
Ontario Regulation 534/20

made under the

Personal Health Information Protection Act, 2004

Made: September 30, 2020
Filed: October 1, 2020
Published on e-Laws: October 1, 2020
Printed in The Ontario Gazette: October 17, 2020

Amending O. Reg. 329/04

(GENERAL)

1. Section 6.2 of Ontario Regulation 329/04 is revoked.

2. Section 6.3 of the Regulation is amended by adding the following subsection:

(3) A health information custodian shall notify the Commissioner of the existence of a circumstance set out in subsection (1) at the first reasonable opportunity.

3. (1) Subsection 6.4 (1) of the Regulation is amended by adding the following paragraph:

5. Personal health information was collected by the custodian by means of the electronic health record without authority.

(2) Section 6.4 of the Regulation is amended by adding the following subsection:

(3) A health information custodian that disclosed the information collected by means of the electronic health record without authority is not required to include this disclosure in its annual report.

4. The Regulation is amended by adding the following sections:

Prescribed organization

18.1 The Agency is prescribed as the organization for the purposes of Part V.1 of the Act.

Data elements

18.2 The following are prescribed as data elements for the purposes of subsection 55.5 (2) of the Act:

1. A health number.

2. Either or both of a number or version code assigned to an insured person by a province or territory in Canada other than Ontario for the purposes of a health care insurance plan within the meaning of the Canada Health Act.

3. A medical record number or other unique number assigned by a health information custodian to uniquely identify individuals receiving health care from the custodian.

4. A unique number relating to an individual on a form of identification that,

i. has been issued by a government or governmental agency, and

ii. bears the name of the individual.

5. The name or names of an individual, including a legal name, an alternate name or an alias.

6. The date of birth of an individual.

7. The administrative gender of an individual.

8. The address of an individual.

9. A telephone number of an individual.

10. The primary or preferred language of an individual.

11. A binary value indicating if an individual is deceased.

12. The date of death of an individual.

S. 55.5 (7) (b) of the Act

18.3 (1) A health information custodian is required to notify the Commissioner for the purposes of clause 55.5 (7) (b) of the Act under any circumstance where the custodian would be required to notify the Commissioner if the collection by means of the electronic health record had been for a use or disclosure to which section 6.3 of this Regulation applied.

(2) The health information custodian shall inform the Commissioner of an unauthorized collection to which subsection (1) applies at the first reasonable opportunity.

Consent directives

18.4 (1) This section applies to consent directives made under section 55.6 of the Act.

(2) For the purposes of paragraph 17 of section 55.3 of the Act, the prescribed organization shall put into place and comply with practices and procedures that are for the purposes of managing consent directives and that are approved by the Commissioner under paragraph 14 of section 55.3 of the Act and under section 55.12 of the Act.

(3) Where an individual makes a consent directive, it applies to all of the individual’s personal health information that is accessible by means of the electronic health record, unless it is reasonably possible for the prescribed organization to apply the consent directive only to the specific personal health information that has been identified by the individual, in which case the consent directive applies only to that personal health information.

(4) Despite subsection (3), the data elements prescribed under section 18.2 may not be made subject to a consent directive.

(5) Where an individual has made a consent directive and additional personal health information has subsequently been added to the individual’s personal health information that is accessible by means of the electronic health record, the prescribed organization shall implement the consent directive with respect to the additional information in accordance with subsection (3).

Transitional, consent directives

18.5 (1) Where, before section 55.6 of the Act came into force, an individual made a directive withholding or withdrawing, in whole or in part, the individual’s consent to the collection, use or disclosure of personal health information that is accessible by means of the electronic health record developed and maintained by the prescribed organization, the prescribed organization shall continue to implement the individual’s directive as it existed before the coming into force, subject to subsection (2).

(2) Where an individual has made a directive described in subsection (1) and has subsequently made a consent directive under subsection 55.6 (1) of the Act, the prescribed organization shall implement the consent directive.

Notice requirements, s. 55.7 (6) of the Act

18.6 Where the prescribed organization is required to provide written notice under subsection 55.7 (6) of the Act, the notice must include,

(a) the name of the individual to whom the information relates;

(b) the name of any agent of the health information custodian who collected the information, if available;

(c) a general description of the type of personal health information that was collected;

(d) the reason or reasons for the consent override as described in subsection 55.7 (1), (2) or (3) of the Act; and

(e) the date and time of the collection.

