O. Reg. 331/11: GENERAL, Filed June 30, 2011 under Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A

Ontario Regulation 331/11

made under the

Personal Health Information Protection Act, 2004

Made: June 1, 2011
Filed: June 30, 2011
Published on e-Laws: July 4, 2011
Printed in The Ontario Gazette: July 16, 2011

Amending O. Reg. 329/04

(General)

1. (1) Clause 6.1 (b) of Ontario Regulation 329/04 is revoked and the following substituted:

(b) permit eHealth Ontario to comply with sections 6 and 6.2 of this Regulation, as applicable.

(2) Clause 6.1 (b) of the Regulation, as remade by subsection (1), is revoked and the following substituted:

(b) permit eHealth Ontario to comply with section 6 of this Regulation.

2. (1) The Regulation is amended by adding the following section:

eHealth Ontario

6.2 (1) Where a health information custodian provides personal health information to eHealth Ontario for the purpose of eHealth Ontario creating or maintaining one or more electronic health records, and eHealth Ontario satisfies the requirements listed in subsection (2),

(a) the health information custodian shall not be considered in so providing the personal health information to be making it available or to be releasing it to eHealth Ontario for the purposes of those expressions as used in the definition of “disclose” in section 2 of the Act;

(b) eHealth Ontario shall not be considered to be gathering, acquiring, receiving or obtaining the personal health information for the purposes of those expressions as used in the definition of “collect” in section 2 of the Act.

(2) eHealth Ontario shall comply with the following requirements in creating or maintaining one or more electronic health records:

1. It shall limit the personal health information it receives to that which is reasonably necessary for the purpose of creating or maintaining one or more electronic health records.

2. It shall not permit its employees or any other person acting on its behalf to access the personal health information received for the purpose of creating or maintaining one or more electronic health records unless the employee or person acting on behalf of eHealth Ontario agrees to comply with the restrictions that apply to eHealth Ontario.

3. It shall notify, at the first reasonable opportunity, every health information custodian that provided it with personal health information for the purpose of creating or maintaining one or more electronic health records if the personal health information is stolen, lost or accessed by unauthorized persons.

4. It shall make available, to the public and to each health information custodian that provided personal health information to it for the purpose of creating or maintaining one or more electronic health records,

i. a plain language description of the electronic health record, including a general description of the administrative, technical and physical safeguards in place to,

A. protect against theft, loss and unauthorized use or disclosure of personal health information contained in the electronic health record,

B. protect the electronic health record against unauthorized copying, modification or disposal, and

C. protect the integrity, security and confidentiality of the personal health information contained in the electronic health record, and

ii. any directives, guidelines and policies of eHealth Ontario that apply to the personal health information contained in the electronic health record to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information.

5. It shall take steps that are reasonable in the circumstances to keep an electronic record of all accesses to all or part of the personal health information contained in the electronic health record, and shall ensure that record identifies the person who accessed the information and the date, time and location of the access.

6. It shall perform, for each electronic health record created or maintained, an assessment with respect to,

i. threats, vulnerabilities and risks to the security and integrity of the personal health information contained in the electronic health record, and

ii. how the electronic health record may affect the privacy of the individuals who are the subject of the information.

7. It shall,

i. make available to each health information custodian that provides personal health information to it for the purposes of creating or maintaining one or more electronic health records a written copy of the results of the assessment carried out under paragraph 6 for each record created or maintained for that custodian, and

ii. make available to the public a summary of the results of the assessments carried out under paragraph 6.

8. It shall ensure that any third party it retains to assist in providing services for the purposes of creating or maintaining one or more electronic health records agrees to comply with the restrictions and conditions that are necessary to enable eHealth Ontario to comply with all these requirements.

(3) Section 6 does not apply to eHealth Ontario when it is creating or maintaining one or more electronic health records under this section.

(4) In this section,

“creating or maintaining one or more electronic health records” includes creating, integrating, managing, maintaining or servicing one or more electronic health records, and includes,

(a) conducting data quality assurance activities on the personal health information provided to eHealth Ontario by health information custodians, and

(b) conducting analyses of the personal health information in order to provide alerts and reminders to health information custodians who have provided personal health information to eHealth Ontario, for the custodian’s use in the provision of health care to individuals; (“créer ou tenir un ou plusieurs dossiers de santé électroniques”)

“electronic health record” means a record of personal health information created or maintained in electronic form by eHealth Ontario to enable health information custodians to use electronic means to disclose personal health information to one another for the purpose of providing or assisting in the provision of health care to the individual whose personal health information is contained in the record. (“dossier de santé électronique”)

(2) Section 6.2 of the Regulation, as made by subsection (1), is revoked.

Commencement

3. (1) Subject to subsection (2), this Regulation comes into force on the day it is filed.

(2) Subsections 1 (2) and 2 (2) come into force on December 31, 2013.