GENERAL

Personal Health Information Protection Act, 2004

ONTARIO REGULATION 329/04

Historical version for the period January 1, 2024 to June 10, 2024.

Last amendment: 343/23.

Legislative History: 245/06, 537/06, 322/07, 340/08, 447/08, 424/09, 127/10, 141/11, 331/11 (as am. by 367/13, 269/14, 396/15, 475/16, 538/17, 377/19, 62/20), 397/15, 117/17, 224/17, CTR 18 JL 17 - 2, 538/17, 181/18, 260/19, 377/19 (as am. by 62/20), 62/20, 429/20 (as am. by 423/22), 534/20, CTR 05 OC 20 - 1, 569/20, 180/21, 209/21, 778/21, 192/22, 393/22, 394/22, 423/22, CTR 22 JL 22 - 1, 56/23, 343/23.

This is the English version of a bilingual regulation.

CONTENTS

1.  Definitions for the purposes of the Act

2.  Exemptions, “health care practitioner”

3.  Health information custodians

5.  Prevail over Act

6.  Persons who provide to custodians

6.1.1  Ontario Health

6.3  Notice to Commissioner, subs. 12 (3) of the Act

6.4  Annual report re: theft, loss, etc.

7.  Exception to s. 17 (2) of the Act

8.  s. 18 (4) (c) of the Act

8.1  Notification if no consent

10.  Fundraising

11.  Health number collection

12.  Disclosure of health number

13.  Registries of personal health information

14.  Archives

15.  Research ethics boards

16.  Requirements for research plans

17.  Disclosure by researcher

18.  Prescribed entities for the purposes of s. 45 (1) of the Act

18.0.1  Right to access record in electronic format

18.1  Prescribed organization

18.1.1  Application of s. 51 (5) of the Act

18.1.2  Application of s. 51 (6) of the Act

18.1.3  Information from hospitals

18.2  Data elements

18.3  S. 55.5 (7) (b) of the Act

18.4  Consent directives

18.5  Transitional, consent directives

18.6  Notice requirements, s. 55.7 (6) of the Act

18.7  Notice requirements, s. 55.7 (7) (a) of the Act

18.8  Notice requirements, s. 55.7 (7) (b) of the Act

18.9  Exemption

18.10  Provision to coroner

18.11  Logging, auditing and monitoring access by coroners

19.  Prescribed ministry

20.  Information received before commencement

21.  Exceptions to restrictions on recipients

22.  Extent of use or disclosure by recipient

23.  Freedom of information legislation

24.  Exclusions from access provisions

25.  Canadian Blood Services

26.  Interoperability specifications, definitions

27.  Agency and specifications

28.  Application of specifications

29.  Publicly available

30.  Compliance with specifications

31.  Certification process

32.  Reports

33.  Monitoring

34.  Enforcement

35.  Determination of amount of administrative penalty

Definitions for the purposes of the Act

1. (1) In the definition of “health care” in section 2 of the Act,

“a procedure that is done for a health-related purpose” includes taking a donation of blood or blood products from an individual.  O. Reg. 329/04, s. 1 (1).

(2) For the purposes of the Act,

“marketing” does not include,

(a)  a communication by a health care practitioner who provides insured services within the meaning of the Health Insurance Act to an individual or a member of the individual’s family or household by which the practitioner makes available to those persons an arrangement whereby they may receive ancillary uninsured services for a block fee or on the basis of a set fee for service, or

(b)  a communication by the Canadian Blood Services for the purpose of recruiting donors of blood, blood products or hematopoietic progenitor cells.  O. Reg. 329/04, s. 1 (2).

(3) In the definition of “disclose” in section 2 of the Act, the expression “to make the information available or to release it to another health information custodian or to another person” does not include a person’s providing personal health information to someone who provided it to or disclosed it to the person, whether or not the personal health information has been manipulated or altered, if it does not contain any additional identifying information.  O. Reg. 329/04, s. 1 (3).

(3.1) In paragraph 4 of the definition of “health information custodian” in subsection 3 (1) of the Act,

“person who operates” includes, with respect to a psychiatric facility within the meaning of the Mental Health Act, the officer in charge of the facility within the meaning of the Mental Health Act.  O. Reg. 537/06, s. 1.

(4) Revoked:  O. Reg. 322/07, s. 1 (1).

(5) For the purposes of subsection 7 (3) of the Act, if the Act or its regulations provides that an action, including a collection, use or disclosure, may be taken, and another Act or regulation provides that it may not be taken, then “it is not possible to comply with both”.  O. Reg. 329/04, s. 1 (5).

(5.1) In subsection 13 (1) of the Act,

“disposed of in a secure manner” does not include, in relation to the disposition of records of personal health information, the destruction of the records unless the records are destroyed in such a manner that the reconstruction of the records is not reasonably foreseeable in the circumstances.  O. Reg. 537/06, s. 1.

(6) For the purposes of clause 18 (4) (c) of the Act,

“information about an individual’s state of health” does not include information about medication or related goods or services provided by a member of the Ontario College of Pharmacists to the individual that the member discloses to a third party who is being requested to provide payment for the medication or related goods or services.  O. Reg. 329/04, s. 1 (6).

(7) For the purposes of paragraph 5 of subsection 23 (1) of the Act,

“a person whom an Act of Ontario or Canada authorizes or requires to act on behalf of the individual” includes a person who is an agent for the purposes of section 157 of the Drug and Pharmacies Regulation Act where the consent under section 23 of the Personal Health Information Protection Act, 2004 relates to a prescription being presented to a pharmacist to be dispensed.  O. Reg. 329/04, s. 1 (7).

(8) For the purposes of subsections 34 (2) and (3) of the Act,

“a person who is not a health information custodian” does not include,

(a)  Revoked:  O. Reg. 322/07, s. 1 (2).

(b)  the individual or the individual’s substitute decision-maker in respect of the individual’s health number.  O. Reg. 329/04, s. 1 (8); O. Reg. 322/07, s. 1 (2).

(8.1) In subclause 36 (1) (b) (i) of the Act,

“accurate” means, with respect to personal health information, correct and sufficient for the purposes for which the information is reasonably required.  O. Reg. 537/06, s. 1.

(8.2) Revoked:  O. Reg. 322/07, s. 1 (3).

(9) Revoked:  O. Reg. 322/07, s. 1 (4).

(10) For the purposes of subsections 42 (1) and (2) of the Act, “potential successor” and “successor” mean a potential successor or a successor that is a health information custodian or that will be a health information custodian if it becomes the successor.  O. Reg. 329/04, s. 1 (10).

(11) For the purposes of subsection 51 (3) of the Act,

“health information custodian acting as an agent of an institution” means a health care practitioner who is acting as part of the institution.  O. Reg. 537/06, s. 1.

Exemptions, “health care practitioner”

2. The following persons are not health care practitioners under clause (d) of the definition of “health care practitioner” in section 2 of the Act:

1.  Persons providing fitness or weight-management services.  O. Reg. 329/04, s. 2.

Health information custodians

3. (1) The Canadian Blood Services is prescribed as a health information custodian, and is prescribed as a single health information custodian with respect to all its functions.  O. Reg. 329/04, s. 3 (1).

(2) A health information custodian described in paragraph 6 of subsection 3 (1) of the Act shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3) and clause 38 (1) (a) of the Act.  O. Reg. 424/09, s. 1.

(3) The Ontario Agency for Health Protection and Promotion,

(a)  is prescribed as a health information custodian;

(b)  is prescribed as a single health information custodian with respect to all its functions; and

(c)  shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3) and clause 38 (1) (a) of the Act.  O. Reg. 447/08, s. 1.

(4) The Minister of Health Promotion, together with the Ministry of Health Promotion, if the context so requires, is prescribed as,

(a)  a health information custodian; and

(b)  a single health information custodian with respect to all functions of the Minister and the Ministry.  O. Reg. 537/06, s. 2.

