GENERAL

Personal Health Information Protection Act, 2004

ONTARIO REGULATION 329/04

general

Historical version for the period April 30, 2018 to August 7, 2019.

Last amendment: 181/18.

Legislative History: 245/06, 537/06, 322/07, 340/08, 447/08, 424/09, 127/10, 141/11, 331/11 (as am. by 367/13, 269/14, 396/15, 475/16, 538/17), 397/15, 117/17, 224/17, CTR 18 JL 17 - 2, 538/17, 181/18.

This is the English version of a bilingual regulation.

CONTENTS

1.

Definitions for the purposes of the Act

2.

Exemptions, “health care practitioner”

3.

Health information custodians

5.

Prevail over Act

6.

Persons who provide to custodians

6.1

eHealth Ontario

6.2

eHealth Ontario

6.3

Notice to Commissioner, subs. 12 (3) of the Act

6.4

Annual report re: theft, loss, etc.

7.

Exception to s. 17 (2) of the Act

8.

s. 18 (4) (c) of the Act

8.1

Notification if no consent

10.

Fundraising

11.

Health number collection

12.

Disclosure of health number

13.

Registries of personal health information

14.

Archives

15.

Research ethics boards

16.

Requirements for research plans

17.

Disclosure by researcher

18.

Prescribed entities for the purposes of s. 45 (1) of the Act

20.

Information received before commencement

21.

Exceptions to restrictions on recipients

22.

Extent of use or disclosure by recipient

23.

Freedom of information legislation

24.

Exclusions from access provisions

25.

Canadian Blood Services

 

Definitions for the purposes of the Act

1. (1) In the definition of “health care” in section 2 of the Act,

“a procedure that is done for a health-related purpose” includes taking a donation of blood or blood products from an individual.  O. Reg. 329/04, s. 1 (1).

(2) For the purposes of the Act,

“marketing” does not include,

(a) a communication by a health care practitioner who provides insured services within the meaning of the Health Insurance Act to an individual or a member of the individual’s family or household by which the practitioner makes available to those persons an arrangement whereby they may receive ancillary uninsured services for a block fee or on the basis of a set fee for service, or

(b) a communication by the Canadian Blood Services for the purpose of recruiting donors of blood, blood products or hematopoietic progenitor cells.  O. Reg. 329/04, s. 1 (2).

(3) In the definition of “disclose” in section 2 of the Act, the expression “to make the information available or to release it to another health information custodian or to another person” does not include a person’s providing personal health information to someone who provided it to or disclosed it to the person, whether or not the personal health information has been manipulated or altered, if it does not contain any additional identifying information.  O. Reg. 329/04, s. 1 (3).

(3.1) In paragraph 4 of the definition of “health information custodian” in subsection 3 (1) of the Act,

“person who operates” includes, with respect to a psychiatric facility within the meaning of the Mental Health Act, the officer in charge of the facility within the meaning of the Mental Health Act.  O. Reg. 537/06, s. 1.

(4) Revoked:  O. Reg. 322/07, s. 1 (1).

(5) For the purposes of subsection 7 (3) of the Act, if the Act or its regulations provides that an action, including a collection, use or disclosure, may be taken, and another Act or regulation provides that it may not be taken, then “it is not possible to comply with both”.  O. Reg. 329/04, s. 1 (5).

(5.1) In subsection 13 (1) of the Act,

“disposed of in a secure manner” does not include, in relation to the disposition of records of personal health information, the destruction of the records unless the records are destroyed in such a manner that the reconstruction of the records is not reasonably foreseeable in the circumstances.  O. Reg. 537/06, s. 1.

(6) For the purposes of clause 18 (4) (c) of the Act,

“information about an individual’s state of health” does not include information about medication or related goods or services provided by a member of the Ontario College of Pharmacists to the individual that the member discloses to a third party who is being requested to provide payment for the medication or related goods or services.  O. Reg. 329/04, s. 1 (6).

(7) For the purposes of paragraph 5 of subsection 23 (1) of the Act,

“a person whom an Act of Ontario or Canada authorizes or requires to act on behalf of the individual” includes a person who is an agent for the purposes of section 157 of the Drug and Pharmacies Regulation Act where the consent under section 23 of the Personal Health Information Protection Act, 2004 relates to a prescription being presented to a pharmacist to be dispensed.  O. Reg. 329/04, s. 1 (7).

(8) For the purposes of subsections 34 (2) and (3) of the Act,

“a person who is not a health information custodian” does not include,

(a) Revoked:  O. Reg. 322/07, s. 1 (2).

(b) the individual or the individual’s substitute decision-maker in respect of the individual’s health number.  O. Reg. 329/04, s. 1 (8); O. Reg. 322/07, s. 1 (2).

(8.1) In subclause 36 (1) (b) (i) of the Act,

“accurate” means, with respect to personal health information, correct and sufficient for the purposes for which the information is reasonably required.  O. Reg. 537/06, s. 1.

(8.2) Revoked:  O. Reg. 322/07, s. 1 (3).

(9) Revoked:  O. Reg. 322/07, s. 1 (4).

