You're using an outdated browser. This website will not display correctly and some features will not work.
Learn more about the browsers we support for a faster and safer online experience.

Personal Health Information Protection Act, 2004

ONTARIO REGULATION 329/04

Amended to O. Reg. 537/06

GENERAL

Historical version for the period December 8, 2006 to July 3, 2007.

This is the English version of a bilingual regulation.

CONTENTS

1.

Definitions for the purposes of the Act

2.

Exemptions, “health care practitioner”

3.

Health information custodians

4.

Mixed records

5.

Prevail over Act

6.

Persons who provide to custodians

6.1

Smart Systems for Health Agency

7.

Exception to s. 17 (2) of the Act

8.

s. 18 (4) (c) of the Act

8.1

Notification if no consent

9.

Substitute decision maker

10.

Fundraising

11.

Health number collection

12.

Disclosure of health number

13.

Registries of personal health information

14.

Archives

15.

Research ethics boards

15.1

Disclosure by custodian, s. 43 (1) (f) of the Act

16.

Requirements for research plans

17.

Disclosure by researcher

18.

Prescribed entities for the purposes of s. 45 (1) of the Act

19.

Collection by institution

20.

Information received before commencement

21.

Exceptions to restrictions on recipients

22.

Extent of use or disclosure by recipient

23.

Freedom of information legislation

24.

Exclusions from access provisions

24.1

Permission to disclose

24.2

Notice, Part does not apply

25.

Canadian Blood Services

25.1

Sunnybrook Health Sciences Centre Foundation

Definitions for the purposes of the Act

1. (1) In the definition of “health care” in section 2 of the Act,

“a procedure that is done for a health-related purpose” includes taking a donation of blood or blood products from an individual. O. Reg. 329/04, s. 1 (1).

(2) For the purposes of the Act,

“marketing” does not include,

(a) a communication by a health care practitioner who provides insured services within the meaning of the Health Insurance Act to an individual or a member of the individual’s family or household by which the practitioner makes available to those persons an arrangement whereby they may receive ancillary uninsured services for a block fee or on the basis of a set fee for service, or

(b) a communication by the Canadian Blood Services for the purpose of recruiting donors of blood, blood products or hematopoietic progenitor cells. O. Reg. 329/04, s. 1 (2).

(3) In the definition of “disclose” in section 2 of the Act, the expression “to make the information available or to release it to another health information custodian or to another person” does not include a person’s providing personal health information to someone who provided it to or disclosed it to the person, whether or not the personal health information has been manipulated or altered, if it does not contain any additional identifying information. O. Reg. 329/04, s. 1 (3).

(3.1) In paragraph 4 of the definition of “health information custodian” in subsection 3 (1) of the Act,

“person who operates” includes, with respect to a psychiatric facility within the meaning of the Mental Health Act, the officer in charge of the facility within the meaning of the Mental Health Act. O. Reg. 537/06, s. 1.

(4) For the purposes of clause 4 (1) (d) of the Act, the expression “eligibility for health care” includes eligibility for coverage under the Health Insurance Act or for any other insurance or payment arrangement with respect to health care. O. Reg. 329/04, s. 1 (4).

(5) For the purposes of subsection 7 (3) of the Act, if the Act or its regulations provides that an action, including a collection, use or disclosure, may be taken, and another Act or regulation provides that it may not be taken, then “it is not possible to comply with both”. O. Reg. 329/04, s. 1 (5).

(5.1) In subsection 13 (1) of the Act,

“disposed of in a secure manner” does not include, in relation to the disposition of records of personal health information, the destruction of the records unless the records are destroyed in such a manner that the reconstruction of the records is not reasonably foreseeable in the circumstances. O. Reg. 537/06, s. 1.

(6) For the purposes of clause 18 (4) (c) of the Act,

“information about an individual’s state of health” does not include information about medication or related goods or services provided by a member of the Ontario College of Pharmacists to the individual that the member discloses to a third party who is being requested to provide payment for the medication or related goods or services. O. Reg. 329/04, s. 1 (6).

(7) For the purposes of paragraph 5 of subsection 23 (1) of the Act,

“a person whom an Act of Ontario or Canada authorizes or requires to act on behalf of the individual” includes a person who is an agent for the purposes of section 157 of the Drug and Pharmacies Regulation Act where the consent under section 23 of the Personal Health Information Protection Act, 2004 relates to a prescription being presented to a pharmacist to be dispensed. O. Reg. 329/04, s. 1 (7).