(5) The Ontario Air Ambulance Services Corporation,

(a)  is prescribed as a health information custodian;

(b)  is prescribed as a single health information custodian with respect to all of its functions; and

(c)  shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3) and clause 38 (1) (a) of the Act.  O. Reg. 537/06, s. 2.

(6) Every municipality that operates a communications service within the meaning of the Ambulance Act is prescribed as,

(a)  a health information custodian; and

(b)  a single health information custodian with respect to all of its functions in operating the communications service.  O. Reg. 537/06, s. 2.

(7) Every person who, as a result of the bankruptcy or insolvency of a health information custodian, obtains complete custody or control of records of personal health information held by the health information custodian, is prescribed as the health information custodian with respect to those records.  O. Reg. 537/06, s. 2.

(8) Every local health integration network,

(a)  is prescribed as a health information custodian;

(b)  is prescribed as a single health information custodian with respect to all of its functions; and

(c)  shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3), clause 38 (1) (a) and subclause 39 (1) (d) (i) of the Act. O. Reg. 117/17, s. 1.

(8.1) Every Indigenous organization that provides home and community care services for Indigenous communities under an agreement under paragraph 4.1 of subsection 6 (1) of the Ministry of Health and Long-Term Care Act,

(a)  is prescribed as a health information custodian;

(b)  is prescribed as a single health information custodian with respect to all of its functions in providing those services; and

(c)  shall be deemed to be included in the list of types of custodians referred to in subsections 20 (2) and (3), clause 38 (1) (a) and subclause 39 (1) (d) (i) of the Act. O. Reg. 192/22, s. 1.

(9) The Minister of Long-Term Care, together with the Ministry of Long-Term Care if the context so requires, is prescribed as a health information custodian. O. Reg. 260/19, s. 1.

(10) The Minister of Long-Term Care, the Ministry of Long-Term Care, the Minister of Health and the Ministry of Health shall be deemed to be a single health information custodian with respect to all of the functions of those Ministers and those Ministries. O. Reg. 260/19, s. 1.

4. Revoked:  O. Reg. 127/10, s. 1.

Prevail over Act

5. (1) The confidentiality requirements in the following provisions prevail over the Act:

1.  Section 227 of the Child, Youth and Family Services Act, 2017.

2.  Subsection 85.3 (4) of the Health Professions Procedural Code set out in Schedule 2 to the Regulated Health Professions Act, 1991.

3.  Subsection 19 (8) of the Remedies for Organized Crime and Other Unlawful Activities Act, 2001.

3.1  Subsection 44 (3) of the Social Work and Social Service Work Act, 1998.

4.  Subsection 181 (3) of the Workplace Safety and Insurance Act, 1997.  O. Reg. 329/04, s. 5; O. Reg. 537/06, s. 3 (1); O. Reg. 424/09, s. 2; O. Reg. 181/18, s. 1.

(2) Section 5 of the Gift of Life Act prevails over the Personal Health Information Protection Act, 2004 in the event of a conflict.  O. Reg. 537/06, s. 3 (2); O. Reg. 209/21, s. 1.

Persons who provide to custodians

6. (1) Except as otherwise required by law, the following are prescribed as requirements for the purposes of subsection 10 (4) of the Act with respect to a person who supplies services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, and who is not an agent of the custodian:

1.  The person shall not use any personal health information to which it has access in the course of providing the services for the health information custodian except as necessary in the course of providing the services.

2.  The person shall not disclose any personal health information to which it has access in the course of providing the services for the health information custodian.

3.  The person shall not permit its employees or any person acting on its behalf to be able to have access to the information unless the employee or person acting on its behalf agrees to comply with the restrictions that apply to the person who is subject to this subsection.  O. Reg. 329/04, s. 6 (1).

(2) In subsection (3),

“health information network provider” or “provider” means a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.  O. Reg. 329/04, s. 6 (2).

(3) The following are prescribed as requirements with respect to a health information network provider in the course of providing services to enable a health information custodian to use electronic means to collect, use, disclose, retain or dispose of personal health information:

1.  The provider shall notify every applicable health information custodian at the first reasonable opportunity if,

i.  the provider accessed, used, disclosed or disposed of personal health information other than in accordance with paragraphs 1 and 2 of subsection (1), or

ii.  an unauthorized person accessed the personal health information.

2.  The provider shall provide to each applicable health information custodian a plain language description of the services that the provider provides to the custodians, that is appropriate for sharing with the individuals to whom the personal health information relates, including a general description of the safeguards in place to protect against unauthorized use and disclosure, and to protect the integrity of the information.

3.  The provider shall make available to the public,

i.  the description referred to in paragraph 2,

ii.  any directives, guidelines and policies of the provider that apply to the services that the provider provides to the health information custodians to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information, and

iii.  a general description of the safeguards implemented by the person in relation to the security and confidentiality of the information.

4.  The provider shall to the extent reasonably practical, and in a manner that is reasonably practical, keep and make available to each applicable health information custodian, on the request of the custodian, an electronic record of,

i.  all accesses to all or part of the personal health information associated with the custodian being held in equipment controlled by the provider, which record shall identify the person who accessed the information and the date and time of the access, and

ii.  all transfers of all or part of the information associated with the custodian by means of equipment controlled by the provider, which record shall identify the person who transferred the information and the person or address to whom it was sent, and the date and time it was sent.

5.  The provider shall perform, and provide to each applicable health information custodian a written copy of the results of, an assessment of the services provided to the health information custodians, with respect to,

i.  threats, vulnerabilities and risks to the security and integrity of the personal health information, and

ii.  how the services may affect the privacy of the individuals who are the subject of the information.

6.  The provider shall ensure that any third party it retains to assist in providing services to a health information custodian agrees to comply with the restrictions and conditions that are necessary to enable the provider to comply with this section.

7.  The provider shall enter into a written agreement with each health information custodian concerning the services provided to the custodian that,

i.  describes the services that the provider is required to provide for the custodian,

ii.  describes the administrative, technical and physical safeguards relating to the confidentiality and security of the information, and

iii.  requires the provider to comply with the Act and the regulations.  O. Reg. 329/04, s. 6 (3).

(4) A health information custodian who uses goods or services supplied by a person referred to in subsection 10 (4) of the Act, other than a person who is an agent of the custodian, for the purpose of using electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall not be considered in so doing to make the information available or to release it to that person for the purposes of the definition of “disclose” in section 2 of the Act if,

(a)  the person complies with subsections (1) and (3), to the extent that either is applicable, in supplying services; and

(b)  in the case of a person supplying goods to the health information custodian, the custodian does not, in returning the goods to the person, enable the person to access the personal health information except where subsection (1) applies and is complied with.  O. Reg. 329/04, s. 6 (4).

6.1 Revoked: O. Reg. 62/20, s. 1.

Ontario Health

6.1.1 Ontario Health shall put in place administrative, technical and physical safeguards, practices and procedures to protect both the privacy of the individuals in relation to whose personal health information it provides services and the confidentiality of such information, and that,

(a)  permit compliance with the Act by health information custodians who rely on services supplied by Ontario Health to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information; and

(b)  permit Ontario Health to comply with section 6 of this Regulation. O. Reg. 377/19, s. 1; O. Reg. 62/20, s. 2.

6.2 Revoked: O. Reg. 534/20, s. 1.

6.2.1 Revoked: O. Reg. 62/20, s. 4.

Notice to Commissioner, subs. 12 (3) of the Act

6.3 (1) The following are the circumstances in which a health information custodian is required to notify the Commissioner for the purposes of subsection 12 (3) of the Act:

1.  The health information custodian has reasonable grounds to believe that personal health information in the custodian’s custody or control was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority.