(10) For the purposes of subsections 42 (1) and (2) of the Act, “potential successor” and “successor” mean a potential successor or a successor that is a health information custodian or that will be a health information custodian if it becomes the successor.  O. Reg. 329/04, s. 1 (10).

(11) For the purposes of subsection 51 (3) of the Act,

“health information custodian acting as an agent of an institution” means a health care practitioner who is acting as part of the institution.  O. Reg. 537/06, s. 1.

Exemptions, “health care practitioner”

2. The following persons are not health care practitioners under clause (d) of the definition of “health care practitioner” in section 2 of the Act:

1. Persons providing fitness or weight-management services.  O. Reg. 329/04, s. 2.

Health information custodians

3. (1) The Canadian Blood Services is prescribed as a health information custodian, and is prescribed as a single health information custodian with respect to all its functions.  O. Reg. 329/04, s. 3 (1).

(2) A health information custodian described in paragraph 6 of subsection 3 (1) of the Act shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3) and clause 38 (1) (a) of the Act.  O. Reg. 424/09, s. 1.

(3) The Ontario Agency for Health Protection and Promotion,

(a) is prescribed as a health information custodian;

(b) is prescribed as a single health information custodian with respect to all its functions; and

(c) shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3) and clause 38 (1) (a) of the Act.  O. Reg. 447/08, s. 1.

(4) The Minister of Health Promotion, together with the Ministry of Health Promotion, if the context so requires, is prescribed as,

(a) a health information custodian; and

(b) a single health information custodian with respect to all functions of the Minister and the Ministry.  O. Reg. 537/06, s. 2.

(5) The Ontario Air Ambulance Services Corporation,

(a) is prescribed as a health information custodian;

(b) is prescribed as a single health information custodian with respect to all of its functions; and

(c) shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3) and clause 38 (1) (a) of the Act.  O. Reg. 537/06, s. 2.

(6) Every municipality that operates a communications service within the meaning of the Ambulance Act is prescribed as,

(a) a health information custodian; and

(b) a single health information custodian with respect to all of its functions in operating the communications service.  O. Reg. 537/06, s. 2.

(7) Every person who, as a result of the bankruptcy or insolvency of a health information custodian, obtains complete custody or control of records of personal health information held by the health information custodian, is prescribed as the health information custodian with respect to those records.  O. Reg. 537/06, s. 2.

(8) Every local health integration network,

(a) is prescribed as a health information custodian;

(b) is prescribed as a single health information custodian with respect to all of its functions; and

(c) shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3), clause 38 (1) (a) and subclause 39 (1) (d) (i) of the Act. O. Reg. 117/17, s. 1.

4. Revoked:  O. Reg. 127/10, s. 1.

Prevail over Act

5. (1) The confidentiality requirements in the following provisions prevail over the Act:

1. Section 227 of the Child, Youth and Family Services Act, 2017.

2. Subsection 85.3 (4) of the Health Professions Procedural Code set out in Schedule 2 to the Regulated Health Professions Act, 1991.

3. Subsection 19 (8) of the Remedies for Organized Crime and Other Unlawful Activities Act, 2001.

3.1 Subsection 44 (3) of the Social Work and Social Service Work Act, 1998.

4. Subsection 181 (3) of the Workplace Safety and Insurance Act, 1997.  O. Reg. 329/04, s. 5; O. Reg. 537/06, s. 3 (1); O. Reg. 424/09, s. 2; O. Reg. 181/18, s. 1.

(2) Section 5 of the Trillium Gift of Life Network Act prevails over the Personal Health Information Protection Act, 2004 in the event of a conflict.  O. Reg. 537/06, s. 3 (2).

Persons who provide to custodians

6. (1) Except as otherwise required by law, the following are prescribed as requirements for the purposes of subsection 10 (4) of the Act with respect to a person who supplies services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, and who is not an agent of the custodian:

1. The person shall not use any personal health information to which it has access in the course of providing the services for the health information custodian except as necessary in the course of providing the services.

2. The person shall not disclose any personal health information to which it has access in the course of providing the services for the health information custodian.

3. The person shall not permit its employees or any person acting on its behalf to be able to have access to the information unless the employee or person acting on its behalf agrees to comply with the restrictions that apply to the person who is subject to this subsection.  O. Reg. 329/04, s. 6 (1).

(2) In subsection (3),

“health information network provider” or “provider” means a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.  O. Reg. 329/04, s. 6 (2).

(3) The following are prescribed as requirements with respect to a health information network provider in the course of providing services to enable a health information custodian to use electronic means to collect, use, disclose, retain or dispose of personal health information:

1. The provider shall notify every applicable health information custodian at the first reasonable opportunity if,

i. the provider accessed, used, disclosed or disposed of personal health information other than in accordance with paragraphs 1 and 2 of subsection (1), or

ii. an unauthorized person accessed the personal health information.

2. The provider shall provide to each applicable health information custodian a plain language description of the services that the provider provides to the custodians, that is appropriate for sharing with the individuals to whom the personal health information relates, including a general description of the safeguards in place to protect against unauthorized use and disclosure, and to protect the integrity of the information.