(8) For the purposes of subsections 34 (2) and (3) of the Act,

“a person who is not a health information custodian” does not include,

(a) a custodian’s agent who is using or disclosing the information on behalf of the custodian in accordance with the Act, or

(b) the individual or the individual’s substitute decision-maker in respect of the individual’s health number. O. Reg. 329/04, s. 1 (8).

(8.1) In subclause 36 (1) (b) (i) of the Act,

“accurate” means, with respect to personal health information, correct and sufficient for the purposes for which the information is reasonably required. O. Reg. 537/06, s. 1.

(8.2) In clause 37 (1) (g) of the Act,

“the individual’s consent” includes the consent of a substitute decision-maker given on the individual’s behalf in accordance with the Act; (“consentement du particulier”)

“the individual’s name and contact information” includes the name and contact information of the individual’s substitute decision-maker, if any. (“au nom du particulier et à ses coordonnées”) O. Reg. 537/06, s. 1.

(9) For the purposes of clause 39 (1) (a) of the Act, the expression “eligibility of the individual to receive health care or related goods, services or benefits provided under an Act of Ontario or Canada and funded in whole or in part by the Government of Ontario or Canada or by a municipality” includes eligibility of the individual for coverage under the Health Insurance Act or for any other insurance or payment arrangement with respect to health care or related goods, services or benefits that are provided under the authority of an Act of Ontario or Canada and are funded in whole or in part by the Government of Ontario or Canada or by a municipality. O. Reg. 329/04, s. 1 (9).

(10) For the purposes of subsections 42 (1) and (2) of the Act, “potential successor” and “successor” mean a potential successor or a successor that is a health information custodian or that will be a health information custodian if it becomes the successor. O. Reg. 329/04, s. 1 (10).

(11) For the purposes of subsection 51 (3) of the Act,

“health information custodian acting as an agent of an institution” means a health care practitioner who is acting as part of the institution. O. Reg. 537/06, s. 1.

Exemptions, “health care practitioner”

2. The following persons are not health care practitioners under clause (d) of the definition of “health care practitioner” in section 2 of the Act:

1. Persons providing fitness or weight-management services. O. Reg. 329/04, s. 2.

Health information custodians

3. (1) The Canadian Blood Services is prescribed as a health information custodian, and is prescribed as a single health information custodian with respect to all its functions. O. Reg. 329/04, s. 3 (1).

(2) Despite paragraph 6 of subsection 3 (1) of the Act, the medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act is prescribed as a single health information custodian with respect to the performance of his or her duties under that or any other Act. O. Reg. 329/04, s. 3 (2).

(3) With respect to public health laboratory centres established and maintained under section 79 of the Health Protection and Promotion Act, the Director of the Laboratories Branch of the Ministry of Health and Long-Term Care,

(a) is prescribed as a health information custodian;

(b) is prescribed as a single health information custodian with respect to all the functions of the public health laboratory centres; and

(c) shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3) and clause 38 (1) (a) of the Act. O. Reg. 537/06, s. 2.

(4) The Minister of Health Promotion, together with the Ministry of Health Promotion, if the context so requires, is prescribed as,

(a) a health information custodian; and

(b) a single health information custodian with respect to all functions of the Minister and the Ministry. O. Reg. 537/06, s. 2.

(5) The Ontario Air Ambulance Services Corporation,

(a) is prescribed as a health information custodian;

(b) is prescribed as a single health information custodian with respect to all of its functions; and

(c) shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3) and clause 38 (1) (a) of the Act. O. Reg. 537/06, s. 2.

(6) Every municipality that operates a communications service within the meaning of the Ambulance Act is prescribed as,

(a) a health information custodian; and

(b) a single health information custodian with respect to all of its functions in operating the communications service. O. Reg. 537/06, s. 2.

(7) Every person who, as a result of the bankruptcy or insolvency of a health information custodian, obtains complete custody or control of records of personal health information held by the health information custodian, is prescribed as the health information custodian with respect to those records. O. Reg. 537/06, s. 2.

Mixed records

4. Except for the purposes of subsection 8 (4) of the Act, “personal health information” as defined under subsection 4 (1) of the Act includes all identifying information that is contained in a record that contains information of the type referred to in any one or more of clauses (a) to (g) of subsection 4 (1). O. Reg. 329/04, s. 4.

Prevail over Act

5. (1) The confidentiality requirements in the following provisions prevail over the Act:

1. Section 165 and subsection 168 (3) of the Child and Family Services Act.

2. Subsection 85.3 (4) of the Health Professions Procedural Code set out in Schedule 2 to the Regulated Health Professions Act, 1991.

