O. Reg. 314/25: GENERAL, PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004

Ontario Regulation 314/25

made under the

Personal Health Information Protection Act, 2004

Made: December 11, 2025
Filed: December 12, 2025
Published on e-Laws: December 12, 2025
Published in The Ontario Gazette: December 27, 2025

Amending O. Reg. 329/04

(GENERAL)

1. Ontario Regulation 329/04 is amended by adding the following section:

Definition for the purposes of this Regulation

1.1 In this Regulation,

“digital means of access” means the electronic system or systems made available by the Agency in accordance with subsection 18.1.1 (3).

2. The Regulation is amended by adding the following sections:

Health number collection and use for purposes related to electronic health record

11.1 The Agency and any of its agents are prescribed persons for the purposes of clause 34 (2) (e) of the Act.

Health number collection and use by Agency

11.2 (1) For the purposes of clause 34 (2) (f) of the Act, the Agency and any of its agents may, with an individual’s express consent, collect or use the individual’s health number for the purpose of carrying out the Agency’s powers or duties under Part V.2 of the Act.

(2) In this section,

“agent”, in relation to the Agency, means a person that, with the authorization of the Agency, acts for or on behalf of the Agency in respect of personal health information for the purposes of the Agency, and not the agent’s own purposes, whether or not the agent has the authority to bind the Agency, whether or not the agent is employed by the Agency and whether or not the agent is being remunerated.

3. (1) Section 12 of the Regulation is amended by adding the following subsections:

(2) Despite subsection 34 (3) of the Act, the Agency and any of its agents may disclose a health number of an individual that the Agency has custody or control of if,

(a) the individual gives their express consent to the disclosure; and

(b) the disclosure is made to the Minister for the purpose of assisting the Agency in,

(i) providing validation and verification services,

(ii) validating the identity of an individual who contacted the Agency because they require support accessing the digital means of access referred to in subsection 18.1.1 (3), or

(iii) validating the identity of an individual who is seeking access to electronic records kept by the Agency under paragraph 4, 5 or 6 of section 55.3 of the Act or digital health identifier records in accordance with subsection 51 (7) of the Act.

(3) In this section,

“agent”, in relation to the Agency, means a person that, with the authorization of the Agency, acts for or on behalf of the Agency in respect of personal health information for the purposes of the Agency, and not the agent’s own purposes, whether or not the agent has the authority to bind the Agency, whether or not the agent is employed by the Agency and whether or not the agent is being remunerated.

(2) Clause 12 (2) (b) of the Regulation, as made by subsection (1), is amended by striking out “or” at the end of subclause (ii) and by adding the following subclause:

(ii.1) validating the identity of an individual who is seeking to use an alternative process described in clause 18.1.1 (3) (b).

4. Section 18.1 of the Regulation is revoked and the following substituted:

Prescribed organization

18.1 (1) The Agency is prescribed as the prescribed organization for the purposes of the Act.

(2) Subject to subsection (3), the provisions of Part III of the Act apply to the Agency, with necessary modifications, when it is carrying out its powers, functions and responsibilities as the prescribed organization under any other Part of the Act and under this Regulation.

(3) Section 55.18 of the Act describes how the provisions of Part III of the Act apply to the Agency when it acts under Part V.2 of the Act.

5. (1) The Regulation is amended by adding the following sections:

Application of s. 51 (5) of the Act

18.1.1 (1) This section applies to the Agency when it is acting as the prescribed organization under subsection 51 (5) of the Act.

(2) Subsection 51 (5) of the Act provides a right of access to only the following records:

1. Records that are derived from the Digital Health Drug Repository, or a successor repository, and that are provided to the electronic health record by the Minister.

2. Records that are derived from the Ontario Laboratories Information System, or a successor repository, and that are provided to the electronic health record by the Minister.

(3) The Agency shall make available an electronic system or systems to act as a digital means of access that permits individuals who have a digital health identifier and who are specified by the Agency on the Agency’s website to access, in accordance with the requirements in Part V of the Act and in this section, the records described in subsection (2).

