Ontario Gazette Volume 158 Issue 33 | August 16 2025

Government Notices — Other

Notice of Minister of Health

Notice of Proposed Regulation

Personal Health Information Protection Act, 2004

The Minister of Health on behalf of the Government of Ontario invites public comments on two amending regulations proposed to be made under the Personal Health Information Protection Act, 2004 (“PHIPA”).

PHIPA came into force on November 1, 2004. Ontario Regulation 329/04 (General) made under PHIPA (“the PHIPA General Regulation”) also originally came into force on November 1, 2004. PHIPA requires that the Minister publish a notice of the proposed amending regulations and allow 60 days for public comment and submissions after which time, the Minister is required to consider whatever comments and submissions are received and make a report to the Lieutenant Governor in Council regarding any potential changes to the proposed regulation that the Minister considers appropriate. Subsequently, the Lieutenant Governor in Council may exercise the discretion to make the regulation with any changes that the Lieutenant Governor in Council considers appropriate.

Content of Proposed Amending Regulations

The proposed regulation would support the coming into force of various recent amendments that were made to PHIPA as part of Schedule 6 of the More Convenient Care Act, 2025. Specifically, the proposed regulation would support amendments made to the digital health identifier (DHI) components of PHIPA contained in Part V.2 of the Act as well as to support provisions designed to enable access to personal health information (PHI) contained in the provincial Electronic Health Record (EHR) in PHIPA, in order to support better patient access to personal health information in Ontario.

The proposed regulation would amend O. Reg. 329/04 (General) made under PHIPA to:

1. Enable and provide additional authorities for Ontario Health (OH) to operate, support and provide activities related to the DHI as well as with respect to DHI records.
2. Enable OH to provide individual access to specified repositories of PHI contained in the provincial EHR and certain electronic audit records kept by OH.

If approved, the proposed amending regulation would:

• Define “digital means of access” for purposes of O._Reg.329/04 under PHIPA;
• Prescribe OH and its agents as persons who may collect and use an individual’s health number for purposes related to the electronic health record;
• Prescribe OH and its agents as persons who may, with express consent, collect and use an individual’s health number for the DHI-related purposes, as well as permitting OH and its agents to disclose, with express consent, an individual’s health number to the Minister of Health for specified purposes, including providing validation and verification services, and for verifying an individual’s identity in specified circumstances;
• Specify that the provisions of Part III of the Act apply to Ontario Health, with necessary modifications, when it is carrying out its powers, functions and responsibilities as the prescribed organization under any other Part of the Act and under the proposed Regulation;
• Specify the types of EHR records to which individuals have a right of access pursuant to subsection 51(5) of PHIPA;
• Provide for the types of means by which individuals can access their records of PHI contained in the EHR – e.g., via a digital means of access or via an alternative means, as well as requiring OH to publish instructions for individuals who cannot or do not wish to use the digital means of access;
• For EHR records, clarify that OH is not required to consider the exceptions to the right to access listed in PHIPA s. 52(1) but that OH would be required to notify health information custodians (HICs) that provide records to the EHR (“Contributing HICs”) that access may be provided and where the custodian does not identify an exception, provide access to the record;
• Specify OH’s responsibilities vis-à-vis Contributing HICs and individuals seeking their records upon disabling access through the digital means of access;
• Exempt OH from the requirement in PHIPA s. 52(1.1) to provide the records through the digital means of access in the electronic formats specified in that subsection;
• Exempt OH from subsections s. 52(4) to (7) when providing access to records;
• For the EHR audit records, require OH to provide access to both the actual record and summaries of such records;
• Require OH to provide only EHR audit records and their summaries generated on or after January 1, 2024;
• Specify the digital health identifier records to which the right of access in s. 51(7) applies;
• Establish new annual reporting requirements by OH to the Information and Privacy Commissioner of Ontario related to:
  • The number of access requests, refusals and other metrics related to records of PHI contained in the EHR, EHR audit logs and DHI records; and
  • The number of instances in which DHI records were stolen, lost, collected, used or disclosed without authority, as well as instances in which PHI was collected by OH for DHI purposes without authority;
• Specify the effects of the withdrawal of an individual’s consent to OH’s collection, use or disclosure of the individual’s PHI, as well as their health number, for DHI-related purposes, as well as specifying limited exceptions regarding retention, maintenance and disposal of PHI as well as incident and breach management activities;
• Prescribe the circumstances in which OH is required to notify the Information and Privacy Commissioner of Ontario regarding matters involving theft, loss or unauthorized use or disclosure of DHI records;
• Specify the circumstances in which OH must perform assessments related to the threats, vulnerabilities, risks, security and privacy of individuals with respect to DHI activities carried out by OH; and
• Allow OH and its agents to collect, use and disclose an individual’s PHI, with their express consent, for purposes of verifying the identity of individuals in certain specified circumstances related to the provincial EHR and accessing such records.