3. Subsection 19 (8) of the Remedies for Organized Crime and Other Unlawful Activities Act, 2001.

3.1 Subsection 44 (3) of the Social Work and Social Service Work Act, 1998.

4. Subsection 181 (3) of the Workplace Safety and Insurance Act, 1997. O. Reg. 329/04, s. 5; O. Reg. 537/06, s. 3 (1).

(2) Section 5 of the Trillium Gift of Life Network Act prevails over the Personal Health Information Protection Act, 2004 in the event of a conflict. O. Reg. 537/06, s. 3 (2).

Persons who provide to custodians

6. (1) Except as otherwise required by law, the following are prescribed as requirements for the purposes of subsection 10 (4) of the Act with respect to a person who supplies services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, and who is not an agent of the custodian:

1. The person shall not use any personal health information to which it has access in the course of providing the services for the health information custodian except as necessary in the course of providing the services.

2. The person shall not disclose any personal health information to which it has access in the course of providing the services for the health information custodian.

3. The person shall not permit its employees or any person acting on its behalf to be able to have access to the information unless the employee or person acting on its behalf agrees to comply with the restrictions that apply to the person who is subject to this subsection. O. Reg. 329/04, s. 6 (1).

(2) In subsection (3),

“health information network provider” or “provider” means a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians. O. Reg. 329/04, s. 6 (2).

(3) The following are prescribed as requirements with respect to a health information network provider in the course of providing services to enable a health information custodian to use electronic means to collect, use, disclose, retain or dispose of personal health information:

1. The provider shall notify every applicable health information custodian at the first reasonable opportunity if,

i. the provider accessed, used, disclosed or disposed of personal health information other than in accordance with paragraphs 1 and 2 of subsection (1), or

ii. an unauthorized person accessed the personal health information.

2. The provider shall provide to each applicable health information custodian a plain language description of the services that the provider provides to the custodians, that is appropriate for sharing with the individuals to whom the personal health information relates, including a general description of the safeguards in place to protect against unauthorized use and disclosure, and to protect the integrity of the information.

3. The provider shall make available to the public,

i. the description referred to in paragraph 2,

ii. any directives, guidelines and policies of the provider that apply to the services that the provider provides to the health information custodians to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information, and

iii. a general description of the safeguards implemented by the person in relation to the security and confidentiality of the information.

4. The provider shall to the extent reasonably practical, and in a manner that is reasonably practical, keep and make available to each applicable health information custodian, on the request of the custodian, an electronic record of,

i. all accesses to all or part of the personal health information associated with the custodian being held in equipment controlled by the provider, which record shall identify the person who accessed the information and the date and time of the access, and

ii. all transfers of all or part of the information associated with the custodian by means of equipment controlled by the provider, which record shall identify the person who transferred the information and the person or address to whom it was sent, and the date and time it was sent.

5. The provider shall perform, and provide to each applicable health information custodian a written copy of the results of, an assessment of the services provided to the health information custodians, with respect to,

i. threats, vulnerabilities and risks to the security and integrity of the personal health information, and

ii. how the services may affect the privacy of the individuals who are the subject of the information.

6. The provider shall ensure that any third party it retains to assist in providing services to a health information custodian agrees to comply with the restrictions and conditions that are necessary to enable the provider to comply with this section.

7. The provider shall enter into a written agreement with each health information custodian concerning the services provided to the custodian that,

i. describes the services that the provider is required to provide for the custodian,

ii. describes the administrative, technical and physical safeguards relating to the confidentiality and security of the information, and

iii. requires the provider to comply with the Act and the regulations. O. Reg. 329/04, s. 6 (3).

(4) A health information custodian who uses goods or services supplied by a person referred to in subsection 10 (4) of the Act, other than a person who is an agent of the custodian, for the purpose of using electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall not be considered in so doing to make the information available or to release it to that person for the purposes of the definition of “disclose” in section 2 of the Act if,

(a) the person complies with subsections (1) and (3), to the extent that either is applicable, in supplying services; and

(b) in the case of a person supplying goods to the health information custodian, the custodian does not, in returning the goods to the person, enable the person to access the personal health information except where subsection (1) applies and is complied with. O. Reg. 329/04, s. 6 (4).

