[41] Bill 119 Royal Assent (PDF)

Bill 119 2016

An Act to amend the Personal Health Information Protection Act, 2004,to make certain related amendments and to repeal and replace the Quality of Care Information Protection Act, 2004

Her Majesty, by and with the advice and consent of the Legislative Assembly of the Province of Ontario, enacts as follows:

Contents of Act

   1.  This Act consists of this section, sections 2 and 3 and the Schedules to this Act. 

Commencement

   2.  (1)  Subject to subsections (2) and (3), this Act comes into force on the day it receives Royal Assent.

Same

   (2)  The Schedules to this Act come into force as provided in each Schedule. 

Same

   (3)  If a Schedule to this Act provides that any provisions are to come into force on a day to be named by proclamation of the Lieutenant Governor, a proclamation may apply to one or more of those provisions, and proclamations may be issued at different times with respect to any of those provisions.

Short title

   3.  The short title of this Act is the Health Information Protection Act, 2016.

 

Schedule 1
Amendments to the Personal Health Information Protection act, 2004 and to certain related statutes

Personal Health Information Protection Act, 2004

   1.  (1)  Section 2 of the Personal Health Information Protection Act, 2004 is amended by adding the following definitions:

"Ministry" means the Ministry of Health and Long-Term Care; ("ministère")

"prescribed organization" means the organization prescribed for the purposes of Part V.1 and, if more than one organization is prescribed, means every applicable prescribed organization; ("organisation prescrite")

   (2)  The definition of "use" in section 2 of the Act is amended by striking out "means to handle or deal with the information" and substituting "means to view, handle or otherwise deal with the information".

   (3)  The Act is amended by adding the following section:

Steps to ensure collection

   11.1  A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information is not collected without authority.

   (4)  Subsections 12 (2) and (3) of the Act are repealed and the following substituted:

Notice of theft, loss, etc. to individual

   (2)  Subject to subsection (4) and to the exceptions and additional requirements, if any, that are prescribed, if personal health information about an individual that is in the custody or control of a health information custodian is stolen or lost or if it is used or disclosed without authority, the health information custodian shall,

  (a)  notify the individual at the first reasonable opportunity of the theft or loss or of the unauthorized use or disclosure; and

  (b)  include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI.

Notice to Commissioner

   (3)  If the circumstances surrounding a theft, loss or unauthorized use or disclosure referred to in subsection (2) meet the prescribed requirements, the health information custodian shall notify the Commissioner of the theft or loss or of the unauthorized use or disclosure.

Exception

   (4)  If the health information custodian is a researcher who has received the personal health information from another health information custodian under subsection 44 (1), the researcher shall not notify the individual if the information is stolen or lost or if it is used or disclosed without authority, unless the health information custodian that disclosed the personal health information under subsection 44 (1),

  (a)  first obtains the individual's consent to having the researcher contact the individual; and

  (b)  informs the researcher that the individual has given the consent.

   (5)  Clause 17 (1) (b) of the Act is repealed and the following substituted:

  (b)  the collection, use, disclosure, retention or disposal of the information, as the case may be, is necessary in the course of the agent's duties and is not contrary to this Act or another law; and

   (6)  Section 17 of the Act is amended by adding the following subsection:

Same

   (1.1)  A permission granted to an agent under subsection (1) may be subject to such conditions or restrictions as the health information custodian may impose.

   (7)  Subsections 17 (2) and (3) of the Act are repealed and the following substituted:

Restriction, collection, use, etc. by agents

   (2)  Subject to any exception that may be prescribed, an agent of a health information custodian may collect, use, disclose, retain or dispose of personal health information only if,

  (a)  the collection, use, disclosure, retention or disposal of the information, as the case may be,

           (i)  is permitted by the custodian in accordance with subsection (1),

          (ii)  is necessary for the purpose of carrying out his or her duties as agent of the custodian,

         (iii)  is not contrary to this Act or another law, and

         (iv)  complies with any conditions or restrictions that the custodian has imposed under subsection (1.1); and

  (b)  the prescribed requirements, if any, are met.

Responsibilities of health information custodian

   (3)  A health information custodian shall,

  (a)  take steps that are reasonable in the circumstances to ensure that no agent of the custodian collects, uses, discloses, retains or disposes of personal health information unless it is in accordance with subsection (2); and

  (b)  remain responsible for any personal health information that is collected, used, disclosed, retained or disposed of by the custodian's agents, regardless of whether or not the collection, use, disclosure, retention or disposal was carried out in accordance with subsection (2).

Responsibilities of the agent

   (4)  An agent of a health information custodian shall,

  (a)  comply with the conditions or restrictions imposed by the health information custodian on the agent's collection, use, disclosure, retention or disposal of personal health information under subsection (1.1); and

  (b)  notify the custodian at the first reasonable opportunity if personal health information that the agent collected, used, disclosed, retained or disposed of on behalf of the custodian is stolen or lost or if it is used or disclosed without authority.