(4) The Agency shall publish instructions on the Agency’s website to instruct persons who wish to access the records described in subsection (2), but who cannot or do not wish to use the digital means of access, on how to request access to the records from the applicable health information custodian or custodians.

(5) The Agency shall,

(a) respond to requests for access to the records described in subsection (2) through the digital means of access if the request is made through the digital means of access by an individual specified by the Agency who has a digital health identifier; and

(b) subject to the other requirements of this Regulation, act as if it is a health information custodian in providing the requester access to the requested records through the digital means of access.

(6) The Agency is not required to respond to any requests for access to the records described in subsection (2) other than a request described in clause (5) (a).

(7) The Agency is not required to consider the exceptions from the right to access a record listed in clauses 52 (1) (a) to (f) of the Act, but shall,

(a) ensure that the health information custodian that provides the personal health information to the electronic health record has been notified that the Agency may provide access to the record of personal health information pursuant to Part V of the Act; and

(b) if the health information custodian does not identify an exception listed in clauses 52 (1) (a) to (f) of the Act that applies, provide access to the record in accordance with Part V of the Act and this section.

(8) The Agency is exempt from the requirement in subsection 52 (1.1) of the Act to provide the records through the digital means of access in the electronic formats specified in that subsection.

(9) The Agency is exempt from subsections 52 (4) to (7) of the Act when providing access to the records.

(10) In this section,

“electronic health record” has the same meaning as in section 55.1 of the Act.

Notification and disabling of access if exception applies

18.1.2 (1) A health information custodian may notify the Agency if the custodian determines that an exception listed in clauses 52 (1) (a) to (f) of the Act applies to one of the records the custodian provides to the electronic health record.

(2) The right of an individual to access a record described in subsection 51 (5) of the Act through the digital means of access, including the right to access a part of such a record through the digital means of access that has been severed in accordance with subsection 52 (2) of the Act, does not apply to a record in a repository referred to in subsection 18.1.1 (2) of this Regulation if any of the individual’s records in that repository have been the subject of a notification under subsection (1).

(3) If the Agency has received a notice under subsection (1), the Agency shall provide confirmation to the health information custodian who provided the notice that access to the record has been disabled along with a request for the health information custodian to assess whether the exception still applies,

(a) at least once every three months; or

(b) in accordance with whatever schedule is agreed to by the Agency and the custodian.

(4) If an individual requests access via the digital means of access to a record in respect of which the Agency has received a notification under subsection (1), the Agency shall redirect the individual to the health information custodian or custodians that provided the applicable records so that the individual can request the records directly from them in accordance with Part V of the Act.

(5) Despite subsections (3) and (4), if an individual’s access through the digital means to records in a repository referred to in subsection 18.1.1 (2) has been disabled because one of their records was the subject of a notification under subsection (1), the Agency shall restore the individual’s access through the digital means of access and shall cease providing confirmation under subsection (3) and redirection under subsection (4) if,

(a) the health information custodian who provided the notice indicates that the exceptions listed in clauses 52 (1) (a) to (f) of the Act no longer apply to the record; and

(b) no other exceptions listed in clauses 52 (1) (a) to (f) of the Act have been identified as applying to any of the affected individual’s records in that repository.

(6) In this section,

“electronic health record” has the same meaning as in section 55.1 of the Act.

Application of s. 51 (6) of the Act

18.1.2.1 (1) This section applies to the Agency when it is acting as the prescribed organization under subsection 51 (6) of the Act.

(2) Despite subsection 51 (6) of the Act and subsection (2) of this section, the Agency is not required to provide records described in subsection 51 (6) of the Act, and any summaries of those records, in respect of any period before January 1, 2024.

Application of s. 51 (7) of the Act to digital health identifier records

18.1.2.2 (1) For the purposes of subsection 51 (7) of the Act, the Agency is only required to act as if it were a health information custodian with respect to the following digital health identifier records:

1. Records related to a change in the identifying information used in the creation or maintenance of the digital health identifier.