2.  The health information custodian has reasonable grounds to believe that personal health information in the custodian’s custody or control was stolen.

3.  The health information custodian has reasonable grounds to believe that, after an initial loss or unauthorized use or disclosure of personal health information in the custodian’s custody or control, the personal health information was or will be further used or disclosed without authority.

4.  The loss or unauthorized use or disclosure of personal health information is part of a pattern of similar losses or unauthorized uses or disclosures of personal health information in the custody or control of the health information custodian.

5.  The health information custodian is required to give notice to a College of an event described in section 17.1 of the Act that relates to a loss or unauthorized use or disclosure of personal health information.

6.  The health information custodian would be required to give notice to a College, if an agent of the health information custodian were a member of the College, of an event described in section 17.1 of the Act that relates to a loss or unauthorized use or disclosure of personal health information. 

7.  The health information custodian determines that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including the following:

i.  Whether the personal health information that was lost or used or disclosed without authority is sensitive.

ii.  Whether the loss or unauthorized use or disclosure involved a large volume of personal health information.

iii.  Whether the loss or unauthorized use or disclosure involved many individuals’ personal health information.

iv.  Whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure of the personal health information. O. Reg. 224/17, s. 1.

(2) In this section,

“College” means a College as defined in subsection 17.1 (1) of the Act. O. Reg. 224/17, s. 1.

(3) A health information custodian shall notify the Commissioner of the existence of a circumstance set out in subsection (1) at the first reasonable opportunity. O. Reg. 534/20, s. 2.

Annual report re: theft, loss, etc.

6.4 (1) On or before March 1 in each year starting in 2019, a health information custodian shall provide the Commissioner with a report setting out the number of times in the previous calendar year that each of the following occurred:

1.  Personal health information in the custodian’s custody or control was stolen.

2.  Personal health information in the custodian’s custody or control was lost.

3.  Personal health information in the custodian’s custody or control was used without authority.

4.  Personal health information in the custodian’s custody or control was disclosed without authority.

5.  Personal health information was collected by the custodian by means of the electronic health record without authority. O. Reg. 224/17, s. 1; O. Reg. 534/20, s. 3 (1).

(2) The report shall be transmitted to the Commissioner by the electronic means and format determined by the Commissioner. O. Reg. 224/17, s. 1.

(3) A health information custodian that disclosed the information collected by means of the electronic health record without authority is not required to include this disclosure in its annual report. O. Reg. 534/20, s. 3 (2).

Exception to s. 17 (2) of the Act

7. The following are prescribed as exceptions to subsection 17 (2) of the Act:

1.  An agent of a health information custodian to whom the custodian provides information to use for the purposes of clause 37 (1) (d) of the Act may use that information, together with other such information that the agent has received from other custodians to use for the purposes of that clause, for the purposes of systemic risk management analysis if,

i.  the agent is the Canadian Medical Protective Association or the Healthcare Insurance Reciprocal of Canada, and

ii.  the agent does not disclose personal health information provided to it by one health information custodian to another custodian.

2.  An agent of a health information custodian may disclose personal health information acquired in the course of the agent’s activities for or on behalf of the custodian, as if the agent were a health information custodian for the purposes of,

i.  subsection 40 (1) of the Act,

ii.  clauses 43 (1) (b), (c) and (d) of the Act, or

iii.  disclosures to the Public Guardian and Trustee or a children’s aid society under clause 43 (1) (e) of the Act.  O. Reg. 329/04, s. 7.

s. 18 (4) (c) of the Act

8. The disclosure of information by a member of the Ontario College of Pharmacists to a third party who is being requested to provide payment for medication or related goods or services provided to an individual is a prescribed type of disclosure for the purposes of clause 18 (4) (c) of the Act.  O. Reg. 329/04, s. 8.

Notification if no consent

8.1 For the purposes of subsection 20 (2) and clause 37 (1) (a) of the Act, if a health information custodian described in paragraph 1, 2, 3 or 4 of the definition of “health information custodian” in subsection 3 (1) of the Act or a health information custodian prescribed by subsection 3 (3), (5) or (8.1) of this Regulation provides personal health information about an individual to an agent of the custodian for the purpose of providing health care or assisting in the provision of health care to the individual and if the custodian does not have the consent of the individual to provide all the personal health information about the individual that the custodian considers reasonably necessary for that purpose, the custodian shall notify the agent to whom the custodian provides the information of that fact.  O. Reg. 537/06, s. 5; O. Reg. 192/22, s. 2.

9. Revoked:  O. Reg. 322/07, s. 3.

Fundraising

10. (1) The following types of contact information are prescribed for the purposes of clause 32 (1) (b) of the Act:

1.  The mailing address of the individual.

2.  The name and mailing address of the individual’s substitute decision-maker.  O. Reg. 537/06, s. 6 (1).

(2) For the purposes of subsection 32 (2) of the Act, the following are prescribed as requirements and restrictions on the manner in which consent is obtained and the resulting collection, use or disclosure of personal health information:

1.  Personal health information held by a health information custodian may only be collected, used or disclosed for the purpose of fundraising activities undertaken for a charitable or philanthropic purpose related to the custodian’s operations.

2.  For personal health information collected on or after November 1, 2004, consent under clause 32 (1) (b) of the Act may only be inferred where,

i.  the custodian has at the time of providing service to the individual, posted or made available to the individual, in a manner likely to come to the attention of the individual, a brief statement that unless he or she requests otherwise, his or her name and contact information may be disclosed and used for fundraising purposes on behalf of the custodian, together with information on how the individual can easily opt-out of receiving any future fundraising solicitations on behalf of the custodian, and

ii.  the individual has not opted out within 60 days of when the statement provided under subparagraph i was made available to him or her.

2.1  For personal health information collected before November 1, 2004, a health information custodian is entitled to assume that it has the individual’s implied consent to use or disclose the individual’s name and contact information for the purpose of fundraising activities, unless the custodian is aware that the individual has expressly withheld or withdrawn the consent.

3.  All solicitations for fundraising must provide the individual with an easy way to opt-out of receiving future solicitations.

4.  A communication from the custodian or a person conducting fundraising on its behalf to an individual for the purpose of fundraising must not include any information about the individual’s health care or state of health.  O. Reg. 329/04, s. 10 (2); O. Reg. 537/06, s. 6 (2, 3).

(3) Revoked:  O. Reg. 537/06, s. 6 (4).

Health number collection

11. The following are prescribed persons for the purposes of clause 34 (2) (d) of the Act:

1.  The Workplace Safety and Insurance Board.

2.  Every person that is prescribed under section 13.

3.  Every entity that is prescribed under section 18.

4.  A researcher mentioned in paragraph 2 of section 12, for the purposes of the research.

5.  A person conducting health research to the extent that the individual to whom the health number was issued has provided a valid consent to the collection or use of his or her health number for that purpose.  O. Reg. 329/04, s. 11; O. Reg. 537/06, s. 7.

Disclosure of health number

12. The following are prescribed as exceptions for the purposes of subsection 34 (3) of the Act:

1.  A person who is not a health information custodian may disclose a health number for a purpose related to the provision of provincially funded health resources.

2.  A researcher who has custody or control of personal health information, including a health number, by reason of a disclosure authorized under section 44 of the Act may disclose the health number to a person who is a prescribed person for the purposes of clause 39 (1) (c) of the Act, an entity prescribed for the purposes of subsection 45 (1) of the Act or another researcher if,

i.  the disclosure is part of a research plan approved under section 44 of the Act, or

ii.  the disclosure is necessary for the purpose of verifying or validating the information or the research.

3.  A person that is prescribed for the purposes of clause 39 (1) (c) of the Act may disclose the health number for the purposes of its functions under clause 39 (1) (c).