Smart Systems for Health Agency

6.1 The Smart Systems for Health Agency shall put in place administrative, technical and physical safeguards, practices and procedures that have been reviewed by the Commissioner to protect both the privacy of the individuals in relation to whose personal health information it provides services and the confidentiality of such information, and that,

(a) permit compliance with the Act by health information custodians who rely on services supplied by the Agency to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information; and

(b) permit the Agency to comply with section 6 of this Regulation. O. Reg. 537/06, s. 4.

Exception to s. 17 (2) of the Act

7. The following are prescribed as exceptions to subsection 17 (2) of the Act:

1. An agent of a health information custodian to whom the custodian provides information to use for the purposes of clause 37 (1) (d) of the Act may use that information, together with other such information that the agent has received from other custodians to use for the purposes of that clause, for the purposes of systemic risk management analysis if,

i. the agent is the Canadian Medical Protective Association or the Healthcare Insurance Reciprocal of Canada, and

ii. the agent does not disclose personal health information provided to it by one health information custodian to another custodian.

2. An agent of a health information custodian may disclose personal health information acquired in the course of the agent’s activities for or on behalf of the custodian, as if the agent were a health information custodian for the purposes of,

i. subsection 40 (1) of the Act,

ii. clauses 43 (1) (b), (c) and (d) of the Act, or

iii. disclosures to the Public Guardian and Trustee or a children’s aid society under clause 43 (1) (e) of the Act. O. Reg. 329/04, s. 7.

s. 18 (4) (c) of the Act

8. The disclosure of information by a member of the Ontario College of Pharmacists to a third party who is being requested to provide payment for medication or related goods or services provided to an individual is a prescribed type of disclosure for the purposes of clause 18 (4) (c) of the Act. O. Reg. 329/04, s. 8.

Notification if no consent

8.1 For the purposes of subsection 20 (2) and clause 37 (1) (a) of the Act, if a health information custodian described in paragraph 1, 2, 3 or 4 of the definition of “health information custodian” in subsection 3 (1) of the Act or a health information custodian prescribed by subsection 3 (3) or (5) of this Regulation provides personal health information about an individual to an agent of the custodian for the purpose of providing health care or assisting in the provision of health care to the individual and if the custodian does not have the consent of the individual to provide all the personal health information about the individual that the custodian considers reasonably necessary for that purpose, the custodian shall notify the agent to whom the custodian provides the information of that fact. O. Reg. 537/06, s. 5.

Substitute decision maker

9. An application to the Board under subsection 24 (2), 27 (1) or (2) of the Act shall be deemed to include an application to the Board under subsection 22 (3) of the Act with respect to the individual’s capacity to consent to the collection, use or disclosure of his or her personal health information unless the individual’s capacity has been determined by the Board within the previous six months. O. Reg. 329/04, s. 9.

Fundraising

10. (1) The following types of contact information are prescribed for the purposes of clause 32 (1) (b) of the Act:

1. The mailing address of the individual.

2. The name and mailing address of the individual’s substitute decision-maker. O. Reg. 537/06, s. 6 (1).

(2) For the purposes of subsection 32 (2) of the Act, the following are prescribed as requirements and restrictions on the manner in which consent is obtained and the resulting collection, use or disclosure of personal health information:

1. Personal health information held by a health information custodian may only be collected, used or disclosed for the purpose of fundraising activities undertaken for a charitable or philanthropic purpose related to the custodian’s operations.

2. For personal health information collected on or after November 1, 2004, consent under clause 32 (1) (b) of the Act may only be inferred where,

i. the custodian has at the time of providing service to the individual, posted or made available to the individual, in a manner likely to come to the attention of the individual, a brief statement that unless he or she requests otherwise, his or her name and contact information may be disclosed and used for fundraising purposes on behalf of the custodian, together with information on how the individual can easily opt-out of receiving any future fundraising solicitations on behalf of the custodian, and

ii. the individual has not opted out within 60 days of when the statement provided under subparagraph i was made available to him or her.

2.1 For personal health information collected before November 1, 2004, a health information custodian is entitled to assume that it has the individual’s implied consent to use or disclose the individual’s name and contact information for the purpose of fundraising activities, unless the custodian is aware that the individual has expressly withheld or withdrawn the consent.

3. All solicitations for fundraising must provide the individual with an easy way to opt-out of receiving future solicitations.

4. A communication from the custodian or a person conducting fundraising on its behalf to an individual for the purpose of fundraising must not include any information about the individual’s health care or state of health. O. Reg. 329/04, s. 10 (2); O. Reg. 537/06, s. 6 (2, 3).

(3) Revoked: O. Reg. 537/06, s. 6 (4).