3. The provider shall make available to the public,

i. the description referred to in paragraph 2,

ii. any directives, guidelines and policies of the provider that apply to the services that the provider provides to the health information custodians to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information, and

iii. a general description of the safeguards implemented by the person in relation to the security and confidentiality of the information.

4. The provider shall to the extent reasonably practical, and in a manner that is reasonably practical, keep and make available to each applicable health information custodian, on the request of the custodian, an electronic record of,

i. all accesses to all or part of the personal health information associated with the custodian being held in equipment controlled by the provider, which record shall identify the person who accessed the information and the date and time of the access, and

ii. all transfers of all or part of the information associated with the custodian by means of equipment controlled by the provider, which record shall identify the person who transferred the information and the person or address to whom it was sent, and the date and time it was sent.

5. The provider shall perform, and provide to each applicable health information custodian a written copy of the results of, an assessment of the services provided to the health information custodians, with respect to,

i. threats, vulnerabilities and risks to the security and integrity of the personal health information, and

ii. how the services may affect the privacy of the individuals who are the subject of the information.

6. The provider shall ensure that any third party it retains to assist in providing services to a health information custodian agrees to comply with the restrictions and conditions that are necessary to enable the provider to comply with this section.

7. The provider shall enter into a written agreement with each health information custodian concerning the services provided to the custodian that,

i. describes the services that the provider is required to provide for the custodian,

ii. describes the administrative, technical and physical safeguards relating to the confidentiality and security of the information, and

iii. requires the provider to comply with the Act and the regulations.  O. Reg. 329/04, s. 6 (3).

(4) A health information custodian who uses goods or services supplied by a person referred to in subsection 10 (4) of the Act, other than a person who is an agent of the custodian, for the purpose of using electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall not be considered in so doing to make the information available or to release it to that person for the purposes of the definition of “disclose” in section 2 of the Act if,

(a) the person complies with subsections (1) and (3), to the extent that either is applicable, in supplying services; and

(b) in the case of a person supplying goods to the health information custodian, the custodian does not, in returning the goods to the person, enable the person to access the personal health information except where subsection (1) applies and is complied with.  O. Reg. 329/04, s. 6 (4).

eHealth Ontario

6.1 eHealth Ontario shall put in place administrative, technical and physical safeguards, practices and procedures that have been reviewed by the Commissioner to protect both the privacy of the individuals in relation to whose personal health information it provides services and the confidentiality of such information, and that,

(a) permit compliance with the Act by health information custodians who rely on services supplied by eHealth Ontario to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information; and

(b) permit eHealth Ontario to comply with sections 6 and 6.2 of this Regulation, as applicable.  O. Reg. 340/08, s. 1; O. Reg. 331/11, s. 1 (1).

Note: On January 1, 2020, clause (b) is revoked and the following substituted: (See: O. Reg. 331/11, ss. 1 (2), 3 (2) (as am. by O. Reg. 367/13, s. 1, O. Reg. 269/14, s. 1, O. Reg. 396/15, s. 1, O. Reg. 475/16, s. 1 and O. Reg. 538/17, s. 1))

(b) permit eHealth Ontario to comply with section 6 of this Regulation.

eHealth Ontario

6.2 (1) Where a health information custodian provides personal health information to eHealth Ontario for the purpose of eHealth Ontario creating or maintaining one or more electronic health records, and eHealth Ontario satisfies the requirements listed in subsection (2),

(a) the health information custodian shall not be considered in so providing the personal health information to be making it available or to be releasing it to eHealth Ontario for the purposes of those expressions as used in the definition of “disclose” in section 2 of the Act;

(b) eHealth Ontario shall not be considered to be gathering, acquiring, receiving or obtaining the personal health information for the purposes of those expressions as used in the definition of “collect” in section 2 of the Act.  O. Reg. 331/11, s. 2 (1).

(2) eHealth Ontario shall comply with the following requirements in creating or maintaining one or more electronic health records:

1. It shall limit the personal health information it receives to that which is reasonably necessary for the purpose of creating or maintaining one or more electronic health records.

2. It shall not permit its employees or any other person acting on its behalf to access the personal health information received for the purpose of creating or maintaining one or more electronic health records unless the employee or person acting on behalf of eHealth Ontario agrees to comply with the restrictions that apply to eHealth Ontario.

3. It shall notify, at the first reasonable opportunity, every health information custodian that provided it with personal health information for the purpose of creating or maintaining one or more electronic health records if the personal health information is stolen, lost or accessed by unauthorized persons.

4. It shall make available, to the public and to each health information custodian that provided personal health information to it for the purpose of creating or maintaining one or more electronic health records,

i. a plain language description of the electronic health record, including a general description of the administrative, technical and physical safeguards in place to,

A. protect against theft, loss and unauthorized use or disclosure of personal health information contained in the electronic health record,

B. protect the electronic health record against unauthorized copying, modification or disposal, and

C. protect the integrity, security and confidentiality of the personal health information contained in the electronic health record, and

ii. any directives, guidelines and policies of eHealth Ontario that apply to the personal health information contained in the electronic health record to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information.

