O. Reg. 569/20: GENERAL
filed October 9, 2020 under Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. ASkip to content
ontario regulation 569/20
made under the
Personal Health Information Protection Act, 2004
Made: October 1, 2020
Filed: October 9, 2020
Published on e-Laws: October 9, 2020
Printed in The Ontario Gazette: October 24, 2020
Amending O. Reg. 329/04
1. Section 26 of Ontario Regulation 329/04 is revoked and the following substituted:
Interoperability specifications, definitions
26. In sections 27 to 34,
“digital health asset” means a product or service that,
(a) is selected, developed or used by a health information custodian, and
(b) enables the custodian to use electronic means to collect, use, modify, disclose, transmit, retain or dispose of personal health information to provide care or assist in the provision of care; (“actif de soins de santé numérique”)
“interoperability specification” means a business or technical requirement established by the Agency that applies to a digital health asset or to a digital health asset’s interaction with other digital health assets, and that may include, without being limited to, a requirement related to,
(a) the content of data or a common data set for electronic data,
(b) the format or structure of messages exchanged between digital health assets,
(c) the migration, translation or mapping of data from one digital health asset to another,
(d) terminology, including vocabulary, code sets or classification systems, or
(e) privacy or security. (“spécification d’interopérabilité”)
Agency and specifications
27. (1) The Agency shall, subject to the review and approval of the Minister, establish, maintain and amend interoperability specifications.
(2) The Agency shall consult, in a manner the Agency considers appropriate, with any health care provider organizations, individuals, stakeholders and other parties that the Agency considers appropriate, in order to inform its decisions concerning the establishment, maintenance or amendment of interoperability specifications.
(3) The Minister may direct the Agency to establish or amend interoperability specifications, including issuing a direction respecting,
(a) the subject matter of the interoperability specification to be established or amended;
(b) the digital health assets to which an interoperability specification is or is not to apply;
(c) which health information custodians or classes of custodians must select, develop or use digital health assets that comply with the interoperability specification;
(d) the timing within which the specification is required to be established and the timing within which the specification becomes effective so as to require custodians or classes of custodians to comply with the specification;
(e) the circumstances when a health information custodian may be exempted from the requirement to select, develop or use a digital health asset that complies with a specification; and
(f) any other matter relating to an interoperability specification that the Minister determines is necessary or advisable to be dealt with in a direction.
(4) Before issuing a direction under subsection (3), the Minister shall consult with the Agency with respect to the content of the direction and the effect of the direction on the Agency.
(5) If the Minister issues a direction to the Agency under subsection (3), the Agency shall comply with that direction.
(6) Where the Agency is establishing or amending an interoperability specification that relates to the confidentiality of personal health information, the privacy of individuals or the rights of individuals to access or correct records of their personal health information, the Agency shall,
(a) consult with the Commissioner, in a manner the Agency and the Commissioner mutually consider appropriate in the circumstances; and
(b) consider the recommendations, if any, made by the Commissioner before providing the specification to the Minister for review and approval.
Application of specifications
28. (1) An interoperability specification may be general or specific in its application and may be limited to a custodian’s selection, development or use of particular digital health assets or classes of digital health assets.
(2) The Agency shall ensure that each interoperability specification,
(a) names or describes the health information custodian or class of health information custodians that must select, develop or use the digital health assets that comply with the specification;
(b) describes the types of digital health assets to which it applies;
(c) specifies the date on which the specification becomes effective, and if the specification is amended, specifies the date when an amendment to the specification becomes effective; and
(d) specifies the circumstances, if any, when a health information custodian may be exempted from the requirement to select, develop or use digital health assets that comply with the specification.
29. (1) The Agency shall make the interoperability specifications available to the public by posting them on the Agency’s website or by such other means as the Agency considers advisable.
(2) The Agency shall ensure that the most up-to-date specifications, including any amendments to the specifications, are posted in accordance with subsection (1).
Compliance with specifications
30. (1) A health information custodian shall ensure that every digital health asset that it selects, develops or uses complies with every applicable interoperability specification, as it may be amended from time to time, within the time period set out in the specification.
(2) For greater certainty, compliance with subsection (1) does not relieve a custodian of its obligation to comply with the other provisions of the Act and its regulations.
31. (1) The Agency shall establish a process for certifying digital health assets that are compliant with interoperability specifications.
(2) The Agency shall make a list of those digital health assets that have been certified by the Agency and shall make the list available to the public by posting it on the Agency’s website or by such other means as the Agency considers advisable.
32. (1) Every health information custodian that selects, develops or uses digital health assets shall provide a report to the Agency, upon the request of the Agency, that sets out the custodian’s compliance with the requirement to select, develop or use digital health assets that comply with the applicable specifications.
(2) The custodian shall provide the report to the Agency by the means and in the format determined by the Agency and within the time period set by the Agency.
(3) The report shall not contain personal health information.
(4) Upon receipt of the report, the Agency shall determine, in accordance with the process established under section 33, whether the custodian is in compliance with section 30 and shall advise the custodian of its determination.
33. (1) The Agency shall establish a process for monitoring health information custodians’ compliance with the requirements under section 30.
(2) A health information custodian shall co-operate with and assist the Agency in monitoring its own compliance with the requirements under subsection 30 (1) and, subject to subsection (3) of this section, shall provide any information or records to the Agency upon request.
(3) Information and records provided under subsection (2) shall not include personal health information.
(4) If the Agency has reasonable grounds to believe that the custodian is not in compliance with the requirements under subsection 30 (1), the Agency may consult with the health information custodian and provide advice to the custodian on how compliance may be achieved.
34. For greater certainty, if the Agency has reasonable grounds to believe that a health information custodian has contravened or is about to contravene subsection 30 (1), the Agency may make a complaint to the Commissioner under Part VI of the Act and may provide to the Commissioner any information and records obtained under sections 32 and 33 of this Regulation.