information custodian.
o Clarify that a coroner acting under the Coroners Act may only use and disclose information for the purposes for which the information was collected.
o Require the coroner to comply with the obligations set out in subsection 12 (1) of the Act with respect to the transmitted information, regardless of whether the coroner has viewed, handled or otherwise dealt with the information, if a coroner requests that prescribed organization transmit personal health information to the coroner by means of the EHR and the prescribed organization transmits the information as requested.
Christine Sham, Director
Information Management Strategy and Policy Branch
Digital Health Division
Ministry of Health
1075 Bay St., 13th floor
Toronto, ON M5S 2B1
October 1, 2020