   (8)  The Act is amended by adding the following section:

Notice to governing College

Definition

   17.1  (1)  In this section,

"College" means,

  (a)  in the case of a member of health profession regulated under the Regulated Health Professions Act, 1991, a College of the health profession named in Schedule 1 to that Act, and

  (b)  in the case of a member of the Ontario College of Social Workers and Social Service Workers, that College.

Termination, suspension, etc. of employed members

   (2)  Subject to any exceptions and additional requirements, if any, that are prescribed, if a health information custodian employs a health care practitioner who is a member of a College, the health information custodian shall give written notice of any of the following events to the College within 30 days of the event occurring:

    1.  The employee is terminated, suspended or subject to disciplinary action as a result of the unauthorized collection, use, disclosure, retention or disposal of personal health information by the employee.

    2.  The employee resigns and the health information custodian has reasonable grounds to believe that the resignation is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the employee.

Same, custodian's agent

   (3)  Subject to any exceptions and additional requirements, if any, that are prescribed, a health information custodian shall give written notice of an event described in subsection (4) to a College if,

  (a)  the health information custodian is a medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act; and

  (b)  a health care practitioner, who is a member of the College, is employed to provide health care for the board of health and is an agent of the custodian.

Same

   (4)  The health information custodian shall give written notice of any of the following events to a College within 30 days of the event occurring:

    1.  The agent's employment is terminated or suspended, or the agent is subject to disciplinary action with respect to his or her employment, as a result of his or her unauthorized collection, use, disclosure, retention or disposal of personal health information.

    2.  The agent resigns from his or her employment and the health information custodian has reasonable grounds to believe that the resignation is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the agent.

Member's privileges revoked, etc.

   (5)  Subject to any exceptions and additional requirements, if any, that are prescribed, if a health information custodian extends privileges to, or is otherwise affiliated with, a health care practitioner who is a member of a College, the custodian shall give written notice of any of the following events to the College within 30 days of the event occurring:

    1.  The member's privileges are revoked, suspended or restricted, or his or her affiliation is revoked, suspended or restricted, as a result of the unauthorized collection, use, disclosure, retention or disposal of personal health information by the member.

    2.  The member relinquishes or voluntarily restricts his or her privileges or his or her affiliation and the health information custodian has reasonable grounds to believe that the relinquishment or restriction is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the member.

Contents of notice

   (6)  A notice made under this section shall meet the prescribed requirements, if any.

   (9)  Subsection 34 (2) of the Act is amended by striking out "or" at the end of clause (c), by adding "or" at the end of clause (d) and by adding the following clause:

  (e)  if the person is prescribed and is collecting or using the health number, as the case may be, for purposes related to the electronic health record developed and maintained by the prescribed organization.

   (10)  Section 51 of the Act is amended by adding the following subsections:

Application to prescribed organization

   (5)  Subject to any exceptions and additional requirements, if any, that are prescribed, this Part applies to the prescribed organization as if it were a health information custodian with respect to the following records and as if the prescribed organization has custody or control of the records:

    1.  A record of personal health information that is accessible to health information custodians by means of the electronic health record developed and maintained by the prescribed organization.

    2.  The electronic records kept by the prescribed organization under paragraphs 4, 5 and 6 of section 55.3.

Application to record of a custodian

   (6)  Subject to any exceptions and additional requirements, if any, that are prescribed, this Part applies to a record in the custody or control of a health information custodian respecting all instances where all or part of the personal health information of the individual that is accessible by means of the electronic health record developed and maintained by the prescribed organization is viewed, handled or otherwise dealt with by the custodian.

   (11)  The Act is amended by adding the following Part:

Part v.1
Electronic Health Record

Interpretation

   55.1  (1)  In this Part,

"advisory committee" means the advisory committee established by the Minister under section 55.11; ("comité consultatif")

"consent directive" means a directive under section 55.6 and includes a directive to modify or withdraw a directive that has already been made; ("directive en matière de consentement")

"de-identify" and related expressions have the same meaning as in subsection 47 (1); ("anonymiser")

"electronic health record" means the electronic systems that are developed and maintained by the prescribed organization for the purpose of enabling health information custodians to collect, use and disclose personal health information by means of the systems in accordance with this Part and the regulations made under this Part; ("dossier de santé électronique")

"identifying information" has the same meaning as in subsection 4 (2). ("renseignements identificatoires")

What constitutes collection, use, disclosure re: electronic health record

   (2)  Despite anything in section 2, for the purposes of this Part, a health information custodian is considered to be collecting, using or disclosing personal health information in the following circumstances:

    1.  When a health information custodian views, handles or otherwise deals with all or part of an individual's personal health information by means of the electronic health record and that information was provided to the prescribed organization by another health information custodian,

            i.  the health information custodian is considered to be collecting the personal health information if it is viewing, handling or otherwise dealing with the information for the first time, and

           ii.  the health information custodian is considered to be using the personal health information each time it subsequently views, handles or otherwise deals with the information.