4.  The Workplace Safety and Insurance Board may disclose the health number in the course of exercising its powers under section 159 of the Workplace Safety and Insurance Act, 1997.  O. Reg. 329/04, s. 12; O. Reg. 537/06, s. 8.

Registries of personal health information

13. (1) The following are prescribed persons for the purposes of clause 39 (1) (c) of the Act if the requirements of subsection (2) are satisfied:

1.  Ontario Health in respect of its registry of cardiac and vascular services.

2.  INSCYTE (Information System for Cytology etc.) Corporation in respect of CytoBase.

3.  Revoked: O. Reg. 537/06, s. 9 (2).

4.  Revoked: O. Reg. 397/15, s. 1 (2).

5.  Hamilton Health Sciences Corporation in respect of the Critical Care Information System.

6.  Revoked: O. Reg. 62/20, s. 5.

6.1  Ontario Health in respect of the Ontario Cancer Screening Registry.

7.  Children’s Hospital of Eastern Ontario — Ottawa Children’s Treatment Centre in respect of the Better Outcomes Registry and Network.

8.  Ontario Institute for Cancer Research in respect of the Ontario Tumour Bank.  O. Reg. 329/04, s. 13 (1); O. Reg. 537/06, s. 9 (1-4); O. Reg. 322/07, s. 4; O. Reg. 424/09, s. 3; O. Reg. 141/11, s. 1; O. Reg. 397/15, s. 1; O. Reg. 377/19, s. 3; O. Reg. 62/20, s. 5; O. Reg. 778/21, s. 1.

(2) A person who is a prescribed person for the purposes of clause 39 (1) (c) of the Act shall put into place practices and procedures,

(a)  that are for the purpose of protecting the privacy of the individuals whose personal health information it receives and for maintaining the confidentiality of the information; and

(b)  that are approved by the Commissioner every three years.  O. Reg. 537/06, s. 9 (5).

(3) A person that is a prescribed person for the purposes of clause 39 (1) (c) of the Act shall make publicly available a plain language description of the functions of the registry compiled or maintained by the person, including a summary of the practices and procedures described in subsection (2).  O. Reg. 329/04, s. 13 (3).

(4) A person that is a prescribed person for the purposes of clause 39 (1) (c) of the Act may use personal health information as if it were a health information custodian for the purposes of clause 37 (1) (j) or subsection 37 (3) of the Act.  O. Reg. 329/04, s. 13 (4).

(5) A person that is a prescribed person for the purposes of clause 39 (1) (c) of the Act may disclose personal health information as if it were a health information custodian for the purposes of sections 44, 45 and 47 of the Act.  O. Reg. 329/04, s. 13 (5).

Archives

14. (1) Subject to clause 42 (3) (b) of the Act, a health information custodian may transfer records of personal health information under that clause to a person who,

(a)  has put in place reasonable measures to ensure that personal health information in the person’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal;

(b)  has put in place measures to allow an individual to have reasonable access to the individual’s own record of personal health information held by the person;

(c)  has made available to the public a written statement that,

(i)  provides a general description of the person’s information practices,

(ii)  describes how an individual may obtain access to a record of personal health information about the individual that is in the custody or control of the person,

(iii)  describes the mandate, and organizational links and affiliations, of the person in maintaining the archive, and

(iv)  describes how to make a complaint to the person and to the Commissioner under the Act; and

(d)  has registered with the Commissioner the intention to act as a recipient of information under this section, and provided to the Commissioner the statement set out in (c), and any further information reasonably requested by the Commissioner.  O. Reg. 329/04, s. 14 (1).

(2) If a person that received records under clause 42 (3) (b) of the Act ceases to exercise the functions of collecting and preserving records of historical or archival importance or ceases to comply with the conditions set out in subsection (1), the person shall immediately transfer the records, including any health number contained in the records, to another person who is authorized to receive transfers of records under clause 42 (3) (a) or (b) of the Act, subject to the agreement of the person who is to receive the transfer.  O. Reg. 329/04, s. 14 (2).

(3) Despite subsection 49 (1) of the Act, and subject to the agreement of the person who is to receive the transfer, a person who is not a health information custodian to whom a health information custodian disclosed personal health information may transfer any records containing the personal health information, including any health number contained in the records to,

(a)  the Archives of Ontario; or

(b)  a person prescribed under subsection (1), if the disclosure is made for the purpose of that function.  O. Reg. 329/04, s. 14 (3).

(4) A person who receives a transfer of records of personal health information under subsection (2) or (3) or under clause 42 (3) (b) of the Act may,

(a)  collect any health number contained in the records incidentally to receiving the transfer of the records;

(b)  use personal health information contained in the records, including any health number contained in the records, as if it were a health information custodian for the purposes of clause 37 (1) (j) and subsection 37 (3) of the Act; and

(c)  disclose personal health information contained in the records, including any health number contained in the records, as if it were a health information custodian for the purposes of sections 44, 45 and 47 of the Act.  O. Reg. 329/04, s. 14 (4).

(5) A person who, before November 1, 2004, received a transfer of a record of personal health information to which subsection (4) would have applied on or after November 1, 2004, may disclose and use it, including any health number contained in the record, for research as if it were a health information custodian under the Act.  O. Reg. 329/04, s. 14 (5).

Research ethics boards

15. The following are prescribed as requirements that must be met by a research ethics board:

1.  The board must have at least five members, including,

i.  at least one member with no affiliation with the person or persons that established the research ethics board,

ii.  at least one member knowledgeable in research ethics, either as a result of formal training in research ethics, or practical or academic experience in research ethics,

iii.  at least two members with expertise in the methods or in the areas of the research being considered, and

iv.  at least one member knowledgeable in considering privacy issues.

2.  The board may only act with respect to a proposal to approve a research plan where there is no conflict of interest existing or likely to be perceived between its duty under subsection 44 (3) of the Act and any participating board member’s personal interest in the disclosure of the personal health information or the performance of the research.  O. Reg. 329/04, s. 15.

15.1 Revoked:  O. Reg. 322/07, s. 5.

Requirements for research plans

16. The following are prescribed as additional requirements that must be set out in research plans for the purposes of clause 44 (2) (c) of the Act:

1.  A description of the research proposed to be conducted and the duration of the research.

2.  A description of the personal health information required and the potential sources.

3.  A description of how the personal health information will be used in the research, and if it will be linked to other information, a description of the other information as well as how the linkage will be done.

4.  An explanation as to why the research cannot reasonably be accomplished without the personal health information and, if it is to be linked to other information, an explanation as to why this linkage is required.

5.  An explanation as to why consent to the disclosure of the personal health information is not being sought from the individuals to whom the information relates.

6.  A description of the reasonably foreseeable harms and benefits that may arise from the use of the personal health information and how the researchers intend to address those harms.

7.  A description of all persons who will have access to the information, why their access is necessary, their roles in relation to the research, and their related qualifications.

8.  The safeguards that the researcher will impose to protect the confidentiality and security of the personal health information, including an estimate of how long information will be retained in an identifiable form and why.

9.  Information as to how and when the personal health information will be disposed of or returned to the health information custodian.

10.  The funding source of the research.

11.  Whether the researcher has applied for the approval of another research ethics board and, if so the response to or status of the application.

12.  Whether the researcher’s interest in the disclosure of the personal health information or the performance of the research would likely result in an actual or perceived conflict of interest with other duties of the researcher.  O. Reg. 329/04, s. 16.

Disclosure by researcher

17. Despite clause 44 (6) (d) of the Act, a researcher may disclose the information to an entity prescribed under subsection 45 (1) of the Act, to a person prescribed for the purposes of clause 39 (1) (c) of the Act for use in a registry compiled or maintained by that person, or to another researcher if,

(a)  the disclosure is part of a research plan approved under section 44 of the Act; or

(b)  the disclosure is necessary for the purpose of verifying or validating the information or the research.  O. Reg. 329/04, s. 17.