Health number collection

11. The following are prescribed persons for the purposes of clause 34 (2) (d) of the Act:

1. The Workplace Safety and Insurance Board.

2. Every person that is prescribed under section 13.

3. Every entity that is prescribed under section 18.

4. A researcher mentioned in paragraph 2 of section 12, for the purposes of the research.

5. A person conducting health research to the extent that the individual to whom the health number was issued has provided a valid consent to the collection or use of his or her health number for that purpose. O. Reg. 329/04, s. 11; O. Reg. 537/06, s. 7.

Disclosure of health number

12. The following are prescribed as exceptions for the purposes of subsection 34 (3) of the Act:

1. A person who is not a health information custodian may disclose a health number for a purpose related to the provision of provincially funded health resources.

2. A researcher who has custody or control of personal health information, including a health number, by reason of a disclosure authorized under section 44 of the Act may disclose the health number to a person who is a prescribed person for the purposes of clause 39 (1) (c) of the Act, an entity prescribed for the purposes of subsection 45 (1) of the Act or another researcher if,

i. the disclosure is part of a research plan approved under section 44 of the Act, or

ii. the disclosure is necessary for the purpose of verifying or validating the information or the research.

3. A person that is prescribed for the purposes of clause 39 (1) (c) of the Act may disclose the health number for the purposes of its functions under clause 39 (1) (c).

4. The Workplace Safety and Insurance Board may disclose the health number in the course of exercising its powers under section 159 of the Workplace Safety and Insurance Act, 1997. O. Reg. 329/04, s. 12; O. Reg. 537/06, s. 8.

Registries of personal health information

13. (1) The following are prescribed persons for the purposes of clause 39 (1) (c) of the Act if the requirements of subsection (2) are satisfied:

1. Cardiac Care Network of Ontario in respect of its registry of cardiac services.

2. INSCYTE (Information System for Cytology etc.) Corporation in respect of CytoBase.

3. Revoked: O. Reg. 537/06, s. 9 (2).

4. Canadian Stroke Network in respect of the Registry of the Canadian Stroke Network.

5. Hamilton Health Sciences Corporation in respect of the Critical Care Information System. O. Reg. 329/04, s. 13 (1); O. Reg. 537/06, s. 9 (1-4).

(2) A person who is a prescribed person for the purposes of clause 39 (1) (c) of the Act shall put into place practices and procedures,

(a) that are for the purpose of protecting the privacy of the individuals whose personal health information it receives and for maintaining the confidentiality of the information; and

(b) that are approved by the Commissioner every three years. O. Reg. 537/06, s. 9 (5).

(3) A person that is a prescribed person for the purposes of clause 39 (1) (c) of the Act shall make publicly available a plain language description of the functions of the registry compiled or maintained by the person, including a summary of the practices and procedures described in subsection (2). O. Reg. 329/04, s. 13 (3).

(4) A person that is a prescribed person for the purposes of clause 39 (1) (c) of the Act may use personal health information as if it were a health information custodian for the purposes of clause 37 (1) (j) or subsection 37 (3) of the Act. O. Reg. 329/04, s. 13 (4).

(5) A person that is a prescribed person for the purposes of clause 39 (1) (c) of the Act may disclose personal health information as if it were a health information custodian for the purposes of sections 44, 45 and 47 of the Act. O. Reg. 329/04, s. 13 (5).

Archives

14. (1) Subject to clause 42 (3) (b) of the Act, a health information custodian may transfer records of personal health information under that clause to a person who,

(a) has put in place reasonable measures to ensure that personal health information in the person’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal;

(b) has put in place measures to allow an individual to have reasonable access to the individual’s own record of personal health information held by the person;

(c) has made available to the public a written statement that,

(i) provides a general description of the person’s information practices,

(ii) describes how an individual may obtain access to a record of personal health information about the individual that is in the custody or control of the person,

(iii) describes the mandate, and organizational links and affiliations, of the person in maintaining the archive, and

(iv) describes how to make a complaint to the person and to the Commissioner under the Act; and

(d) has registered with the Commissioner the intention to act as a recipient of information under this section, and provided to the Commissioner the statement set out in (c), and any further information reasonably requested by the Commissioner. O. Reg. 329/04, s. 14 (1).

(2) If a person that received records under clause 42 (3) (b) of the Act ceases to exercise the functions of collecting and preserving records of historical or archival importance or ceases to comply with the conditions set out in subsection (1), the person shall immediately transfer the records, including any health number contained in the records, to another person who is authorized to receive transfers of records under clause 42 (3) (a) or (b) of the Act, subject to the agreement of the person who is to receive the transfer. O. Reg. 329/04, s. 14 (2).