    2.  Whenever a health information custodian views, handles or otherwise deals with all or part of an individual's personal health information by means of the electronic health record and that information was provided to the prescribed organization by the custodian, the custodian is considered to be using the personal health information.

    3.  A health information custodian who provides personal health information to the prescribed organization is considered to be disclosing the information only when another health information custodian collects the information by means of the electronic health record.

Same, where information provided to prescribed organization

   (3)  Despite anything in section 2, when a health information custodian provides personal health information to the prescribed organization,

  (a)  the custodian is considered not to be disclosing the information to the prescribed organization; and

  (b)  the prescribed organization is considered not to be collecting the information from the custodian.

   (12)  The Act is amended by adding the following section:

Electronic health record

   55.2  (1)  The prescribed organization has the power and the duty to develop and maintain the electronic health record in accordance with this Part and the regulations made under this Part.

Functions of prescribed organization

   (2)  The prescribed organization shall perform the following functions:

    1.  Manage and integrate personal health information it receives from health information custodians.

    2.  Ensure the proper functioning of the electronic health record by servicing the electronic systems that support the electronic health record.

    3.  Ensure the accuracy and quality of the personal health information that is accessible by means of the electronic health record by conducting data quality assurance activities on the personal health information it receives from health information custodians.

    4.  Conduct analyses of the personal health information that is accessible by means of the electronic health record in order to provide alerts and reminders to health information custodians for their use in the provision of health care to individuals.

Other powers and duties

   (3)  In addition to carrying out the powers, duties and functions described in this Part and in Part V, the prescribed organization shall carry out any prescribed powers, duties or functions.

   (13)  The Act is amended by adding the following section:

Requirements for electronic health record

   55.3  The prescribed organization shall comply with the following requirements in developing and maintaining the electronic health record:

    1.  It shall take reasonable steps to limit the personal health information it receives to that which is reasonably necessary for developing and maintaining the electronic health record.

    2.  It shall not permit its employees or any other person acting on its behalf to view, handle or otherwise deal with the personal health information received from health information custodians, unless the employee or person acting on behalf of the prescribed organization agrees to comply with the restrictions that apply to the prescribed organization.

    3.  It shall make available to the public and to each health information custodian that provides personal health information to it,

            i.  a plain language description of the electronic health record, including a general description of the administrative, technical and physical safeguards in place to,

                  A.  protect against theft, loss and unauthorized collection, use or disclosure of the personal health information that is accessible by means of the electronic health record,

                  B.  protect the personal health information that is accessible by means of the electronic health record against unauthorized copying, modification or disposal, and

                  C.  protect the integrity, security and confidentiality of the personal health information that is accessible by means of the electronic health record, and

           ii.  any directives, guidelines and policies of the prescribed organization that apply to the personal health information that is accessible by means of the electronic health record, to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information.

    4.  It shall,

            i.  keep an electronic record of all instances where all or part of the personal health information that is accessible by means of the electronic health record is viewed, handled or otherwise dealt with, and ensure that the record identifies the individual to whom the information relates, the type of information that is viewed, handled or otherwise dealt with, all persons who have viewed, handled or otherwise dealt with the information, and the date, time and location of the viewing, handling, or dealing with, and

           ii.  in the event that a health information custodian has requested that the prescribed organization transmit to the custodian personal health information that is accessible by means of the electronic health record, keep an electronic record of all instances where personal health information is transmitted to the custodian by means of the electronic health record, and ensure that the record identifies the individual to whom the information relates, the type of information that is transmitted, the custodian requesting the information, the date and time that the information was transmitted, and the location to which the information was transmitted.

    5.  It shall keep an electronic record of all instances where a consent directive is made, withdrawn or modified, and shall ensure that the record identifies the individual who made, withdrew or modified the consent directive, the instructions that the individual provided regarding the consent directive, the health information custodian, agent or other person to whom the directive is made, withdrawn or modified, and the date and time that the consent directive was made, withdrawn or modified.

    6.  It shall keep an electronic record of all instances where all or part of the personal health information that is accessible by means of the electronic health record is disclosed under section 55.7 and shall ensure that the record identifies the health information custodian that disclosed the information, the health information custodian that collected the information, any agent of the health information custodian who collected the information, the individual to whom the information relates, the type of information that was disclosed, the date and time of the disclosure and the purpose of the disclosure.