Prescribed entities for the purposes of s. 45 (1) of the Act

18. (1) Each of the following entities, including any registries maintained within the entity, is a prescribed entity for the purposes of subsection 45 (1) of the Act:

1.  Revoked: O. Reg. 62/20, s. 6 (1).

2.  Canadian Institute for Health Information.

3.  Institute for Clinical Evaluative Sciences.

4.  Pediatric Oncology Group of Ontario.

5.  Ontario Health.  O. Reg. 329/04, s. 18 (1); O. Reg. 377/19, s. 4 (1); O. Reg. 62/20, s. 6 (1).

(2) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act shall make publicly available a plain language description of the functions of the entity including a summary of the practices and procedures described in subsection 45 (3) of the Act.  O. Reg. 329/04, s. 18 (2).

(3) Despite subsection 45 (6) of the Act, every entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may use personal health information as if it were a health information custodian for the purposes of clause 37 (1) (j) and subsection 37 (3) of the Act.  O. Reg. 329/04, s. 18 (3).

(4) Despite subsection 45 (6) of the Act, every entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose personal health information as if it were a health information custodian for the purposes of clause 39 (1) (c) and sections 44, 45 and 47 of the Act.  O. Reg. 329/04, s. 18 (4).

(5) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose the information that it receives under subsection 45 (1) of the Act to a health information custodian who provided it to or disclosed it directly or indirectly to the person from whom the entity collected the information, whether or not the information has been manipulated or altered, if it does not contain any additional identifying information.  O. Reg. 329/04, s. 18 (5).

(6) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose the information that it receives under subsection 45 (1) of the Act to a governmental institution of Ontario or Canada as if the entity were a health information custodian for the purposes of clause 43 (1) (h) of the Act.  O. Reg. 329/04, s. 18 (6).

(7) Despite subsection 45 (6) of the Act, the Canadian Institute for Health Information may disclose personal health information about an individual to a person outside Ontario where,

(a)  the disclosure is for the purpose of health planning or health administration;

(b)  the information relates to health care provided in Ontario to a person who is a resident of another province or territory of Canada; and

(c)  the disclosure is made to the government of that province or territory.  O. Reg. 329/04, s. 18 (7).

(8) An entity that is a prescribed entity for the purposes of subsection 45 (1) of the Act may disclose the information it receives under subsection 45 (1) of the Act to the Minister and any person designated by the Minister for the purpose of developing and maintaining an electronic master person index for the Province of Ontario’s health sector to accurately identify and organize records of personal health information about an individual.  O. Reg. 245/06, s. 1.

(9) Revoked: O. Reg. 62/20, s. 6 (2).

(10) Despite subsection 45 (6) of the Act, Ontario Health may disclose personal health information about an individual to a person outside Ontario where,

(a)  the disclosure is for the purpose of health planning or health administration;

(b)  the information relates to health care provided in Ontario to a person who is a resident of another province or territory of Canada; and

(c)  the disclosure is made to a body responsible for the provision, planning, analysis or payment of cancer services in that province or territory. O. Reg. 377/19, s. 4 (2).

(11) Despite subsection 45 (6) of the Act and subject to subsection (12), the Institute for Clinical Evaluative Sciences and Ontario Health shall, upon request of the Minister, disclose personal health information to the Minister where the Minister has determined that such disclosure is necessary for the purposes of,

(a)  researching, analyzing, investigating, preventing, responding to or alleviating COVID-19 or its effects; or

(b)  evaluating or monitoring the impact of COVID-19 on the management of, the allocation of resources to or planning for all or part of the health system. O. Reg. 429/20, s. 1 (1).

Note: On July 31, 2024, subsection 18 (11) of the Regulation is revoked. (See: O. Reg. 429/20, s. 1 (2); O. Reg. 423/22, s. 1)

(12) The Institute for Clinical Evaluative Sciences and Ontario Health are not required to disclose personal health information under subsection (11) if the disclosure is otherwise prohibited by law or by the terms of an agreement to which the Institute for Clinical Evaluative Sciences or Ontario Health, as applicable, is a party. O. Reg. 429/20, s. 1 (1).

Note: On July 31, 2024, subsection 18 (12) of the Regulation is revoked. (See: O. Reg. 429/20, s. 1 (2); O. Reg. 423/22, s. 1)

Right to access record in electronic format

18.0.1 (1) For the purposes of subsection 52 (1.1) of the Act, the right of an individual to access a record of personal health information about the individual that is in the custody or under the control of a health information custodian includes the right to have the health information custodian provide the record to the individual in,

(a)  an electronic format specified by the Agency in accordance with this section;

(b)  a PDF file; or

(c)  any other electronic format that is agreed to by the health information custodian and the individual. O. Reg. 56/23, s. 1.

(2) The Agency shall make the electronic formats that are specified for the purposes of clause (1) (a) available to the public by posting them on the Agency’s website. O. Reg. 56/23, s. 1.

(3) The Agency shall ensure that the most up-to-date specifications of electronic formats, including any amendments to the specifications, are posted in accordance with subsection (2). O. Reg. 56/23, s. 1.

(4) Before making or amending the specifications of electronic formats referred to in subsection (2), the Agency shall,

(a)  make the proposed specification or amendment available to the public by posting the proposal on the Agency’s website and allowing members of the public to make recommendations on it for at least 30 days;

(b)  consult with the Commissioner on the proposal, in a manner that the Agency and the Commissioner mutually consider appropriate in the circumstances;

(c)  consider the recommendations, if any, made by the public and the Commissioner before providing the proposal to the Minister for review and approval; and

(d)  obtain the Minister’s approval of the proposal. O. Reg. 56/23, s. 1.

(5) For greater certainty, the Agency may, after considering the recommendations referred to in clause (4) (c), make changes to the proposed specification or amendment before submitting it for the Minister’s approval and does not need to consult further on those changes. O. Reg. 56/23, s. 1.

(6) For greater certainty, the electronic format that is specified or agreed to under subsection (1) may include a secure online application, such as a portal. O. Reg. 56/23, s. 1.

Prescribed organization

18.1 The Agency is prescribed as the organization for the purposes of Part V.1 of the Act. O. Reg. 534/20, s. 4.

Note: On the day subsection 1 (10) of Schedule 1 to the Health Information Protection Act, 2016 comes into force, the Regulation is amended by adding the following sections: (See: O. Reg. 394/22, s. 1 (1))

Application of s. 51 (5) of the Act

18.1.1 (1) This section applies to the Agency when it is acting as the prescribed organization under subsection 51 (5) of the Act. O. Reg. 394/22, s. 1 (1).

(2) The Agency,

(a)  is not required to consider the factors described in section 52 of the Act, but shall ensure that the health information custodian that provided the personal health information has been notified that the Agency may provide access to the record of personal health information pursuant to Part V of the Act and, if the custodian does not identify a reason to refuse access under section 52 of the Act, shall provide access in accordance with Part V of the Act and this section;

(b)  is not required to comply with the requirements under section 55 of the Act; and

(c)  when applying paragraph 2 of subsection 51 (5) of the Act with respect to the electronic records described in paragraph 4 of section 55.3 of the Act, is only required to provide a summary of the information contained in the electronic records, and is not required to provide access to the actual record. O. Reg. 394/22, s. 1 (1).

(3) For the purposes of applying paragraph 1 of subsection 51 (5) of the Act,

(a)  the Agency is not required to act as if it were a health information custodian with respect to records derived from the Provincial Client Registry or a successor repository; and

(b)  the Agency is only required to act as if it were a health information custodian with respect to the records accessible by means of the electronic health record that are described in subclauses (i) to (iv), and is only required to act as if it were a health information custodian,

(i)  on and after the day this section comes into force, with respect to records that are derived from the Ontario Laboratories Information System or a successor repository,

(ii)  on and after December 31, 2022, with respect to records that are derived from the Digital Health Drug Repository or a successor repository,

(iii)  on and after March 31, 2023, with respect to records that are derived from the Diagnostic Imaging-Common Service or a successor repository, and is not required to act as if it were a health information custodian with respect to information contributed to that repository before that date, and

(iv)  on and after September 30, 2023, with respect to records that are derived from the Acute and Community Clinical Data Repository or a successor repository, and is not required to act as if it were a health information custodian with respect to information contributed to that Repository before that date. O. Reg. 394/22, s. 1 (1).