5. It shall take steps that are reasonable in the circumstances to keep an electronic record of all accesses to all or part of the personal health information contained in the electronic health record, and shall ensure that record identifies the person who accessed the information and the date, time and location of the access.

6. It shall perform, for each electronic health record created or maintained, an assessment with respect to,

i. threats, vulnerabilities and risks to the security and integrity of the personal health information contained in the electronic health record, and

ii. how the electronic health record may affect the privacy of the individuals who are the subject of the information.

7. It shall,

i. make available to each health information custodian that provides personal health information to it for the purposes of creating or maintaining one or more electronic health records a written copy of the results of the assessment carried out under paragraph 6 for each record created or maintained for that custodian, and

ii. make available to the public a summary of the results of the assessments carried out under paragraph 6.

8. It shall ensure that any third party it retains to assist in providing services for the purposes of creating or maintaining one or more electronic health records agrees to comply with the restrictions and conditions that are necessary to enable eHealth Ontario to comply with all these requirements.  O. Reg. 331/11, s. 2 (1).

(3) Section 6 does not apply to eHealth Ontario when it is creating or maintaining one or more electronic health records under this section.  O. Reg. 331/11, s. 2 (1).

(4) In this section,

“creating or maintaining one or more electronic health records” includes creating, integrating, managing, maintaining or servicing one or more electronic health records, and includes,

(a) conducting data quality assurance activities on the personal health information provided to eHealth Ontario by health information custodians, and

(b) conducting analyses of the personal health information in order to provide alerts and reminders to health information custodians who have provided personal health information to eHealth Ontario, for the custodian’s use in the provision of health care to individuals; (“créer ou tenir un ou plusieurs dossiers de santé électroniques”)

“electronic health record” means a record of personal health information created or maintained in electronic form by eHealth Ontario to enable health information custodians to use electronic means to disclose personal health information to one another for the purpose of providing or assisting in the provision of health care to the individual whose personal health information is contained in the record. (“dossier de santé électronique”)  O. Reg. 331/11, s. 2 (1).

Note: On January 1, 2020, section 6.2 is revoked. (See: O. Reg. 331/11, ss. 2 (2), 3 (2) (as am. by O. Reg. 367/13, s. 1, O. Reg. 269/14, s. 1, O. Reg. 396/15, s. 1, O. Reg. 475/16, s. 1 and O. Reg. 538/17, s. 1))

Notice to Commissioner, subs. 12 (3) of the Act

6.3 (1) The following are the circumstances in which a health information custodian is required to notify the Commissioner for the purposes of subsection 12 (3) of the Act:

1. The health information custodian has reasonable grounds to believe that personal health information in the custodian’s custody or control was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority.

2. The health information custodian has reasonable grounds to believe that personal health information in the custodian’s custody or control was stolen.

3. The health information custodian has reasonable grounds to believe that, after an initial loss or unauthorized use or disclosure of personal health information in the custodian’s custody or control, the personal health information was or will be further used or disclosed without authority.

4. The loss or unauthorized use or disclosure of personal health information is part of a pattern of similar losses or unauthorized uses or disclosures of personal health information in the custody or control of the health information custodian.

5. The health information custodian is required to give notice to a College of an event described in section 17.1 of the Act that relates to a loss or unauthorized use or disclosure of personal health information.

6. The health information custodian would be required to give notice to a College, if an agent of the health information custodian were a member of the College, of an event described in section 17.1 of the Act that relates to a loss or unauthorized use or disclosure of personal health information. 

7. The health information custodian determines that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including the following:

i. Whether the personal health information that was lost or used or disclosed without authority is sensitive.

ii. Whether the loss or unauthorized use or disclosure involved a large volume of personal health information.

iii. Whether the loss or unauthorized use or disclosure involved many individuals’ personal health information.

iv. Whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure of the personal health information. O. Reg. 224/17, s. 1.

(2) In this section,

“College” means a College as defined in subsection 17.1 (1) of the Act. O. Reg. 224/17, s. 1.

Annual report re: theft, loss, etc.

6.4 (1) On or before March 1 in each year starting in 2019, a health information custodian shall provide the Commissioner with a report setting out the number of times in the previous calendar year that each of the following occurred:

1. Personal health information in the custodian’s custody or control was stolen.

2. Personal health information in the custodian’s custody or control was lost.

3. Personal health information in the custodian’s custody or control was used without authority.

4. Personal health information in the custodian’s custody or control was disclosed without authority. O. Reg. 224/17, s. 1.

(2) The report shall be transmitted to the Commissioner by the electronic means and format determined by the Commissioner. O. Reg. 224/17, s. 1.

Exception to s. 17 (2) of the Act

7. The following are prescribed as exceptions to subsection 17 (2) of the Act:

1. An agent of a health information custodian to whom the custodian provides information to use for the purposes of clause 37 (1) (d) of the Act may use that information, together with other such information that the agent has received from other custodians to use for the purposes of that clause, for the purposes of systemic risk management analysis if,

i. the agent is the Canadian Medical Protective Association or the Healthcare Insurance Reciprocal of Canada, and

ii. the agent does not disclose personal health information provided to it by one health information custodian to another custodian.