    7.  It shall audit and monitor the electronic records that it is required to keep under paragraphs 4, 5 and 6.

    8.  It shall, upon the request of the Commissioner provide to the Commissioner, for the purposes of Part VI, the electronic records kept under paragraphs 4, 5 and 6.

    9.  It shall, upon request of a health information custodian that requires the records to audit and monitor its compliance with this Act, provide to the custodian or an agent acting on the custodian's behalf, the records kept under paragraphs 4, 5 and 6.

  10.  It shall perform, for each system that retrieves, processes or integrates personal health information that is accessible by means of the electronic health record, an assessment with respect to,

            i.  threats, vulnerabilities and risks to the security and integrity of the personal health information, and

           ii.          how each of those systems may affect the privacy of the individuals to whom the information relates.

  11.  It shall notify, at the first reasonable opportunity, each health information custodian that provided personal health information to the prescribed organization if the personal health information that the health information custodian provided is stolen or lost or if it is collected, used or disclosed without authority.

  12.  It shall,

            i.  make available to each health information custodian that provided personal health information to the prescribed organization a written copy of the results of the assessments carried out under paragraph 10 that relates to the personal health information the custodian provided, and

           ii.  make available to the public a summary of the results of the assessments carried out under paragraph 10.

  13.  It shall ensure that any third party it retains to assist in providing services for the purpose of developing or maintaining the electronic health record agrees to comply with the restrictions and conditions that are necessary to enable the prescribed organization to comply with all these requirements.

  14.  On and after the first anniversary of the day this section comes into force, it shall have in place and comply with practices and procedures,

            i.  that are for the purpose of protecting the privacy of the individuals whose personal health information it receives and for maintaining the confidentiality of the information, and

           ii.  that are approved by the Commissioner.

  15.  It shall notify the Commissioner, in writing, immediately after becoming aware that personal health information that is accessible by means of the electronic health record,

            i.  has been viewed, handled or otherwise dealt with by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations, or

           ii.  has been made available or released by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations.

  16.  It shall submit to the Commissioner, at least annually, a report in the form and manner specified by the Commissioner, and based on or containing any information, other than personal health information, that is kept in the electronic record required under paragraph 6 that the Commissioner may specify, respecting every instance in which personal health information was disclosed under section 55.7 since the time of the last report.

  17.  It shall comply with the practices and procedures prescribed in the regulations when managing consent directives.

  18.  It shall have in place and comply with practices and procedures that have been approved by the Minister for responding to or facilitating a response to a request made by an individual under Part V in respect of the individual's record of personal health information that is accessible by means of the electronic health record.

  19.  It shall comply with such other requirements as may be prescribed in the regulations.

   (14)  The Act is amended by adding the following section:

Minister's directives

   55.4  (1)  The Minister may make directives to the prescribed organization with respect to the carrying out of its powers, duties and functions under this Part, and the prescribed organization shall comply with the directives of the Minister.

Consultation

   (2)  Before making a directive under subsection (1), the Minister shall,

  (a)  submit a draft of the directive to the Commissioner and the advisory committee for the purpose of reviewing and making recommendations on the draft directive; and

  (b)  consider the recommendations, if any, made by the Commissioner and the advisory committee and amend the directive if the Minister considers it appropriate to do so.

Timing

   (3)  The Minister shall allow the Commissioner and the advisory committee a period of at least 30 days for the purposes of review and recommendation under subsection (2), unless the Minister believes that there are urgent circumstances involving a significant risk to privacy or the confidentiality of personal health information, in which case the Minister may abridge the review period for both the Commissioner and the advisory committee to not less than five business days.

   (15)  The Act is amended by adding the following section:

Collection, use, disclosure by custodians

Restrictions on collection

   55.5  (1)  A health information custodian shall not collect personal health information by means of the electronic health record except for the purpose of,

  (a)  providing or assisting in the provision of health care to the individual to whom the information relates; or

  (b)  eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, where the health information custodian believes on reasonable grounds that the collection is necessary for this purpose.

Unique identification

   (2)  A health information custodian may collect, use and disclose prescribed data elements for the purpose of uniquely identifying an individual in order to collect personal health information under subsection (1).

Where consent directive exists

   (3)  Despite subsection (1), where personal health information that is accessible by means of the electronic health record is subject to a consent directive made by an individual under subsection 55.6 (1), a health information custodian may only collect the personal health information in the circumstances permitted under subsection 55.7 (1), (2) or (3).

Use or disclosure

   (4)  A health information custodian that collects personal health information under clause (1) (a) may use or disclose the information for any purpose for which this Act permits or requires a custodian to use or disclose personal health information.