(4) The Agency,

(a)  is only required to respond to requests for access to personal health information that are made through a digital means of access specified by the Agency; and

(b)  is only required to provide access to personal health information through a digital means of access specified by the Agency. O. Reg. 394/22, s. 1 (1).

(5) The Agency shall make a digital means of access mentioned in subsection (4) available to individuals in accordance with the timelines described in clause (3) (b) and is not required to comply with the requirements under subsection 54 (2) of the Act until the applicable dates described in that clause. O. Reg. 394/22, s. 1 (1).

(6) For the purposes of clause (2) (a), the Agency is permitted to establish reasons for refusal of access through prior arrangements with health information custodians, and for an entire class or category of records. O. Reg. 394/22, s. 1 (1).

Application of s. 51 (6) of the Act

18.1.2 For the purposes of applying subsection 51 (6) of the Act, a health information custodian is only required to provide a summary of the information contained in the records described in that subsection, if the information is available, and is not required to provide access to the actual record. O. Reg. 394/22, s. 1 (1).

Information from hospitals

18.1.3 (1) Every hospital within the meaning of the Public Hospitals Act shall provide to the Agency for the electronic health record personal health information contained in a digital health asset,

(a)  as requested by the Agency; and

(b)  in accordance with the interoperability specifications of the Agency. O. Reg. 394/22, s. 1 (2).

(2) In this section,

“digital health asset” has the same meaning as in section 26 of this Regulation; (“actif de soins de santé numérique”)

“electronic health record” has the same meaning as in section 55.1 of the Act; (“dossier de santé électronique”)

“interoperability specification” has the same meaning as in section 26 of this Regulation. (“spécification d’interopérabilité”) O. Reg. 394/22, s. 1 (2).

Data elements

18.2 The following are prescribed as data elements for the purposes of subsection 55.5 (2) of the Act:

1.  A health number.

2.  Either or both of a number or version code assigned to an insured person by a province or territory in Canada other than Ontario for the purposes of a health care insurance plan within the meaning of the Canada Health Act.

3.  A medical record number or other unique number assigned by a health information custodian to uniquely identify individuals receiving health care from the custodian.

4.  A unique number relating to an individual on a form of identification that,

i.  has been issued by a government or governmental agency, and

ii.  bears the name of the individual.

5.  The name or names of an individual, including a legal name, an alternate name or an alias.

6.  The date of birth of an individual.

7.  The administrative gender of an individual.

8.  The address of an individual.

9.  A telephone number of an individual.

10.  The primary or preferred language of an individual.

11.  A binary value indicating if an individual is deceased.

12.  The date of death of an individual. O. Reg. 534/20, s. 4.

S. 55.5 (7) (b) of the Act

18.3 (1) A health information custodian is required to notify the Commissioner for the purposes of clause 55.5 (7) (b) of the Act under any circumstance where the custodian would be required to notify the Commissioner if the collection by means of the electronic health record had been for a use or disclosure to which section 6.3 of this Regulation applied. O. Reg. 534/20, s. 4.

(2) The health information custodian shall inform the Commissioner of an unauthorized collection to which subsection (1) applies at the first reasonable opportunity. O. Reg. 534/20, s. 4.

Consent directives

18.4 (1) This section applies to consent directives made under section 55.6 of the Act. O. Reg. 534/20, s. 4.

(2) For the purposes of paragraph 17 of section 55.3 of the Act, the prescribed organization shall put into place and comply with practices and procedures that are for the purposes of managing consent directives and that are approved by the Commissioner under paragraph 14 of section 55.3 of the Act and under section 55.12 of the Act. O. Reg. 534/20, s. 4.

(3) Where an individual makes a consent directive, it applies to all of the individual’s personal health information that is accessible by means of the electronic health record, unless it is reasonably possible for the prescribed organization to apply the consent directive only to the specific personal health information that has been identified by the individual, in which case the consent directive applies only to that personal health information. O. Reg. 534/20, s. 4.

(4) Despite subsection (3), the data elements prescribed under section 18.2 may not be made subject to a consent directive. O. Reg. 534/20, s. 4.

(5) Where an individual has made a consent directive and additional personal health information has subsequently been added to the individual’s personal health information that is accessible by means of the electronic health record, the prescribed organization shall implement the consent directive with respect to the additional information in accordance with subsection (3). O. Reg. 534/20, s. 4.

Transitional, consent directives

18.5 (1) Where, before section 55.6 of the Act came into force, an individual made a directive withholding or withdrawing, in whole or in part, the individual’s consent to the collection, use or disclosure of personal health information that is accessible by means of the electronic health record developed and maintained by the prescribed organization, the prescribed organization shall continue to implement the individual’s directive as it existed before the coming into force, subject to subsection (2). O. Reg. 534/20, s. 4.

(2) Where an individual has made a directive described in subsection (1) and has subsequently made a consent directive under subsection 55.6 (1) of the Act, the prescribed organization shall implement the consent directive. O. Reg. 534/20, s. 4.

Notice requirements, s. 55.7 (6) of the Act

18.6 Where the prescribed organization is required to provide written notice under subsection 55.7 (6) of the Act, the notice must include,

(a)  the name of the individual to whom the information relates;

(b)  the name of any agent of the health information custodian who collected the information, if available;

(c)  a general description of the type of personal health information that was collected;

(d)  the reason or reasons for the consent override as described in subsection 55.7 (1), (2) or (3) of the Act; and

(e)  the date and time of the collection. O. Reg. 534/20, s. 4.

Notice requirements, s. 55.7 (7) (a) of the Act

18.7 (1) Where a health information custodian is required to notify an individual under clause 55.7 (7) (a) of the Act, the notice must include,

(a)  the name of the individual to whom the information relates;

(b)  a general description of the type of personal health information that was collected;

(c)  the date and time of the collection;

(d)  the reason or reasons for the consent override as described in subsection 55.7 (1), (2) or (3) of the Act;

(e)  the name of the individual, including a substitute decision-maker, who provided express consent under subsection 55.7 (1) of the Act, if applicable;

(f)  the name of any agent of the health information custodian who authorized the override;

(g)  contact information for the health information custodian that collected the information; and

(h)  contact information for the Commissioner and the fact that the individual may make a complaint to the Commissioner under Part VI of the Act. O. Reg. 534/20, s. 4.

(2) Despite subsection (1), in the event that the custodian collected the personal health information in the circumstances described in subsection 55.7 (3) of the Act, the custodian may, in their discretion, decide not to include any identifying information in the notice about any person other than the individual to whom the information relates if the custodian believes on reasonable grounds that not providing the identifying information is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons. O. Reg. 534/20, s. 4.

Notice requirements, s. 55.7 (7) (b) of the Act

18.8 Where a health information custodian is required to provide written notice under clause 55.7 (7) (b) of the Act, the notice must include,

(a)  the identity of any health information custodian that disclosed the information;

(b)  a description of the significant risk of serious bodily harm to a person or group of persons other than the individual to whom the information relates;

(c)  the reason the personal health information was necessary for the purpose of eliminating or reducing the significant risk of serious bodily harm;

(d)  the name of any agent of the health information custodian who collected the information;

(e)  a description of the personal health information collected by the custodian; and

(f)  the date and time of the collection. O. Reg. 534/20, s. 4.