2. An agent of a health information custodian may disclose personal health information acquired in the course of the agent’s activities for or on behalf of the custodian, as if the agent were a health information custodian for the purposes of,

i. subsection 40 (1) of the Act,

ii. clauses 43 (1) (b), (c) and (d) of the Act, or

iii. disclosures to the Public Guardian and Trustee or a children’s aid society under clause 43 (1) (e) of the Act.  O. Reg. 329/04, s. 7.

s. 18 (4) (c) of the Act

8. The disclosure of information by a member of the Ontario College of Pharmacists to a third party who is being requested to provide payment for medication or related goods or services provided to an individual is a prescribed type of disclosure for the purposes of clause 18 (4) (c) of the Act.  O. Reg. 329/04, s. 8.

Notification if no consent

8.1 For the purposes of subsection 20 (2) and clause 37 (1) (a) of the Act, if a health information custodian described in paragraph 1, 2, 3 or 4 of the definition of “health information custodian” in subsection 3 (1) of the Act or a health information custodian prescribed by subsection 3 (3) or (5) of this Regulation provides personal health information about an individual to an agent of the custodian for the purpose of providing health care or assisting in the provision of health care to the individual and if the custodian does not have the consent of the individual to provide all the personal health information about the individual that the custodian considers reasonably necessary for that purpose, the custodian shall notify the agent to whom the custodian provides the information of that fact.  O. Reg. 537/06, s. 5.

9. Revoked:  O. Reg. 322/07, s. 3.

Fundraising

10. (1) The following types of contact information are prescribed for the purposes of clause 32 (1) (b) of the Act:

1. The mailing address of the individual.

2. The name and mailing address of the individual’s substitute decision-maker.  O. Reg. 537/06, s. 6 (1).

(2) For the purposes of subsection 32 (2) of the Act, the following are prescribed as requirements and restrictions on the manner in which consent is obtained and the resulting collection, use or disclosure of personal health information:

1. Personal health information held by a health information custodian may only be collected, used or disclosed for the purpose of fundraising activities undertaken for a charitable or philanthropic purpose related to the custodian’s operations.

2. For personal health information collected on or after November 1, 2004, consent under clause 32 (1) (b) of the Act may only be inferred where,

i. the custodian has at the time of providing service to the individual, posted or made available to the individual, in a manner likely to come to the attention of the individual, a brief statement that unless he or she requests otherwise, his or her name and contact information may be disclosed and used for fundraising purposes on behalf of the custodian, together with information on how the individual can easily opt-out of receiving any future fundraising solicitations on behalf of the custodian, and

ii. the individual has not opted out within 60 days of when the statement provided under subparagraph i was made available to him or her.

2.1 For personal health information collected before November 1, 2004, a health information custodian is entitled to assume that it has the individual’s implied consent to use or disclose the individual’s name and contact information for the purpose of fundraising activities, unless the custodian is aware that the individual has expressly withheld or withdrawn the consent.

3. All solicitations for fundraising must provide the individual with an easy way to opt-out of receiving future solicitations.

4. A communication from the custodian or a person conducting fundraising on its behalf to an individual for the purpose of fundraising must not include any information about the individual’s health care or state of health.  O. Reg. 329/04, s. 10 (2); O. Reg. 537/06, s. 6 (2, 3).

(3) Revoked:  O. Reg. 537/06, s. 6 (4).

Health number collection

11. The following are prescribed persons for the purposes of clause 34 (2) (d) of the Act:

1. The Workplace Safety and Insurance Board.

2. Every person that is prescribed under section 13.

3. Every entity that is prescribed under section 18.

4. A researcher mentioned in paragraph 2 of section 12, for the purposes of the research.

5. A person conducting health research to the extent that the individual to whom the health number was issued has provided a valid consent to the collection or use of his or her health number for that purpose.  O. Reg. 329/04, s. 11; O. Reg. 537/06, s. 7.

Disclosure of health number

12. The following are prescribed as exceptions for the purposes of subsection 34 (3) of the Act:

1. A person who is not a health information custodian may disclose a health number for a purpose related to the provision of provincially funded health resources.

2. A researcher who has custody or control of personal health information, including a health number, by reason of a disclosure authorized under section 44 of the Act may disclose the health number to a person who is a prescribed person for the purposes of clause 39 (1) (c) of the Act, an entity prescribed for the purposes of subsection 45 (1) of the Act or another researcher if,

i. the disclosure is part of a research plan approved under section 44 of the Act, or

ii. the disclosure is necessary for the purpose of verifying or validating the information or the research.

3. A person that is prescribed for the purposes of clause 39 (1) (c) of the Act may disclose the health number for the purposes of its functions under clause 39 (1) (c).

4. The Workplace Safety and Insurance Board may disclose the health number in the course of exercising its powers under section 159 of the Workplace Safety and Insurance Act, 1997.  O. Reg. 329/04, s. 12; O. Reg. 537/06, s. 8.