Same

   (5)  Despite any other provision in this Act or the regulations, a health information custodian that collects personal health information under clause (1) (b) may only use or disclose the information for the purpose for which the information was collected.

 

Section 12 obligations

   (6)  If a health information custodian requests that the prescribed organization transmit personal health information to the custodian by means of the electronic health record and the prescribed organization transmits the information as requested, the custodian shall comply with the obligations referred to in subsection 12 (1) with respect to the transmitted information, regardless of whether the custodian has viewed, handled or otherwise dealt with the information.

Same, notice of unauthorized collection

   (7)  Subject to the exceptions and additional requirements, if any, that are prescribed, and in addition to any notice that is required to be given in the case of an unauthorized use or disclosure under subsections 12 (2) and (3), if personal health information about an individual is collected without authority by means of the electronic health record, the health information custodian who is responsible for the unauthorized collection shall,

  (a)  notify the individual at the first reasonable opportunity of the unauthorized collection, and include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI; and

  (b)  if the circumstances surrounding the unauthorized collection meet the prescribed requirements, notify the Commissioner of the unauthorized collection.

   (16)  The Act is amended by adding the following section:

Consent directives

   55.6  (1)  Subject to the limitations prescribed in the regulations, if any, an individual may at any time make a directive that withholds or withdraws, in whole or in part, the individual's consent to the collection, use and disclosure of his or her personal health information by means of the electronic health record by a health information custodian for the purposes of providing or assisting in the provision of health care to the individual.

Compliance

   (2)  Where the prescribed organization receives a directive made under subsection (1), it shall, in accordance with the requirements prescribed in the regulations, if any, implement the directive.

Withdrawal or modifications

   (3)  Subject to the limitations prescribed in the regulations, if any, an individual who has made a directive under subsection (1) may withdraw or modify the directive.

How to make directive

   (4)  An individual may make a directive under subsection (1) or withdraw or modify a directive under subsection (3) by submitting the directive to the prescribed organization.

Must contain sufficient detail

   (5)  The directive must contain sufficient detail to enable the prescribed organization to implement the directive.

Assistance

   (6)  If the directive does not contain sufficient detail to enable the prescribed organization to implement the directive with reasonable efforts, the prescribed organization shall offer assistance to the person in reformulating the directive to comply with subsection (5).

Information re directives

   (7)  If a health information custodian seeks to collect personal health information that is subject to a consent directive, the prescribed organization shall notify the custodian that an individual has made a directive under subsection (1) and shall ensure that no personal health information that is subject to the directive is provided.

   (17)  The Act is amended by adding the following section:

Consent overrides

   55.7  (1)  Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record if the custodian that is seeking to collect the information obtains the express consent of the individual to whom the information relates.

Same, protection of individual

   (2)  Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record if,

  (a)  the custodian that is seeking to collect the personal health information believes, on reasonable grounds, that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the individual to whom the information relates; and

  (b)  it is not reasonably possible for the health information custodian that is seeking to collect the personal health information to obtain the individual's consent in a timely manner.

Same, protection of others

   (3)  Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record, if the health information custodian that is seeking to collect the personal health information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person other than the individual to whom the information relates or to a group of persons.

Use or disclosure

   (4)  Despite any other provision in this Act or its regulations, a health information custodian that collects personal health information under subsection (1), (2) or (3) may only use or disclose the information for the purpose for which the information was collected.

Audit, etc.

   (5)  The prescribed organization shall audit and monitor every instance where personal health information is collected in the circumstances described in subsection (1), (2) or (3).

Notice re consent overrides

   (6)  Where personal health information has been collected in the circumstances described in subsection (1), (2) or (3), the prescribed organization shall immediately provide written notice, in accordance with the requirements in the regulations, to the health information custodian that collected the personal health information.

Same

   (7)  Upon receiving notice under subsection (6), the custodian that collected the personal health information in the circumstances described in subsection (1), (2) or (3) shall, at the first reasonable opportunity,

  (a)  notify the individual to whom the information relates, in accordance with the requirements in the regulations; and

  (b)  if the personal health information has been collected in the circumstances described in subsection (3), give written notice to the Commissioner, in accordance with the regulations, in a manner that does not provide identifying information about the individual to whom the information relates or the person or group of persons at significant risk of serious bodily harm.

No identifying information

   (8)  Where personal health information has been collected in the circumstances described in subsection (3), in notifying the individual to whom the information relates, the custodian shall not provide identifying information about the person or group of persons at significant risk of serious bodily harm.

   (18)  The Act is amended by adding the following section:

Medication interaction checks

   55.8  Despite the contents of a consent directive, personal health information may be utilized by a system that is maintained by the prescribed organization and that retrieves, processes or integrates personal health information that is accessible by means of the electronic health record to provide alerts to health information custodians about potentially harmful medication interactions, as long as the alerts do not reveal personal health information that is subject to the consent directive.