(3) Despite subsection 49 (1) of the Act, and subject to the agreement of the person who is to receive the transfer, a person who is not a health information custodian to whom a health information custodian disclosed personal health information may transfer any records containing the personal health information, including any health number contained in the records to,

(a) the Archives of Ontario; or

(b) a person prescribed under subsection (1), if the disclosure is made for the purpose of that function. O. Reg. 329/04, s. 14 (3).

(4) A person who receives a transfer of records of personal health information under subsection (2) or (3) or under clause 42 (3) (b) of the Act may,

(a) collect any health number contained in the records incidentally to receiving the transfer of the records;

(b) use personal health information contained in the records, including any health number contained in the records, as if it were a health information custodian for the purposes of clause 37 (1) (j) and subsection 37 (3) of the Act; and

(c) disclose personal health information contained in the records, including any health number contained in the records, as if it were a health information custodian for the purposes of sections 44, 45 and 47 of the Act. O. Reg. 329/04, s. 14 (4).

(5) A person who, before November 1, 2004, received a transfer of a record of personal health information to which subsection (4) would have applied on or after November 1, 2004, may disclose and use it, including any health number contained in the record, for research as if it were a health information custodian under the Act. O. Reg. 329/04, s. 14 (5).

Research ethics boards

15. The following are prescribed as requirements that must be met by a research ethics board:

1. The board must have at least five members, including,

i. at least one member with no affiliation with the person or persons that established the research ethics board,

ii. at least one member knowledgeable in research ethics, either as a result of formal training in research ethics, or practical or academic experience in research ethics,

iii. at least two members with expertise in the methods or in the areas of the research being considered, and

iv. at least one member knowledgeable in considering privacy issues.

2. The board may only act with respect to a proposal to approve a research plan where there is no conflict of interest existing or likely to be perceived between its duty under subsection 44 (3) of the Act and any participating board member’s personal interest in the disclosure of the personal health information or the performance of the research. O. Reg. 329/04, s. 15.

Disclosure by custodian, s. 43 (1) (f) of the Act

15.1 For greater certainty, for the purposes of clause 43 (1) (f) of the Act, the reference in clause 43 (1) (f) of the Act to a health information custodian who is subject to the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act includes a reference to a health information custodian who is subject to either of those Acts because the custodian is acting as part of an institution, as defined in the applicable Act. O. Reg. 537/06, s. 10.

Requirements for research plans

16. The following are prescribed as additional requirements that must be set out in research plans for the purposes of clause 44 (2) (c) of the Act:

1. A description of the research proposed to be conducted and the duration of the research.

2. A description of the personal health information required and the potential sources.

3. A description of how the personal health information will be used in the research, and if it will be linked to other information, a description of the other information as well as how the linkage will be done.

4. An explanation as to why the research cannot reasonably be accomplished without the personal health information and, if it is to be linked to other information, an explanation as to why this linkage is required.

5. An explanation as to why consent to the disclosure of the personal health information is not being sought from the individuals to whom the information relates.

6. A description of the reasonably foreseeable harms and benefits that may arise from the use of the personal health information and how the researchers intend to address those harms.

7. A description of all persons who will have access to the information, why their access is necessary, their roles in relation to the research, and their related qualifications.

8. The safeguards that the researcher will impose to protect the confidentiality and security of the personal health information, including an estimate of how long information will be retained in an identifiable form and why.

9. Information as to how and when the personal health information will be disposed of or returned to the health information custodian.

10. The funding source of the research.

11. Whether the researcher has applied for the approval of another research ethics board and, if so the response to or status of the application.

12. Whether the researcher’s interest in the disclosure of the personal health information or the performance of the research would likely result in an actual or perceived conflict of interest with other duties of the researcher. O. Reg. 329/04, s. 16.

Disclosure by researcher

17. Despite clause 44 (6) (d) of the Act, a researcher may disclose the information to an entity prescribed under subsection 45 (1) of the Act, to a person prescribed for the purposes of clause 39 (1) (c) of the Act for use in a registry compiled or maintained by that person, or to another researcher if,

(a) the disclosure is part of a research plan approved under section 44 of the Act; or

(b) the disclosure is necessary for the purpose of verifying or validating the information or the research. O. Reg. 329/04, s. 17.