Registries of personal health information

13. (1) The following are prescribed persons for the purposes of clause 39 (1) (c) of the Act if the requirements of subsection (2) are satisfied:

1. Cardiac Care Network of Ontario in respect of its registry of cardiac and vascular services.

2. INSCYTE (Information System for Cytology etc.) Corporation in respect of CytoBase.

3. Revoked: O. Reg. 537/06, s. 9 (2).

4. Revoked: O. Reg. 397/15, s. 1 (2).

5. Hamilton Health Sciences Corporation in respect of the Critical Care Information System.

6. Cancer Care Ontario in respect of the Ontario Cancer Screening Registry.

7. Children’s Hospital of Eastern Ontario — Ottawa Children’s Treatment Centre in respect of the Better Outcomes Registry and Network.

8. Ontario Institute for Cancer Research in respect of the Ontario Tumour Bank.  O. Reg. 329/04, s. 13 (1); O. Reg. 537/06, s. 9 (1-4); O. Reg. 322/07, s. 4; O. Reg. 424/09, s. 3; O. Reg. 141/11, s. 1; O. Reg. 397/15, s. 1.

(2) A person who is a prescribed person for the purposes of clause 39 (1) (c) of the Act shall put into place practices and procedures,

(a) that are for the purpose of protecting the privacy of the individuals whose personal health information it receives and for maintaining the confidentiality of the information; and

(b) that are approved by the Commissioner every three years.  O. Reg. 537/06, s. 9 (5).

(3) A person that is a prescribed person for the purposes of clause 39 (1) (c) of the Act shall make publicly available a plain language description of the functions of the registry compiled or maintained by the person, including a summary of the practices and procedures described in subsection (2).  O. Reg. 329/04, s. 13 (3).

(4) A person that is a prescribed person for the purposes of clause 39 (1) (c) of the Act may use personal health information as if it were a health information custodian for the purposes of clause 37 (1) (j) or subsection 37 (3) of the Act.  O. Reg. 329/04, s. 13 (4).

(5) A person that is a prescribed person for the purposes of clause 39 (1) (c) of the Act may disclose personal health information as if it were a health information custodian for the purposes of sections 44, 45 and 47 of the Act.  O. Reg. 329/04, s. 13 (5).

Archives

14. (1) Subject to clause 42 (3) (b) of the Act, a health information custodian may transfer records of personal health information under that clause to a person who,

(a) has put in place reasonable measures to ensure that personal health information in the person’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal;

(b) has put in place measures to allow an individual to have reasonable access to the individual’s own record of personal health information held by the person;

(c) has made available to the public a written statement that,

(i) provides a general description of the person’s information practices,

(ii) describes how an individual may obtain access to a record of personal health information about the individual that is in the custody or control of the person,

(iii) describes the mandate, and organizational links and affiliations, of the person in maintaining the archive, and

(iv) describes how to make a complaint to the person and to the Commissioner under the Act; and

(d) has registered with the Commissioner the intention to act as a recipient of information under this section, and provided to the Commissioner the statement set out in (c), and any further information reasonably requested by the Commissioner.  O. Reg. 329/04, s. 14 (1).

(2) If a person that received records under clause 42 (3) (b) of the Act ceases to exercise the functions of collecting and preserving records of historical or archival importance or ceases to comply with the conditions set out in subsection (1), the person shall immediately transfer the records, including any health number contained in the records, to another person who is authorized to receive transfers of records under clause 42 (3) (a) or (b) of the Act, subject to the agreement of the person who is to receive the transfer.  O. Reg. 329/04, s. 14 (2).

(3) Despite subsection 49 (1) of the Act, and subject to the agreement of the person who is to receive the transfer, a person who is not a health information custodian to whom a health information custodian disclosed personal health information may transfer any records containing the personal health information, including any health number contained in the records to,

(a) the Archives of Ontario; or

(b) a person prescribed under subsection (1), if the disclosure is made for the purpose of that function.  O. Reg. 329/04, s. 14 (3).

(4) A person who receives a transfer of records of personal health information under subsection (2) or (3) or under clause 42 (3) (b) of the Act may,

(a) collect any health number contained in the records incidentally to receiving the transfer of the records;

(b) use personal health information contained in the records, including any health number contained in the records, as if it were a health information custodian for the purposes of clause 37 (1) (j) and subsection 37 (3) of the Act; and

(c) disclose personal health information contained in the records, including any health number contained in the records, as if it were a health information custodian for the purposes of sections 44, 45 and 47 of the Act.  O. Reg. 329/04, s. 14 (4).

(5) A person who, before November 1, 2004, received a transfer of a record of personal health information to which subsection (4) would have applied on or after November 1, 2004, may disclose and use it, including any health number contained in the record, for research as if it were a health information custodian under the Act.  O. Reg. 329/04, s. 14 (5).

Research ethics boards

15. The following are prescribed as requirements that must be met by a research ethics board:

1. The board must have at least five members, including,

i. at least one member with no affiliation with the person or persons that established the research ethics board,

ii. at least one member knowledgeable in research ethics, either as a result of formal training in research ethics, or practical or academic experience in research ethics,

iii. at least two members with expertise in the methods or in the areas of the research being considered, and

iv. at least one member knowledgeable in considering privacy issues.