The public is invited to provide written comments on the proposed regulation over a 60-day period, commencing on August 16, 2025, and ending on October 15, 2025.

In providing comments, please consider whether the proposed amending regulation should be made, with or without any specified changes. Furthermore, please consider whether any other specified amendments should be made to the O. Reg. 329/04 made under PHIPA, or if any further legislative amendments should be contemplated to PHIPA. Please be as specific as possible and provide a full rationale for any suggested changes or additions.

Written comments may be addressed to:

Digital Health Program Branch
Ministry of Health
Digital and Analytics Strategy Division
222 Jarvis Street, 7^th Floor
Toronto ON M7A 0B6
Email: digitalhealthprogrambranch@ontario.ca

The text of the proposed amending regulations are set out following this notice in English and French. We welcome your input in either English or French. All comments and submissions received during the comment period will be considered during final preparation of the regulations. The content, structure and form of the proposed regulations is subject to change as a result of the consultation process and is in the discretion of the Lieutenant Governor in Council, who has the final decision on the contents of any regulation.

Information respecting PHIPA and O. Reg. 329/04 made under PHIPA, and electronic copies of this notice, including the text of the proposed regulation, may be accessed through Ontario’s Regulatory Registry website at the following address: https://www.ontariocanada.com/registry.

Copies of PHIPA and O. Reg. 329/04 made under PHIPA are available at www.e-laws.gov.on.ca.

Please note that all materials or comments received from organizations in response to this Notice will be considered public information and may be used and disclosed by the Ministry to assist the Ministry in evaluating and revising the proposed regulation. This may involve disclosing materials or comments, or summaries of them, to other interested parties during and after the request for public comment process. An individual who provides materials or comments and who indicates an affiliation with an organization will be considered to have submitted those comments or materials on behalf of the organization so identified. Materials or comments received from individuals who do not indicate an affiliation with an organization will not be considered public information unless expressly stated otherwise by the individual. However, materials or comments provided by individuals may be used and disclosed by the Ministry to assist in evaluating and revising the proposed regulation. Personal information of those who do not specify an organizational affiliation, such as an individual’s name and contact details, is collected by the Ministry under the authority of subsection 38(2) of the Freedom of Information and Protection of Privacy Act and subsection 74(1) of the Personal Health Information Protection Act, 2004, and will not be disclosed by the Ministry without the individual’s consent unless required by law. If you have any questions about the collection of this information, you can contact the Freedom of Information and Privacy Coordinator of the Ministry of Health at 416-327-7040.

The Honourable Sylvia Jones
Minister of Health

Caution:

This consultation draft is intended to facilitate dialogue concerning its contents. Should the decision be made to proceed with the proposal, the comments received during consultation will be considered during the final preparation of the regulation. The content, structure, form and wording of the consultation draft are subject to change as a result of the consultation process and as a result of review, editing and correction by the Office of Legislative Counsel.

consultation draft

ontario regulation

to be made under the

personal health information protection act, 2004

Amending O. Reg. 329/04

(general)

1.  Ontario Regulation 329/04 is amended by adding the following section:

Definition for the purposes of this Regulation

1.1  In this Regulation,

“digital means of access” means a digital means of access made available by the Agency in accordance with subsection 18.1.1 (3).

2.  The Regulation is amended by adding the following sections:

Health number collection and use for purposes related to electronic health record

11.1  The Agency and any of its agents are prescribed persons for the purposes of clause 34 (2) (e) of the Act.

Health number collection and use by Agency

11.2  (1)  For the purposes of clause 34 (2) (f) of the Act, the Agency and any of its agents may, with an individual’s express consent, collect or use the individual’s health number for the purpose of carrying out the Agency’s powers or duties under Part V.2 of the Act.

(2)  In this section,

“agent”, in relation to the Agency, means a person that, with the authorization of the Agency, acts for or on behalf of the Agency in respect of personal health information for the purposes of the Agency, and not the agent’s own purposes, whether or not the agent has the authority to bind the Agency, whether or not the agent is employed by the Agency and whether or not the agent is being remunerated.