2. Records of consents that have been given or withdrawn in relation to the digital health identifier.

3. Records related to validation and verification services.

4. Records of the date on which a digital health identifier was used to access the digital means of access.

(2) The Agency shall keep, audit and monitor the electronic records described in subsection (1).

Annual report to Commissioner

18.1.2.3 (1) The Agency shall provide an annual report to the Commissioner with respect to the previous calendar year.

(2) The annual report must specify,

(a) the number of requests the Agency has received in the year for records described in subsections 51 (5), (6) and (7) of the Act;

(b) the number of refusals by the Agency to disclose records described in subsections 51 (5), (6) and (7) of the Act, the provisions of the Act under which disclosure was refused and the number of occasions on which each provision was invoked;

(c) any other information indicating an effort by the Agency to put into practice the purposes of the Act; and

(d) any other metrics or indicators specified by the Commissioner.

(3) The Agency shall provide the report to the Commissioner on or before March 1 in each year starting in 2027 by the electronic means and in a format determined by the Commissioner.

(2) Paragraph 1 of subsection 18.1.1 (2) of the Regulation, as made by subsection (1), is revoked and the following substituted:

1. Records that are derived from the Digital Health Drug Repository or a successor repository.

(3) Subsection 18.1.1 (3) of the Regulation, as made by subsection (1), is revoked and the following substituted:

(3) The Agency shall make available,

(a) an electronic system or systems to act as a digital means of access to permit individuals who have a digital health identifier to access the records described in subsection (2); and

(b) an alternative process to permit individuals who cannot or do not wish to use the digital means of access to access the records described in subsection (2).

(4) Subsection 18.1.1 (5) and (6) of the Regulation, as made by subsection (1), are revoked and the following substituted:

(5) The Agency shall,

(a) respond to requests for access to the records described in subsection (2) through the digital means of access, if the request is made through the digital means of access by an individual who has a digital health identifier; and

(b) subject to the other requirements of this Regulation, act as if it is a health information custodian in providing access to the requested records through the digital means of access.

(5.1) The Agency shall,

(a) respond to all requests for access to the records described in subsection (2) through the alternative process, if the request is made through the alternative process; and

(b) subject to the other requirements of this Regulation, act as if it is a health information custodian in providing access to the requested records through the alternative process.

(6) The Agency is not required to respond to any requests for access to the records described in subsection (2) other than a request described in clause (5) (a) or (5.1) (a).

(5) Subsection 18.1.2 (4) of the Regulation, as made by subsection (1), is revoked and the following substituted:

(4) If an individual requests access via the digital means of access to a record in respect of which the Agency has received a notification under subsection (1), the Agency shall redirect the individual to the alternative process and provide the individual access through the alternative process to any of their records described in subsection (2),

(a) that are not subject to an exception listed in clauses 52 (1) (a) to (f) of the Act; and

(b) for which access through the digital means of access has been disabled.

(6) Subsection 18.1.2.1 (2) of the Regulation, as made by subsection (1), is revoked.

6. (1) The Regulation is amended by adding the following sections:

Effect of withdrawal of consent

18.12 (1) This section applies if an individual with a digital health identifier withdraws their consent for the Agency to,

(a) collect, use or disclose the individual’s personal health information under section 55.17 of the Act for the purpose of carrying out digital health identifier activities; or

(b) collect or use the individual’s health number under section 11.2 of this Regulation for the purpose of carrying out the Agency’s powers or duties under Part V.2 of the Act.

(2) Despite the withdrawal of consent, the Agency may continue to use and disclose the applicable personal health information for the following purposes:

1. Retention, maintenance and disposal of the personal health information.

2. Incident and breach management activities, including maintenance, auditing and responding to such incidents or breaches.

Notice to Commissioner, s. 55.24 (3) of the Act

18.13 (1) The following are prescribed for the purposes of subsection 55.24 (3) of the Act as circumstances in which the Agency must notify the Commissioner:

1. The Agency has reasonable grounds to believe that a digital health identifier record was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority.