Exemption

18.9 Where a health information custodian that collected personal health information is required to notify an individual under clause 55.5 (7) (a) of the Act or notify the Commissioner under clause 55.5 (7) (b) of the Act, the health information custodian that disclosed the personal health information is exempt from the notice obligations under subsections 12 (2) and (3) of the Act with respect to the personal health information. O. Reg. 534/20, s. 4.

Provision to coroner

18.10 (1) A coroner to whom the prescribed organization provides personal health information under subsection 55.9.1 (1) of the Act shall, with respect to that information, comply with section 11.1, subsections 12 (1), (2) and (3), subsection 13 (1) and sections 17, 17.1, 30 and 31 of the Act as if the coroner were a health information custodian. O. Reg. 534/20, s. 4.

(2) A coroner to whom the prescribed organization provides personal health information under subsection 55.9.1 (1) of the Act may only use or disclose the information for the purpose for which the information was provided or for the purpose of carrying out a statutory or legal duty. O. Reg. 534/20, s. 4.

(3) If a coroner requests that the prescribed organization transmit personal health information to the coroner by means of the electronic health record and the prescribed organization transmits the information as requested, the coroner shall comply with the obligations set out in subsection 12 (1) of the Act with respect to the transmitted information, regardless of whether the coroner has viewed, handled or otherwise dealt with the information. O. Reg. 534/20, s. 4.

(4) If personal health information about an individual is collected without authority by a coroner by means of the electronic health record, the coroner shall,

(a)  notify the individual at the first reasonable opportunity of the unauthorized collection and include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI of the Act; and

(b)  notify the Commissioner of the unauthorized collection at the first reasonable opportunity, if any circumstance exists where the coroner would be required to notify the Commissioner if the coroner were a custodian to which subsection 18.3 (1) of this Regulation applied. O. Reg. 534/20, s. 4.

(5) A coroner to whom the prescribed organization provides personal health information under subsection 55.9.1 (1) of the Act shall, in respect of that information, comply with section 6.4 of this Regulation, with any necessary modification, as if the coroner were a health information custodian. O. Reg. 534/20, s. 4.

Logging, auditing and monitoring access by coroners

18.11 For greater clarity, the prescribed organization shall comply with section 55.3 of the Act in respect of personal health information provided to a coroner under subsection 55.9.1 (1) of the Act as if the coroner were a health information custodian, and shall comply with the practices and procedures approved by the Commissioner under paragraph 14 of section 55.3 of the Act and under section 55.12 of the Act in respect of such information. O. Reg. 534/20, s. 4.

Prescribed ministry

19. The Ministry of Children, Community and Social Services is a prescribed ministry for the purposes of subsection 46 (1) of the Act. O. Reg. 180/21, s. 1.

Information received before commencement

20. For the purposes of subsection 49 (1) of the Act, a person who is not a health information custodian and to whom a health information custodian disclosed personal health information prior to November 1, 2004 may use or disclose the information for the purpose for which it was disclosed to the person, except where otherwise prohibited by law.  O. Reg. 329/04, s. 20.

Exceptions to restrictions on recipients

21. (1) Section 49 of the Act does not apply,

(a)  to an individual or a substitute decision maker of an individual in respect of personal health information about the individual; or

(b)  to prevent a person who received personal health information from a health information custodian from using or disclosing the information pursuant to a valid consent.  O. Reg. 329/04, s. 21 (1).

(2) Despite subsection 49 (1) of the Act, a person who is not a health information custodian and who provides coverage for payment to or on behalf of individuals in respect of medications or related goods or services may, where a claim is made to the person through a member of the Ontario College of Pharmacists for such a payment to or on behalf of an individual, disclose personal health information about the individual to the member to assist the member in advising the individual or providing health care to the individual.  O. Reg. 329/04, s. 21 (2).

(3) Despite subsection 49 (1) of the Act, a person who is not a health information custodian and to whom a health information custodian discloses personal health information shall not disclose the personal health information where the disclosure is otherwise prohibited by law.  O. Reg. 329/04, s. 21 (3).

Extent of use or disclosure by recipient

22. Subsection 49 (2) of the Act does not apply to,

(a)  a College under the Regulated Health Professions Act, 1991, the College under the Social Work and Social Service Work Act, 1998 or the Board under the Drugless Practitioners Act;

(b)  a children’s aid society or any person providing services on behalf of or on the request of a children’s aid society; or

(c)  a foster parent.  O. Reg. 329/04, s. 22.

Freedom of information legislation

23. (1) Subsections 49 (1) and (2) of the Act do not apply to a person employed by or acting for an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act, to the extent that the person is acting within the scope of one of those Acts.  O. Reg. 329/04, s. 23 (1).

(2) Subsection 49 (3) of the Act does not apply to an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act that is a health information custodian.  O. Reg. 329/04, s. 23 (2).

Exclusions from access provisions

24. (1) The following types of personal health information in the custody or control of the following types of health information custodians are not subject to Part V of the Act:

1.  Personal health information that a researcher uses solely for the purposes of research, where the research is conducted in accordance with a research plan approved under subsection 44 (4) of the Act, or has been approved under clause 44 (10) (b) of the Act.

2.  Personal health information that is in the custody or control of a laboratory in respect of a test requested by a health care practitioner for the purpose of providing health care to the individual where the following conditions apply:

i.  the individual has a right of access to the information through the health care practitioner, or will have such a right when the information is provided by the laboratory to the health care practitioner within a reasonable time, and

ii.  the health care practitioner has not directed the laboratory to provide the information directly to the individual.  O. Reg. 329/04, s. 24 (1).

(2) For the purposes of paragraph 2 of subsection (1),

“laboratory” means,

(a)  a laboratory or a specimen collection centre as defined in section 5 of the Laboratory and Specimen Collection Centre Licensing Act, or

(b)  a laboratory operated by a ministry of the Crown in right of Ontario.  O. Reg. 329/04, s. 24 (2).

(3) Part V of the Act does not apply to entitle a person to a right of access to information about the person that is contained in a record that is dedicated primarily to the personal health information of another person.  O. Reg. 329/04, s. 24 (3).

24.1, 24.2 Revoked:  O. Reg. 322/07, s. 7.

Canadian Blood Services

25. (1) The Canadian Blood Services may indirectly collect personal health information about an individual who donates or attempts to donate blood or blood products, if the information is reasonably necessary to ensure the safety of the blood system and it is not reasonably possible to collect, directly from the individual,

(a)  personal health information that can reasonably be relied on as accurate; or

(b)  personal health information in a timely way.  O. Reg. 329/04, s. 25 (1).

(2) The Canadian Blood Services may use the personal health information of an individual who donates or attempts to donate blood or blood products for the purpose of ensuring the safety of the blood system.  O. Reg. 329/04, s. 25 (2).

(3) The Canadian Blood Services may collect personal health information from, and disclose personal health information to, Héma-Québec as necessary for the purpose of ensuring the safety of the supply of blood and blood products, where the personal health information relates to an individual who donates or attempts to donate blood or blood products.  O. Reg. 329/04, s. 25 (3).

(4) The Canadian Blood Services shall not disclose personal health information for the purpose of recruiting donors of blood, blood products or hematopoietic progenitor cells without the express consent of the individual, despite subsection 18 (2) of the Act.  O. Reg. 329/04, s. 25 (4).

(5) The Canadian Blood Services may disclose personal health information about a deceased individual who has received blood or blood products to a relative of the individual or the executor or administrator of the individual’s estate for the purpose of determining eligibility for compensation.  O. Reg. 329/04, s. 25 (5).