2. The board may only act with respect to a proposal to approve a research plan where there is no conflict of interest existing or likely to be perceived between its duty under subsection 44 (3) of the Act and any participating board member’s personal interest in the disclosure of the personal health information or the performance of the research.  O. Reg. 329/04, s. 15.

15.1 Revoked:  O. Reg. 322/07, s. 5.

Requirements for research plans

16. The following are prescribed as additional requirements that must be set out in research plans for the purposes of clause 44 (2) (c) of the Act:

1. A description of the research proposed to be conducted and the duration of the research.

2. A description of the personal health information required and the potential sources.

3. A description of how the personal health information will be used in the research, and if it will be linked to other information, a description of the other information as well as how the linkage will be done.

4. An explanation as to why the research cannot reasonably be accomplished without the personal health information and, if it is to be linked to other information, an explanation as to why this linkage is required.

5. An explanation as to why consent to the disclosure of the personal health information is not being sought from the individuals to whom the information relates.

6. A description of the reasonably foreseeable harms and benefits that may arise from the use of the personal health information and how the researchers intend to address those harms.

7. A description of all persons who will have access to the information, why their access is necessary, their roles in relation to the research, and their related qualifications.

8. The safeguards that the researcher will impose to protect the confidentiality and security of the personal health information, including an estimate of how long information will be retained in an identifiable form and why.

9. Information as to how and when the personal health information will be disposed of or returned to the health information custodian.

10. The funding source of the research.

11. Whether the researcher has applied for the approval of another research ethics board and, if so the response to or status of the application.

12. Whether the researcher’s interest in the disclosure of the personal health information or the performance of the research would likely result in an actual or perceived conflict of interest with other duties of the researcher.  O. Reg. 329/04, s. 16.

Disclosure by researcher

17. Despite clause 44 (6) (d) of the Act, a researcher may disclose the information to an entity prescribed under subsection 45 (1) of the Act, to a person prescribed for the purposes of clause 39 (1) (c) of the Act for use in a registry compiled or maintained by that person, or to another researcher if,

(a) the disclosure is part of a research plan approved under section 44 of the Act; or

(b) the disclosure is necessary for the purpose of verifying or validating the information or the research.  O. Reg. 329/04, s. 17.

Prescribed entities for the purposes of s. 45 (1) of the Act

18. (1) Each of the following entities, including any registries maintained within the entity, is a prescribed entity for the purposes of subsection 45 (1) of the Act:

1. Cancer Care Ontario.

2. Canadian Institute for Health Information.

3. Institute for Clinical Evaluative Sciences.

4. Pediatric Oncology Group of Ontario.  O. Reg. 329/04, s. 18 (1).

(2) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act shall make publicly available a plain language description of the functions of the entity including a summary of the practices and procedures described in subsection 45 (3) of the Act.  O. Reg. 329/04, s. 18 (2).

(3) Despite subsection 45 (6) of the Act, every entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may use personal health information as if it were a health information custodian for the purposes of clause 37 (1) (j) and subsection 37 (3) of the Act.  O. Reg. 329/04, s. 18 (3).

(4) Despite subsection 45 (6) of the Act, every entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose personal health information as if it were a health information custodian for the purposes of clause 39 (1) (c) and sections 44, 45 and 47 of the Act.  O. Reg. 329/04, s. 18 (4).

(5) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose the information that it receives under subsection 45 (1) of the Act to a health information custodian who provided it to or disclosed it directly or indirectly to the person from whom the entity collected the information, whether or not the information has been manipulated or altered, if it does not contain any additional identifying information.  O. Reg. 329/04, s. 18 (5).

(6) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose the information that it receives under subsection 45 (1) of the Act to a governmental institution of Ontario or Canada as if the entity were a health information custodian for the purposes of clause 43 (1) (h) of the Act.  O. Reg. 329/04, s. 18 (6).

(7) Despite subsection 45 (6) of the Act, the Canadian Institute for Health Information may disclose personal health information about an individual to a person outside Ontario where,

(a) the disclosure is for the purpose of health planning or health administration;

(b) the information relates to health care provided in Ontario to a person who is a resident of another province or territory of Canada; and

(c) the disclosure is made to the government of that province or territory.  O. Reg. 329/04, s. 18 (7).

(8) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose the information it receives under subsection 45 (1) of the Act to the Minister and any person designated by the Minister for the purpose of developing and maintaining an electronic master person index for the Province of Ontario’s health sector to accurately identify and organize records of personal health information about an individual.  O. Reg. 245/06, s. 1.

(9) Despite subsection 45 (6) of the Act, Cancer Care Ontario may disclose personal health information about an individual to a person outside Ontario where,

(a) the disclosure is for the purpose of health planning or health administration;

(b) the information relates to health care provided in Ontario to a person who is a resident of another province or territory of Canada; and

(c) the disclosure is made to a body responsible for the provision, planning, analysis or payment of cancer services in that province or territory.  O. Reg. 424/09, s. 4.