   (19)  The Act is amended by adding the following section:

Collection of information by Ministry

   55.9  (1)  Despite section 55.5, and subject to subsection (2), the Minister may collect personal health information by means of the electronic health record for the purposes of,

  (a)  funding, planning or delivering health services that the Government of Ontario funds in whole or in part, directly or indirectly, or allocating resources to any of them; or

  (b)  detecting, monitoring or preventing fraud or inappropriate receipt of a payment, service or good, including any subsidy or other benefit funded in whole or in part, directly or indirectly, by the Government of Ontario, where such payment, service or good is health-related or is prescribed in the regulations.

Practices and procedures

   (2)  The Minister may only collect personal health information under subsection (1), if,

  (a)  the Lieutenant Governor in Council has prescribed not more than one unit of the Ministry to collect personal health information under subsection (1) on the Minister's behalf; and

  (b)  the prescribed unit of the Ministry has put in place practices and procedures,

           (i)  to protect the privacy of the individuals whose personal health information the Minister collects, and to maintain the confidentiality of the information, and

          (ii)  that are approved by the Commissioner.

De-identification

   (3)  Where personal health information has been collected by the Minister under subsection (1), the prescribed unit shall, subject to the additional requirements, if any, that are prescribed, and in accordance with the practices and procedures approved by the Commissioner under subclause (2) (b) (ii),

  (a)  create a record containing the minimal amount of personal health information necessary for the purpose of de-identifying the information and linking it to other information in the custody or control of the Minister; and

  (b)  de-identify the personal health information.

Link

   (4)  The prescribed unit of the Ministry may link the personal health information that has been de-identified under subsection (3) to other de-identified personal health information under the custody and control of the Minister.

Use in auditing, etc.

   (5)  The Minister may use personal health information collected under subsection (1) to conduct audits where there are reasonable grounds to believe there has been inappropriate receipt of a payment, service or good, including any subsidy or other benefit funded in whole or in part, directly or indirectly, by the Government of Ontario and where such payment, service or good is health-related or is prescribed in the regulations, if,

  (a)  the Lieutenant Governor in Council has prescribed not more than one unit of the Ministry to use the personal health information for the purpose set out in this subsection on the Minister's behalf; and

  (b)  the prescribed unit of the Ministry has put in place practices and procedures,

           (i)  to protect the privacy of the individuals whose personal health information the Minister collects, and to maintain the confidentiality of the information, and

          (ii)  that are approved by the Commissioner.

Disclosure

   (6)  The Minister may disclose personal health information used in an audit mentioned in subsection (5) if,

  (a)  the disclosure is required by law;

  (b)  the disclosure is for the purpose of a proceeding or contemplated proceeding in which the Minister or an agent or former agent of the Minister is, or is expected to be, a party or witness and the information relates to or is a matter in issue in the proceeding or contemplated proceeding; or

   (c)  the Minister has reasonable grounds to believe the audit reveals a contravention of the laws of Ontario or Canada and the disclosure is to a law enforcement agency in Canada to aid in an ongoing investigation by the agency or to enable the agency to determine whether to conduct an investigation, with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result. 

No other uses and disclosures permitted

   (7)  Despite any other provision in this Act or the regulations, the Minister shall not use or disclose the personal health information collected under subsection (1) except as authorized by this section.

Direction to prescribed organization

   (8)  The Minister may issue a direction requiring the prescribed organization to provide the Minister with the information that the Minister is authorized to collect under subsection (1), and the prescribed organization must comply with the direction.

Terms and conditions

   (9)  A direction made under subsection (8) may specify the form, manner and timeframe in which the information that is the subject of the direction is to be provided to the Minister.

Disclosure

   (10)  If the Minister collects personal health information by means of the electronic health record under subsection (1), the disclosure of the personal health information to the Minister by the health information custodian who provided it to the prescribed organization is deemed to be permitted under this Act.

   (20)  The Act is amended by adding the following section:

Provision of information for purposes other than health care

   55.10  (1)  Despite any other provision in this Act or the regulations, the Minister may direct the disclosure of personal health information that is accessible by means of the electronic health record to a person, as if the Minister had custody or control of the information, if,

  (a)  a person has requested that the Minister disclose the personal health information in accordance with clause 39 (1) (c), subsection 39 (2), section 44 or 45 of this Act;

  (b)  the personal health information requested by the person was provided to the prescribed organization under this Part by more than one health information custodian;

   (c)  the Minister has,

           (i)  submitted the request to the advisory committee,

          (ii)  provided the advisory committee with 30 days to review the request and make recommendations to the Minister, and

         (iii)  considered the recommendations, if any, made by the advisory committee; and

  (d)  the Minister has determined that the disclosure of the personal health information would be in accordance with clause 39 (1) (c), subsection 39 (2) or section 44 or 45.