3.  (1)  Section 12 of the Regulation is amended by adding the following subsections:

(2)  Despite subsection 34 (3) of the Act, the Agency and any of its agents may disclose a health number of an individual that the Agency has custody or control of if,

1. the individual gives their express consent to the disclosure; and
2. the disclosure is made to the Minister for the purpose of assisting the Agency in,
   1. providing validation and verification services,
   2. verifying the identity of an individual who contacted the Agency because they were experiencing issues accessing the digital means of access referred to in subsection 18.1.1 (3), or
   3. verifying the identity of an individual who is seeking access to electronic records kept by the Agency under paragraph 4, 5 or 6 of section 55.3 of the Act.

(3)  In this section,

“agent”, in relation to the Agency, means a person that, with the authorization of the Agency, acts for or on behalf of the Agency in respect of personal health information for the purposes of the Agency, and not the agent’s own purposes, whether or not the agent has the authority to bind the Agency, whether or not the agent is employed by the Agency and whether or not the agent is being remunerated.

(2)  Clause 12 (2) (b) of the Regulation, as made by subsection (1), is amended by striking out “or” at the end of subclause (ii), by adding “or” at the end of subclause (iii) and by adding the following subclause:

4. verifying the identity of an individual who is seeking to use an alternative process described in clause 18.1.1 (3) (b).

4.  Section 18.1 of the Regulation is revoked and the following substituted:

Prescribed organization

18.1  (1)  The Agency is prescribed as the prescribed organization for the purposes of the Act.

(2)  Subject to subsection (3), the provisions of Part III of the Act apply to the Agency, with necessary modifications, when it is carrying out its powers, functions and responsibilities as the prescribed organization under any other Part of the Act and under this Regulation.

(3)  Section 55.18 of the Act describes how the provisions of Part III of the Act apply to the Agency when it acts under Part V.2 of the Act.

5.  (1)  The Regulation is amended by adding the following sections:

Application of s. 51 (5) of the Act

18.1.1  (1)  This section applies to the Agency when it is acting as the prescribed organization under subsection 51 (5) of the Act.

(2)  Subsection 51 (5) of the Act provides a right of access to only the following records:

1. Records that are derived from the Digital Health Drug Repository, or a successor repository, and that are provided to the electronic health record by the Minister.
2. Records that are derived from the Ontario Laboratories Information System, or a successor repository, and that are provided to the electronic health record by the Minister.

(3)  The Agency shall make available a digital means of access to permit individuals, who have a digital health identifier and who are specified by the Agency on the Agency’s website, to access, in accordance with the requirements in Part V of the Act and in this section, the records described in subsection (2).

(4)  The Agency shall publish instructions on the Agency’s website to instruct persons who wish to access the records described in subsection (2), but who cannot or do not wish to use the digital means of access, on how to request access to the records from the applicable health information custodian or custodians.

(5)  The Agency,

1. shall respond to requests for access to the records described in subsection (2) through the digital means of access if the request is made by an individual specified by the Agency who has a digital health identifier, and shall act as if it is a health information custodian in providing access to those records through the digital means of access; and
2. is not required to respond to any other requests for access to the records.

(6)  The Agency is not required to consider the exceptions from the right to access a record listed in clauses 52 (1) (a) to (f) of the Act, but shall,

1. ensure that the health information custodian that provides the personal health information to the electronic health record has been notified that the Agency may provide access to the record of personal health information pursuant to Part V of the Act; and
2. if the health information custodian does not identify an exception listed in clauses 52 (1) (a) to (f) of the Act that applies, provide access to the record in accordance with Part V of the Act and this section.

(7)  The Agency is exempt from the requirement in subsection 52 (1.1) of the Act to provide the records through the digital means of access in the electronic formats specified in that subsection.

(8)  The Agency is exempt from subsections 52 (4) to (7) of the Act when providing access to the records.

(9)  In this section,

“electronic health record” has the same meaning as in section 55.1 of the Act.

Notification and disabling of access if exception applies

18.1.2  (1)  A health information custodian may notify the Agency if the custodian determines that an exception listed in clauses 52 (1) (a) to (f) of the Act applies to one of the records the custodian provides to the electronic health record.

(2)  The right of an individual to access a record described in subsection 51 (5) of the Act through the digital means of access, including the right to access a part of such a record through the digital means of access that has been severed in accordance with subsection 52 (2) of the Act, does not apply to a record in a repository referred to in subsection 18.1.1 (2) of this Regulation if any of the individual’s records in that repository have been the subject of a notification under subsection (1).

(3)  If the Agency receives a notice under subsection (1), the Agency shall,

1. provide updates to the health information custodian who provided the notice to determine whether the exception is still applicable at least once every two weeks or in accordance with such other timeframe to which the Agency and the custodian may agree; and
2. redirect the individual to the health information custodian or custodians that provided the applicable records so that the individual can request the records directly from them in accordance with Part V of the Act.