2. The Agency has reasonable grounds to believe that a digital health identifier record was stolen.

3. The Agency has reasonable grounds to believe that, after an initial loss or unauthorized use or disclosure of a digital health identifier record, the digital health identifier record was or will be further used or disclosed without authority.

4. The loss or unauthorized use or disclosure of a digital health identifier record is part of a pattern of similar losses or unauthorized uses or disclosures of digital health identifier records in the custody or control of the Agency.

5. The Agency determines that the loss or unauthorized use or disclosure of a digital health identifier record is significant after considering all relevant circumstances, including the following:

i. Whether the personal health information that was lost or used or disclosed without authority is sensitive.

ii. Whether the loss or unauthorized use or disclosure involved a large volume of personal health information.

iii. Whether the loss or unauthorized use or disclosure involved many individuals’ personal health information.

iv. Whether one or more agents of the Agency were responsible for the loss or unauthorized use or disclosure of the digital health identifier record.

(2) The Agency shall notify the Commissioner of the existence of a circumstance set out in subsection (1) at the first reasonable opportunity.

Annual report by Agency re: theft, loss, etc.

18.14 (1) On or before March 1 in each year starting in 2027, the Agency shall provide the Commissioner with a report setting out the number of times in the previous calendar year that each of the following occurred:

1. Digital health identifier records were stolen.

2. Digital health identifier records were lost.

3. Digital health identifier records were used without authority.

4. Digital health identifier records were disclosed without authority.

5. Personal health information was collected by the Agency for the purposes of Part V.2 of the Act without authority.

(2) The report shall be transmitted to the Commissioner by the electronic means and in a format determined by the Commissioner.

Digital health identifier activity assessment

18.15 The Agency shall perform the assessments described in subsection 55.25 (1) of the Act at the following times:

1. Before the Agency first begins to collect, use and disclose personal health information for the purpose of providing digital health identifier activities.

2. Whenever a new significant security threat to the Agency’s digital health identifier activities is identified.

3. Before a significant change is made to the Agency’s digital health identifier activities.

4. At any time when the practices and procedures the Agency is required to have in place and comply with pursuant to section 55.19 of the Act require the assessment to be performed.

Collection and use by Agency, access requests and issues with access

18.16 (1) The Agency and any of its agents may, with the express consent of the individual to whom the personal health information relates, collect or use personal health information for the purposes of validating the identity of an individual who,

(a) contacted the Agency because they require support accessing the digital means of access referred to in subsection 18.1.1 (3); or

(b) is seeking access to electronic records kept by the Agency under paragraph 4, 5 or 6 of section 55.3 of the Act or digital health identifier records in accordance with subsection 51 (7) of the Act.

(2) The Agency and any of its agents, may, with the express consent of the individual to whom the personal health information relates, disclose personal health information to the Minister for the purposes of validating the identity of an individual described in subsection (1).

(2) Subsection 18.16 (1) of the Regulation, as made by subsection (1), is amended by striking out “or” at the end of clause (a), by adding “or” at the end of clause (b) and by adding the following clause:

(c) validating the identity of an individual who is seeking to use an alternative process described in clause 18.1.1 (3) (b).

Revocation

7. Subsection 1 (1) of Ontario Regulation 394/22 is revoked.

Commencement

8. (1) Except as otherwise provided in this section, this Regulation comes into force on the later of the day subsection 1 (1) of Schedule 6 to the More Convenient Care Act, 2025 comes into force and the day this Regulation is filed.

(2) Subsection 5 (2) comes into force on the later of the day that is one year after the day subsection 1 (1) of Schedule 6 to the More Convenient Care Act, 2025 comes into force and the day that is one year after the day this Regulation is filed.

(3) Subsections 3 (2), 5 (3) to (6) and 6 (2) come into force on the later of the day that is two years after the day subsection 1 (1) of Schedule 6 to the More Convenient Care Act, 2025 comes into force and the day that is two years after the day this Regulation is filed.

(4) Section 7 comes into force on the day this Regulation is filed.