Shorter time period

   (2)  The Minister may shorten the time period in subclause (1) (c) (ii) if,

  (a)  in the Minister's opinion, the urgency of the situation requires it; and

  (b)  the request is for the disclosure of personal health information in accordance with subsection 39 (2).

Must comply

   (3)  The prescribed organization must comply with a direction under this section.

Terms and conditions

   (4)  A direction under this section may specify the form, manner and timeframe in which the information that is the subject of the direction is to be disclosed.

Disclosure only if necessary

   (5)  The Minister shall not direct the disclosure of personal health information under this section if other information will serve the purpose of the disclosure.

Only necessary disclosure

   (6)  The Minister shall not direct the disclosure of more personal health information than is reasonably necessary to meet the purpose of the disclosure.

   (21)  The Act is amended by adding the following section:

Advisory committee

   55.11  (1)  The Minister shall establish an advisory committee for the purpose of making recommendations to the Minister concerning,

  (a)  practices and procedures that the prescribed organization must have in place to protect the privacy of the individuals whose personal health information it receives and to maintain the confidentiality of the information;

  (b)  practices and procedures that the prescribed organization must have in place for responding or facilitating a response to a request made by an individual under Part V for a record of personal health information relating to the individual that is accessible by means of the electronic health record;

   (c)  the administrative, technical and physical safeguards the prescribed organization should have in place to protect the privacy of the individuals whose personal health information it receives and to maintain the confidentiality of the information;

  (d)  the role of the prescribed organization in assisting a health information custodian to fulfil its obligations to give notice to individuals under subsections 12 (2) and 55.5 (7) in the event that personal health information that is accessible by means of the electronic health record is stolen or lost or is collected, used or disclosed without authority;

  (e)  the provision of notice in the event that personal health information that is accessible by means of the electronic health record is stolen or lost or is collected, used or disclosed without authority;

   (f)  anything that is referred to in this Part or in the regulations as capable of being the subject of a recommendation of the advisory committee; and

  (g)  any other matter referred to the advisory committee by the Minister.

Terms of reference

   (2)  Subject to the other provisions of this Part, the Minister shall determine the terms of reference of the advisory committee, including terms of reference with respect to conflicts of interest, the membership of the committee and the organization and governance of the committee.

Appointments

   (3)  The Minister shall appoint the members of the advisory committee in accordance with the requirements, if any, prescribed in the regulations.

Support by Ministry

   (4)  The Ministry,

  (a)  shall provide administrative support for the advisory committee;

  (b)  shall have custody and control of the records of the advisory committee for the purposes of the Freedom of Information and Protection of Privacy Act; and

   (c)  is responsible for compliance with the Archives and Recordkeeping Act, 2006, in connection with records created by or supplied to the advisory committee.

   (22)  The Act is amended by adding the following section:

Practices and procedures review

   55.12  (1)  The Commissioner shall review the practices and procedures of the prescribed organization referred to in paragraph 14 of section 55.3 and those of a prescribed unit of the Ministry referred to in clauses 55.9 (2) (b) and (5) (b) every three years after they are first approved to determine if the practices and procedures continue to meet the requirements of subparagraph 14 i of section 55.3 or of subclause 55.9 (2) (b) (i) or (5) (b) (i), as the case may be, and, after the review, the Commissioner may renew the approval.

Notice by Commissioner

   (2)  The Commissioner shall advise health information custodians of the results of a review conducted under subsection (1).

   (23)  The Act is amended by adding the following section:

Protection from liability for health information custodian

   55.13  A health information custodian who, acting in good faith, provides personal health information to the prescribed organization by means of the electronic health record is not liable for damages resulting from,

  (a)  any unauthorized viewing or handling of the provided information, or any unauthorized dealing with the provided information, by the prescribed organization, its employees or any other person acting on its behalf; or

  (b)  any unauthorized collection of the provided information by another health information custodian.

   (24)  The Act is amended by adding the following section:

Regulations

   55.14  (1)  The Lieutenant Governor in Council may make regulations for carrying out the purposes and provisions of this Part.