19. Revoked:  O. Reg. 322/07, s. 6.

Information received before commencement

20. For the purposes of subsection 49 (1) of the Act, a person who is not a health information custodian and to whom a health information custodian disclosed personal health information prior to November 1, 2004 may use or disclose the information for the purpose for which it was disclosed to the person, except where otherwise prohibited by law.  O. Reg. 329/04, s. 20.

Exceptions to restrictions on recipients

21. (1) Section 49 of the Act does not apply,

(a) to an individual or a substitute decision maker of an individual in respect of personal health information about the individual; or

(b) to prevent a person who received personal health information from a health information custodian from using or disclosing the information pursuant to a valid consent.  O. Reg. 329/04, s. 21 (1).

(2) Despite subsection 49 (1) of the Act, a person who is not a health information custodian and who provides coverage for payment to or on behalf of individuals in respect of medications or related goods or services may, where a claim is made to the person through a member of the Ontario College of Pharmacists for such a payment to or on behalf of an individual, disclose personal health information about the individual to the member to assist the member in advising the individual or providing health care to the individual.  O. Reg. 329/04, s. 21 (2).

(3) Despite subsection 49 (1) of the Act, a person who is not a health information custodian and to whom a health information custodian discloses personal health information shall not disclose the personal health information where the disclosure is otherwise prohibited by law.  O. Reg. 329/04, s. 21 (3).

Extent of use or disclosure by recipient

22. Subsection 49 (2) of the Act does not apply to,

(a) a College under the Regulated Health Professions Act, 1991, the College under the Social Work and Social Service Work Act, 1998 or the Board under the Drugless Practitioners Act;

(b) a children’s aid society or any person providing services on behalf of or on the request of a children’s aid society; or

(c) a foster parent.  O. Reg. 329/04, s. 22.

Freedom of information legislation

23. (1) Subsections 49 (1) and (2) of the Act do not apply to a person employed by or acting for an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act, to the extent that the person is acting within the scope of one of those Acts.  O. Reg. 329/04, s. 23 (1).

(2) Subsection 49 (3) of the Act does not apply to an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act that is a health information custodian.  O. Reg. 329/04, s. 23 (2).

Exclusions from access provisions

24. (1) The following types of personal health information in the custody or control of the following types of health information custodians are not subject to Part V of the Act:

1. Personal health information that a researcher uses solely for the purposes of research, where the research is conducted in accordance with a research plan approved under subsection 44 (4) of the Act, or has been approved under clause 44 (10) (b) of the Act.

2. Personal health information that is in the custody or control of a laboratory in respect of a test requested by a health care practitioner for the purpose of providing health care to the individual where the following conditions apply:

i. the individual has a right of access to the information through the health care practitioner, or will have such a right when the information is provided by the laboratory to the health care practitioner within a reasonable time, and

ii. the health care practitioner has not directed the laboratory to provide the information directly to the individual.  O. Reg. 329/04, s. 24 (1).

(2) For the purposes of paragraph 2 of subsection (1),

“laboratory” means,

(a) a laboratory or a specimen collection centre as defined in section 5 of the Laboratory and Specimen Collection Centre Licensing Act, or

(b) a laboratory operated by a ministry of the Crown in right of Ontario.  O. Reg. 329/04, s. 24 (2).

(3) Part V of the Act does not apply to entitle a person to a right of access to information about the person that is contained in a record that is dedicated primarily to the personal health information of another person.  O. Reg. 329/04, s. 24 (3).

24.1, 24.2 Revoked:  O. Reg. 322/07, s. 7.

Canadian Blood Services

25. (1) The Canadian Blood Services may indirectly collect personal health information about an individual who donates or attempts to donate blood or blood products, if the information is reasonably necessary to ensure the safety of the blood system and it is not reasonably possible to collect, directly from the individual,

(a) personal health information that can reasonably be relied on as accurate; or

(b) personal health information in a timely way.  O. Reg. 329/04, s. 25 (1).

(2) The Canadian Blood Services may use the personal health information of an individual who donates or attempts to donate blood or blood products for the purpose of ensuring the safety of the blood system.  O. Reg. 329/04, s. 25 (2).

(3) The Canadian Blood Services may collect personal health information from, and disclose personal health information to, Héma-Québec as necessary for the purpose of ensuring the safety of the supply of blood and blood products, where the personal health information relates to an individual who donates or attempts to donate blood or blood products.  O. Reg. 329/04, s. 25 (3).

(4) The Canadian Blood Services shall not disclose personal health information for the purpose of recruiting donors of blood, blood products or hematopoietic progenitor cells without the express consent of the individual, despite subsection 18 (2) of the Act.  O. Reg. 329/04, s. 25 (4).

(5) The Canadian Blood Services may disclose personal health information about a deceased individual who has received blood or blood products to a relative of the individual or the executor or administrator of the individual’s estate for the purpose of determining eligibility for compensation.  O. Reg. 329/04, s. 25 (5).

25.1 Revoked:  O. Reg. 424/09, s. 5.

26. Omitted (provides for coming into force of provisions of this Regulation).  O. Reg. 329/04, s. 26.