Prescribed entities for the purposes of s. 45 (1) of the Act

18. (1) Each of the following entities, including any registries maintained within the entity, is a prescribed entity for the purposes of subsection 45 (1) of the Act:

1. Cancer Care Ontario.

2. Canadian Institute for Health Information.

3. Institute for Clinical Evaluative Sciences.

4. Pediatric Oncology Group of Ontario. O. Reg. 329/04, s. 18 (1).

(2) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act shall make publicly available a plain language description of the functions of the entity including a summary of the practices and procedures described in subsection 45 (3) of the Act. O. Reg. 329/04, s. 18 (2).

(3) Despite subsection 45 (6) of the Act, every entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may use personal health information as if it were a health information custodian for the purposes of clause 37 (1) (j) and subsection 37 (3) of the Act. O. Reg. 329/04, s. 18 (3).

(4) Despite subsection 45 (6) of the Act, every entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose personal health information as if it were a health information custodian for the purposes of clause 39 (1) (c) and sections 44, 45 and 47 of the Act. O. Reg. 329/04, s. 18 (4).

(5) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose the information that it receives under subsection 45 (1) of the Act to a health information custodian who provided it to or disclosed it directly or indirectly to the person from whom the entity collected the information, whether or not the information has been manipulated or altered, if it does not contain any additional identifying information. O. Reg. 329/04, s. 18 (5).

(6) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose the information that it receives under subsection 45 (1) of the Act to a governmental institution of Ontario or Canada as if the entity were a health information custodian for the purposes of clause 43 (1) (h) of the Act. O. Reg. 329/04, s. 18 (6).

(7) Despite subsection 45 (6) of the Act, the Canadian Institute for Health Information may disclose personal health information about an individual to a person outside Ontario where,

(a) the disclosure is for the purpose of health planning or health administration;

(b) the information relates to health care provided in Ontario to a person who is a resident of another province or territory of Canada; and

(c) the disclosure is made to the government of that province or territory. O. Reg. 329/04, s. 18 (7).

(8) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose the information it receives under subsection 45 (1) of the Act to the Minister and any person designated by the Minister for the purpose of developing and maintaining an electronic master person index for the Province of Ontario’s health sector to accurately identify and organize records of personal health information about an individual. O. Reg. 245/06, s. 1.

Collection by institution

19. An institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act that is not a health information custodian may collect personal health information from a health information custodian if and only if the custodian has authority to disclose the information to the institution under the Act. O. Reg. 329/04, s. 19.

Information received before commencement

20. For the purposes of subsection 49 (1) of the Act, a person who is not a health information custodian and to whom a health information custodian disclosed personal health information prior to November 1, 2004 may use or disclose the information for the purpose for which it was disclosed to the person, except where otherwise prohibited by law. O. Reg. 329/04, s. 20.

Exceptions to restrictions on recipients

21. (1) Section 49 of the Act does not apply,

(a) to an individual or a substitute decision maker of an individual in respect of personal health information about the individual; or

(b) to prevent a person who received personal health information from a health information custodian from using or disclosing the information pursuant to a valid consent. O. Reg. 329/04, s. 21 (1).

(2) Despite subsection 49 (1) of the Act, a person who is not a health information custodian and who provides coverage for payment to or on behalf of individuals in respect of medications or related goods or services may, where a claim is made to the person through a member of the Ontario College of Pharmacists for such a payment to or on behalf of an individual, disclose personal health information about the individual to the member to assist the member in advising the individual or providing health care to the individual. O. Reg. 329/04, s. 21 (2).

(3) Despite subsection 49 (1) of the Act, a person who is not a health information custodian and to whom a health information custodian discloses personal health information shall not disclose the personal health information where the disclosure is otherwise prohibited by law. O. Reg. 329/04, s. 21 (3).

Extent of use or disclosure by recipient

22. Subsection 49 (2) of the Act does not apply to,

(a) a College under the Regulated Health Professions Act, 1991, the College under the Social Work and Social Service Work Act, 1998 or the Board under the Drugless Practitioners Act;

(b) a children’s aid society or any person providing services on behalf of or on the request of a children’s aid society; or

(c) a foster parent. O. Reg. 329/04, s. 22.

Freedom of information legislation

23. (1) Subsections 49 (1) and (2) of the Act do not apply to a person employed by or acting for an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act, to the extent that the person is acting within the scope of one of those Acts. O. Reg. 329/04, s. 23 (1).

(2) Subsection 49 (3) of the Act does not apply to an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act that is a health information custodian. O. Reg. 329/04, s. 23 (2).