Notice requirements, s. 55.7 (7) (a) of the Act

18.7 (1) Where a health information custodian is required to notify an individual under clause 55.7 (7) (a) of the Act, the notice must include,

(a) the name of the individual to whom the information relates;

(b) a general description of the type of personal health information that was collected;

(c) the date and time of the collection;

(d) the reason or reasons for the consent override as described in subsection 55.7 (1), (2) or (3) of the Act;

(e) the name of the individual, including a substitute decision-maker, who provided express consent under subsection 55.7 (1) of the Act, if applicable;

(f) the name of any agent of the health information custodian who authorized the override;

(g) contact information for the health information custodian that collected the information; and

(h) contact information for the Commissioner and the fact that the individual may make a complaint to the Commissioner under Part VI of the Act.

(2) Despite subsection (1), in the event that the custodian collected the personal health information in the circumstances described in subsection 55.7 (3) of the Act, the custodian may, in their discretion, decide not to include any identifying information in the notice about any person other than the individual to whom the information relates if the custodian believes on reasonable grounds that not providing the identifying information is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons.

Notice requirements, s. 55.7 (7) (b) of the Act

18.8 Where a health information custodian is required to provide written notice under clause 55.7 (7) (b) of the Act, the notice must include,

(a) the identity of any health information custodian that disclosed the information;

(b) a description of the significant risk of serious bodily harm to a person or group of persons other than the individual to whom the information relates;

(c) the reason the personal health information was necessary for the purpose of eliminating or reducing the significant risk of serious bodily harm;

(d) the name of any agent of the health information custodian who collected the information;

(e) a description of the personal health information collected by the custodian; and

(f) the date and time of the collection.

Exemption

18.9 Where a health information custodian that collected personal health information is required to notify an individual under clause 55.5 (7) (a) of the Act or notify the Commissioner under clause 55.5 (7) (b) of the Act, the health information custodian that disclosed the personal health information is exempt from the notice obligations under subsections 12 (2) and (3) of the Act with respect to the personal health information.

Provision to coroner

18.10 (1) A coroner to whom the prescribed organization provides personal health information under subsection 55.9.1 (1) of the Act shall, with respect to that information, comply with section 11.1, subsections 12 (1), (2) and (3), subsection 13 (1) and sections 17, 17.1, 30 and 31 of the Act as if the coroner were a health information custodian.

(2) A coroner to whom the prescribed organization provides personal health information under subsection 55.9.1 (1) of the Act may only use or disclose the information for the purpose for which the information was provided or for the purpose of carrying out a statutory or legal duty.

(3) If a coroner requests that the prescribed organization transmit personal health information to the coroner by means of the electronic health record and the prescribed organization transmits the information as requested, the coroner shall comply with the obligations set out in subsection 12 (1) of the Act with respect to the transmitted information, regardless of whether the coroner has viewed, handled or otherwise dealt with the information.

(4) If personal health information about an individual is collected without authority by a coroner by means of the electronic health record, the coroner shall,

(a) notify the individual at the first reasonable opportunity of the unauthorized collection and include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI of the Act; and

(b) notify the Commissioner of the unauthorized collection at the first reasonable opportunity, if any circumstance exists where the coroner would be required to notify the Commissioner if the coroner were a custodian to which subsection 18.3 (1) of this Regulation applied.

(5) A coroner to whom the prescribed organization provides personal health information under subsection 55.9.1 (1) of the Act shall, in respect of that information, comply with section 6.4 of this Regulation, with any necessary modification, as if the coroner were a health information custodian.

Logging, auditing and monitoring access by coroners

18.11 For greater clarity, the prescribed organization shall comply with section 55.3 of the Act in respect of personal health information provided to a coroner under subsection 55.9.1 (1) of the Act as if the coroner were a health information custodian, and shall comply with the practices and procedures approved by the Commissioner under paragraph 14 of section 55.3 of the Act and under section 55.12 of the Act in respect of such information.

Commencement

5. This Regulation comes into force on the later of the day subsection 1 (11) of Schedule 1 to the Health Information Protection Act, 2016 comes into force and the day this Regulation is filed.

 