(4)  Despite subsection (3), if an individual’s access through the digital means to records in a repository referred to in subsection 18.1.1 (2) has been disabled because one of their records was the subject of a notification under subsection (1), the Agency shall restore the individual’s access through the digital means of access and shall cease providing updates and redirection under subsection (3) if,

1. the health information custodian who provided the notice indicates that the exceptions listed in clauses 52 (1) (a) to (f) of the Act no longer apply to the record; and
2. no other exceptions listed in clauses 52 (1) (a) to (f) of the Act have been identified as applying to any of the affected individual’s records in that repository.

(5)  In this section,

“electronic health record” has the same meaning as in section 55.1 of the Act.

Application of s. 51 (6) of the Act

18.1.2.1  (1)  This section applies to the Agency when it is acting as the prescribed organization under subsection 51 (6) of the Act.

(2)  When the Agency provides access to a record described in subsection 51 (6) of the Act, it shall also provide access to a summary of the record.

(3)  Despite subsection 51 (6) of the Act and subsection (2) of this section, the Agency is not required to provide records described in subsection 51 (6) of the Act, and any summaries of those records, in respect of any period before January 1, 2024.

Exceptions for s. 51 (7) of the Act

18.1.2.2  Subsection 51 (7) of the Act applies with respect to the following digital health identifier records:

1. Records related to a change in the identifying information used in the creation or maintenance of the digital health identifier.
2. Records of consents that have been given or withdrawn in relation to the digital health identifier.
3. Records related to validation and verification services.
4. Records of the date on which a digital health identifier was used to access the digital means of access.

Annual report to Commissioner

18.1.2.3  (1)  The Agency shall provide an annual report to the Commissioner with respect to the previous calendar year.

(2)  The annual report must specify,

1. the number of requests the Agency has received in the year for records described in subsections 51 (5), (6) and (7) of the Act;
2. the number of refusals by the Agency to disclose records described in subsections 51 (5), (6) and (7) of the Act, the provisions of the Act under which disclosure was refused and the number of occasions on which each provision was invoked;
3. any other information indicating an effort by the Agency to put into practice the purposes of the Act; and
4. any other metrics or indicators specified by the Commissioner.

(3)  The Agency shall provide the report to the Commissioner on or before March 1 in each year starting in 2027 by the electronic means and in a format determined by the Commissioner.

Auditing and records of digital health identifiers

18.1.2.4  (1)  The Agency shall audit and monitor the electronic records that it is required to keep for the purpose of providing digital health identifier activities.

(2)  The Agency shall keep an electronic record of all of the records described in section 18.1.2.2.

(2)  Paragraph 1 of subsection 18.1.1 (2) of the Regulation, as made by subsection (1), is revoked and the following substituted:

1. Records that are derived from the Digital Health Drug Repository or a successor repository.

(3)  Subsection 18.1.1 (3) of the Regulation, as made by subsection (1), is revoked and the following substituted:

(3)  The Agency shall make available,

1. a digital means of access to permit individuals who have a digital health identifier to access the records described in subsection (2); and
2. an alternative process to permit individuals who cannot or do not wish to use the digital means of access to access the records described in subsection (2).

(4)  Subsection 18.1.1 (4) of the Regulation, as made by subsection (1), is revoked.

(5)  Subsection 18.1.1 (5) of the Regulation, as made by subsection (1), is revoked and the following substituted:

(5)  The Agency,

1. shall respond to requests for access to the records described in subsection (2) through the digital means of access if the request is made through the digital means of access by an individual who has a digital health identifier, and shall act as if it is a health information custodian in providing access to those records through the digital means of access;
2. shall respond to all requests for access to the records described in subsection (2) through the alternative process when that process is requested by the requesting individual and shall act as if it is a health information custodian in providing access to those records through the alternative process; and
3. is not required to respond to any other requests for access to the records.

(6)  Clause 18.1.2 (3) (b) of the Regulation, as made by subsection (1), is revoked and the following substituted:

(b) redirect the individual to the alternative process and provide the individual access through the alternative process to any of their records described in subsection (2),

1. that are not subject to an exception listed in clauses 52 (1) (a) to (f) of the Act, and
2. for which access through the digital means of access has been disabled.

(7)  Subsection 18.1.2.1 (3) of the Regulation, as made by subsection (1), is revoked.