25.1 Revoked:  O. Reg. 424/09, s. 5.

Interoperability specifications, definitions

26. In sections 27 to 34,

“digital health asset” means a product or service that,

(a)  is selected, developed or used by a health information custodian, and

(b)  enables the custodian to use electronic means to collect, use, modify, disclose, transmit, retain or dispose of personal health information to provide care or assist in the provision of care; (“actif de soins de santé numérique”)

“interoperability specification” means a business or technical requirement established by the Agency that applies to a digital health asset or to a digital health asset’s interaction with other digital health assets, and that may include, without being limited to, a requirement related to,

(a)  the content of data or a common data set for electronic data,

(b)  the format or structure of messages exchanged between digital health assets,

(c)  the migration, translation or mapping of data from one digital health asset to another,

(d)  terminology, including vocabulary, code sets or classification systems, or

(e)  privacy or security. (“spécification d’interopérabilité”) O. Reg. 569/20, s. 1.

Agency and specifications

27. (1) The Agency shall, subject to the review and approval of the Minister, establish, maintain and amend interoperability specifications. O. Reg. 569/20, s. 1.

(2) The Agency shall consult, in a manner the Agency considers appropriate, with any health care provider organizations, individuals, stakeholders and other parties that the Agency considers appropriate, in order to inform its decisions concerning the establishment, maintenance or amendment of interoperability specifications. O. Reg. 569/20, s. 1.

(3) The Minister may direct the Agency to establish or amend interoperability specifications, including issuing a direction respecting,

(a)  the subject matter of the interoperability specification to be established or amended;

(b)  the digital health assets to which an interoperability specification is or is not to apply;

(c)  which health information custodians or classes of custodians must select, develop or use digital health assets that comply with the interoperability specification;

(d)  the timing within which the specification is required to be established and the timing within which the specification becomes effective so as to require custodians or classes of custodians to comply with the specification;

(e)  the circumstances when a health information custodian may be exempted from the requirement to select, develop or use a digital health asset that complies with a specification; and

(f)  any other matter relating to an interoperability specification that the Minister determines is necessary or advisable to be dealt with in a direction. O. Reg. 569/20, s. 1.

(4) Before issuing a direction under subsection (3), the Minister shall consult with the Agency with respect to the content of the direction and the effect of the direction on the Agency. O. Reg. 569/20, s. 1.

(5) If the Minister issues a direction to the Agency under subsection (3), the Agency shall comply with that direction. O. Reg. 569/20, s. 1.

(6) Where the Agency is establishing or amending an interoperability specification that relates to the confidentiality of personal health information, the privacy of individuals or the rights of individuals to access or correct records of their personal health information, the Agency shall,

(a)  consult with the Commissioner, in a manner the Agency and the Commissioner mutually consider appropriate in the circumstances; and

(b)  consider the recommendations, if any, made by the Commissioner before providing the specification to the Minister for review and approval. O. Reg. 569/20, s. 1.

Application of specifications

28. (1) An interoperability specification may be general or specific in its application and may be limited to a custodian’s selection, development or use of particular digital health assets or classes of digital health assets. O. Reg. 569/20, s. 1.

(2) The Agency shall ensure that each interoperability specification,

(a)  names or describes the health information custodian or class of health information custodians that must select, develop or use the digital health assets that comply with the specification;

(b)  describes the types of digital health assets to which it applies;

(c)  specifies the date on which the specification becomes effective, and if the specification is amended, specifies the date when an amendment to the specification becomes effective; and

(d)  specifies the circumstances, if any, when a health information custodian may be exempted from the requirement to select, develop or use digital health assets that comply with the specification. O. Reg. 569/20, s. 1.

Publicly available

29. (1) The Agency shall make the interoperability specifications available to the public by posting them on the Agency’s website or by such other means as the Agency considers advisable. O. Reg. 569/20, s. 1.

(2) The Agency shall ensure that the most up-to-date specifications, including any amendments to the specifications, are posted in accordance with subsection (1). O. Reg. 569/20, s. 1.

Compliance with specifications

30. (1) A health information custodian shall ensure that every digital health asset that it selects, develops or uses complies with every applicable interoperability specification, as it may be amended from time to time, within the time period set out in the specification. O. Reg. 569/20, s. 1.

(2) For greater certainty, compliance with subsection (1) does not relieve a custodian of its obligation to comply with the other provisions of the Act and its regulations. O. Reg. 569/20, s. 1.

Certification process

31. (1) The Agency shall establish a process for certifying digital health assets that are compliant with interoperability specifications. O. Reg. 569/20, s. 1.

(2) The Agency shall make a list of those digital health assets that have been certified by the Agency and shall make the list available to the public by posting it on the Agency’s website or by such other means as the Agency considers advisable. O. Reg. 569/20, s. 1.

Reports

32. (1) Every health information custodian that selects, develops or uses digital health assets shall provide a report to the Agency, upon the request of the Agency, that sets out the custodian’s compliance with the requirement to select, develop or use digital health assets that comply with the applicable specifications. O. Reg. 569/20, s. 1.

(2) The custodian shall provide the report to the Agency by the means and in the format determined by the Agency and within the time period set by the Agency. O. Reg. 569/20, s. 1.

(3) The report shall not contain personal health information. O. Reg. 569/20, s. 1.

(4) Upon receipt of the report, the Agency shall determine, in accordance with the process established under section 33, whether the custodian is in compliance with section 30 and shall advise the custodian of its determination. O. Reg. 569/20, s. 1.

Monitoring

33. (1) The Agency shall establish a process for monitoring health information custodians’ compliance with the requirements under section 30. O. Reg. 569/20, s. 1.

(2) A health information custodian shall co-operate with and assist the Agency in monitoring its own compliance with the requirements under subsection 30 (1) and, subject to subsection (3) of this section, shall provide any information or records to the Agency upon request. O. Reg. 569/20, s. 1.

(3) Information and records provided under subsection (2) shall not include personal health information. O. Reg. 569/20, s. 1.

(4) If the Agency has reasonable grounds to believe that the custodian is not in compliance with the requirements under subsection 30 (1), the Agency may consult with the health information custodian and provide advice to the custodian on how compliance may be achieved. O. Reg. 569/20, s. 1.

Enforcement

34. For greater certainty, if the Agency has reasonable grounds to believe that a health information custodian has contravened or is about to contravene subsection 30 (1), the Agency may make a complaint to the Commissioner under Part VI of the Act and may provide to the Commissioner any information and records obtained under sections 32 and 33 of this Regulation. O. Reg. 569/20, s. 1.

Determination of amount of administrative penalty

35. (1) For the purpose of clause 61.1 (2) (b) of the Act, the amount of an administrative penalty determined by the Commissioner for any number of contraventions of the Act or its regulations set out in an order under clause 61 (1) (h.1) of the Act shall not exceed the following:

1.  If the person required to pay the administrative penalty is a natural person, $50,000.

2.  If the person required to pay the administrative penalty is not a natural person, $500,000. O. Reg. 343/23, s. 1.

(2) Despite subsection (1), the Commissioner may increase the amount of an administrative penalty that a person is required to pay by an amount equal to the economic benefit acquired by, or that accrued to, the person as a result of the contraventions. O. Reg. 343/23, s. 1.

(3) In determining the amount of an administrative penalty, the Commissioner shall consider the following criteria, and may consider any other criteria that the Commissioner considers relevant:

1.  The extent to which the contraventions deviate from the requirements of the Act or its regulations.

2.  The extent to which the person could have taken steps to prevent the contraventions.

3.  The extent of the harm or potential harm to others resulting from the contraventions.

4.  The extent to which the person tried to mitigate any harm or potential harm or took any other remedial action.

5.  The number of individuals, health information custodians and other persons affected by the contraventions.

6.  Whether the person notified the Commissioner and any individuals whose personal health information was affected by the contraventions.

7.  The extent to which the person derived or reasonably might have expected to derive, directly or indirectly, any economic benefit from the contraventions.

8.  Whether the person has previously contravened the Act or its regulations. O. Reg. 343/23, s. 1.