Exclusions from access provisions

24. (1) The following types of personal health information in the custody or control of the following types of health information custodians are not subject to Part V of the Act:

1. Personal health information that a researcher uses solely for the purposes of research, where the research is conducted in accordance with a research plan approved under subsection 44 (4) of the Act, or has been approved under clause 44 (10) (b) of the Act.

2. Personal health information that is in the custody or control of a laboratory in respect of a test requested by a health care practitioner for the purpose of providing health care to the individual where the following conditions apply:

i. the individual has a right of access to the information through the health care practitioner, or will have such a right when the information is provided by the laboratory to the health care practitioner within a reasonable time, and

ii. the health care practitioner has not directed the laboratory to provide the information directly to the individual. O. Reg. 329/04, s. 24 (1).

(2) For the purposes of paragraph 2 of subsection (1),

“laboratory” means,

(a) a laboratory or a specimen collection centre as defined in section 5 of the Laboratory and Specimen Collection Centre Licensing Act, or

(b) a laboratory operated by a ministry of the Crown in right of Ontario. O. Reg. 329/04, s. 24 (2).

(3) Part V of the Act does not apply to entitle a person to a right of access to information about the person that is contained in a record that is dedicated primarily to the personal health information of another person. O. Reg. 329/04, s. 24 (3).

Permission to disclose

24.1 A health information custodian mentioned in subsection 51 (3) of the Act may disclose the record mentioned in that subsection to an institution to enable the institution to process the individual’s request under the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act, as the case may be. O. Reg. 537/06, s. 11.

Notice, Part does not apply

24.2 For the purposes of clause 54 (1) (b) of the Act, written notice shall also be provided if the health information custodian concludes that the record is one to which Part V of the Act does not apply. O. Reg. 537/06, s. 11.

Canadian Blood Services

25. (1) The Canadian Blood Services may indirectly collect personal health information about an individual who donates or attempts to donate blood or blood products, if the information is reasonably necessary to ensure the safety of the blood system and it is not reasonably possible to collect, directly from the individual,

(a) personal health information that can reasonably be relied on as accurate; or

(b) personal health information in a timely way. O. Reg. 329/04, s. 25 (1).

(2) The Canadian Blood Services may use the personal health information of an individual who donates or attempts to donate blood or blood products for the purpose of ensuring the safety of the blood system. O. Reg. 329/04, s. 25 (2).

(3) The Canadian Blood Services may collect personal health information from, and disclose personal health information to, Héma-Québec as necessary for the purpose of ensuring the safety of the supply of blood and blood products, where the personal health information relates to an individual who donates or attempts to donate blood or blood products. O. Reg. 329/04, s. 25 (3).

(4) The Canadian Blood Services shall not disclose personal health information for the purpose of recruiting donors of blood, blood products or hematopoietic progenitor cells without the express consent of the individual, despite subsection 18 (2) of the Act. O. Reg. 329/04, s. 25 (4).

(5) The Canadian Blood Services may disclose personal health information about a deceased individual who has received blood or blood products to a relative of the individual or the executor or administrator of the individual’s estate for the purpose of determining eligibility for compensation. O. Reg. 329/04, s. 25 (5).

Sunnybrook Health Sciences Centre Foundation

25.1 The Sunnybrook Health Sciences Centre Foundation may disclose personal health information of an individual that it receives from a health information custodian to the Women’s College Hospital Foundation for the purpose of fundraising activities undertaken for a charitable or philanthropic purpose related to the operations of the Women’s College Hospital if the following requirements are satisfied:

1. The only information disclosed is the individual’s name and mailing address.

2. The Sunnybrook Health Sciences Centre Foundation has provided to the individual a brief statement that, unless the individual requests otherwise, the individual’s name and mailing address may be disclosed to the Women’s College Hospital Foundation for the purpose of fundraising activities undertaken for a charitable or philanthropic purpose related to the operations of the Women’s College Hospital.

3. The statement provided in accordance with paragraph 2 contains information on one or more simple ways by which the individual may request that the Sunnybrook Health Sciences Centre Foundation not disclose the individual’s name and mailing address to the Women’s College Hospital Foundation.

4. The individual has not requested that his or her name and mailing address not be disclosed to the Women’s College Hospital Foundation.

5. The disclosure by the Sunnybrook Health Sciences Centre Foundation to the Women’s College Hospital Foundation is made no earlier than 60 days after the individual is provided with the statement described in paragraph 2. O. Reg. 245/06, s. 2.

26. Omitted (provides for coming into force of provisions of this Regulation). O. Reg. 329/04, s. 26.