6.  (1)  The Regulation is amended by adding the following sections:

Effect of withdrawal of consent

18.12  (1)  This section applies if an individual with a digital health identifier withdraws their consent for the Agency to,

1. collect, use or disclose the individual’s personal health information under section 55.17 of the Act for the purpose of carrying out digital health identifier activities; or
2. collect or use the individual’s health number under section 11.2 of this Regulation for the purpose of carrying out the Agency’s powers or duties under Part V.2 of the Act.

(2)  Despite the withdrawal of consent, the Agency may continue to use the applicable personal health information for the following purposes:

1. Retention, maintenance and disposal of the personal health information.
2. Incident and breach management activities, including maintenance, auditing and responding to such incidents or breaches.

Notice to Commissioner, s. 55.24 (3) of the Act

18.13  (1)  The following are prescribed for the purposes of subsection 55.24 (3) of the Act as circumstances in which the Agency must notify the Commissioner:

1. The Agency has reasonable grounds to believe that a digital health identifier record was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority.
2. The Agency has reasonable grounds to believe that a digital health identifier record was stolen.
3. The Agency has reasonable grounds to believe that, after an initial loss or unauthorized use or disclosure of a digital health identifier record, the digital health identifier record was or will be further used or disclosed without authority.
4. The loss or unauthorized use or disclosure of a digital health identifier record is part of a pattern of similar losses or unauthorized uses or disclosures of digital health identifier records in the custody or control of the Agency.
5. The Agency determines that the loss or unauthorized use or disclosure of a digital health identifier record is significant after considering all relevant circumstances, including the following:
   1. Whether the personal health information that was lost or used or disclosed without authority is sensitive.
   2. Whether the loss or unauthorized use or disclosure involved a large volume of personal health information.
   3. Whether the loss or unauthorized use or disclosure involved many individuals’ personal health information.
   4. Whether one or more agents of the Agency were responsible for the loss or unauthorized use or disclosure of the digital health identifier record.

(2)  The Agency shall notify the Commissioner of the existence of a circumstance set out in subsection (1) at the first reasonable opportunity.

Annual report by Agency re: theft, loss, etc.

18.14  (1)  On or before March 1 in each year starting in 2027, the Agency shall provide the Commissioner with a report setting out the number of times in the previous calendar year that each of the following occurred:

1. Digital health identifier records were stolen.
2. Digital health identifier records were lost.
3. Digital health identifier records were used without authority.
4. Digital health identifier records were disclosed without authority.
5. Personal health information was collected by the Agency for the purposes of Part V.2 of the Act without authority.

(2)  The report shall be transmitted to the Commissioner by the electronic means and in a format determined by the Commissioner.

Digital health identifier activity assessment

18.15  The Agency shall perform the assessments described in subsection 55.25 (1) of the Act at the following times:

1. Before the Agency first begins to collect, use and disclose personal health information for the purpose of providing digital health identifier activities.
2. Whenever a new significant security threat to the Agency’s digital health identifier activities is identified.
3. Before the second anniversary of the day this section came into force and at least once within every two-year period after that day.

Collection and use by Agency, access requests and issues with access

18.16  (1)  The Agency and any of its agents may, with the express consent of the individual to whom the personal health information relates, collect or use personal health information for the purposes of verifying the identity of an individual who,

1. contacted the Agency because they were experiencing issues accessing the digital means of access referred to in subsection 18.1.1 (3); or
2. is seeking access to electronic records kept by the Agency under paragraph 4, 5 or 6 of section 55.3 of the Act.

(2)  The Agency and any of its agents, may, with the express consent of the individual to whom the personal health information relates, disclose personal health information to the Minister for the purposes of verifying the identity of an individual described in subsection (1).

(2)  Subsection 18.16 (1) of the Regulation, as made by subsection (1), is amended by striking out “or” at the end of clause (a), by adding “or” at the end of clause (b) and by adding the following clause:

3. verifying the identity of an individual who is seeking to use an alternative process described in clause 18.1.1 (3) (b).

Revocation

7.  Subsection 1 (1) of Ontario Regulation 394/22 is revoked.

Commencement

8.  [Commencement]

(158-G183E)

Marriage Act

certificate of permanent registration as a person authorized to solemnize marriage in Ontario have been issued to the following:

July 28, 2025 to August 03, 2025

Re-Registrations

certificates of temporary registration as person authorized to solemnize marriage in Ontario have been issued to the following:

July 28, 2025 to August 03, 2025

certificate of cancellation of registration as a person authorized to solemnize marriage in Ontario have been issued to the following:

July 28, 2025 to August 03, 2025

Sirad Mohamoud
Deputy Registrar General

(158-G184)