Same

   (2)  Without limiting the generality of subsection (1), the Lieutenant Governor in Council may make regulations,

  (a)  prescribing an organization as the prescribed organization for the purposes of this Part and respecting the purposes for which the organization is prescribed, subject to subsection (3); 

  (b)  prescribing additional powers, duties and functions of the prescribed organization;

   (c)  prescribing additional requirements with which the prescribed organization must comply in developing or maintaining the electronic health record;

  (d)  specifying data elements collected, used or disclosed by a health information custodian under subsection 55.5 (2) that may not be made subject to a consent directive provided by an individual under subsection 55.6 (1);

  (e)  governing the notices that are required under section 55.7 and requiring notices under other circumstances and governing such notices;

   (f)  prescribing the level of specificity at which personal health information may be made subject to a consent directive, including whose collection, use and disclosure of the information may be restricted;

  (g)  prescribing the units of the Ministry that will be permitted to collect, use and disclose personal health information by means of the electronic health record on behalf of the Minister for the purposes described in section 55.9;

  (h)  requiring classes of health information custodians or specific health information custodians to provide personal health information to the prescribed organization under this Part and specifying what personal health information they are required to provide;

    (i)  respecting the provision of services related to the electronic health record by the prescribed organization directly to individuals;

    (j)  providing for anything that under this Part may or must be provided for or prescribed by the regulations.

Same, two or more organizations prescribed

   (3)  A regulation made under clause (2) (a) may prescribe more than one organization to act as the prescribed organization for the purposes of this Part and may provide for the respective powers, duties and functions of each organization under this Part.

Review

   (4)  The Minister shall review every regulation made under the authority of clause (2) (f) at least once in every three-year period.

Public consultation

   (5)  Section 74 applies, with necessary modification, to the making of a regulation under this section.

   (25)  Subsection 60 (1) of the Act is amended by adding "and" at the end of clause (a), by striking out "and" at the end of clause (b) and by striking out clause (c).

   (26)  Clauses 72 (2) (a) and (b) of the Act are repealed and the following substituted:

  (a)  if the person is a natural person, to a fine of not more than $100,000; and

  (b)  if the person is not a natural person, to a fine of not more than $500,000.

   (27)  Subsection 72 (5) of the Act is repealed and the following substituted:

Consent of Attorney General

   (5)  A prosecution shall not be commenced under subsection (1) without the consent of the Attorney General.

Presiding judge

   (6)  The Crown may, by notice to the clerk of the Ontario Court of Justice, require that a provincial judge preside over a proceeding in respect of an offence under subsection (1).

Protection of information

   (7)  In a prosecution for an offence under subsection (1) or where documents or materials are filed with a court under sections 158 to 160 of the Provincial Offences Act in relation to an investigation into an offence under this Act, the court may, at any time, take precautions to avoid the disclosure by the court or any person of any personal health information about an individual, including, where appropriate,

  (a)  removing the identifying information of any person whose personal health information is referred to in any documents or materials;

  (b)  receiving representations without notice;

   (c)  conducting hearings or parts of hearings in private; or

  (d)  sealing all or part of the court files.

No limitation

   (8)  Section 76 of the Provincial Offences Act does not apply to a prosecution under this Act.

   (28)  Subsection 73 (1) of the Act is amended by adding the following clause:

(n.1) requiring health information custodians to provide information to the Commissioner and specifying the type of information to be provided and the time at which and manner in which it is to be provided;

Drug Interchangeability and Dispensing Fee Act

   2.  Clause 4 (6) (a) of the Drug Interchangeability and Dispensing Fee Act is amended by striking out "handwritten" and substituting "written".

Narcotics Safety and Awareness Act, 2010

   3.  Subsections 5 (5) and (6) of the Narcotics Safety and Awareness Act, 2010 are repealed and the following substituted:

Disclosure to prescriber, dispenser etc.

   (5)  The Minister or the executive officer may disclose personal information about any monitored drugs that have or have not been prescribed or dispensed to a person to,

  (a)  a prescriber, if the prescriber is determining whether to prescribe a monitored drug to the person or has prescribed a monitored drug to the person;

  (b)  a dispenser, if the dispenser is determining whether to dispense a monitored drug to the person or has dispensed a monitored drug to the person; or

   (c)  an operator of a pharmacy, if a dispenser employed or retained by the pharmacy has dispensed a monitored drug to the person through the pharmacy.

Disclosure to health care practitioner

   (6)  The Minister or the executive officer may disclose personal information about any monitored drugs that have or have not been prescribed or dispensed to a person, to a health care practitioner who is providing health care to the person or assisting in providing health care to the person.

Definition, health care practitioner

   (7)  In subsection (6),

"health care practitioner" means a health care practitioner as defined in clause (a) of the definition of health care practitioner in section 2 of the Personal Health Information Protection Act, 2004.

Regulated Health Professions Act, 1991

   4.  The Regulated Health Professions Act, 1991 is amended by adding the following section:

Electronic health record

   36.2  (1)  The Minister may make regulations,

  (a)  requiring one or more Colleges to collect from their members information relating to their members that is specified in those regulations and that is, in the Minister's opinion, necessary for the purpose of developing or maintaining the electronic health record under Part V.1 of the Personal Health Information Protection Act, 2004, including ensuring that members are accurately identified for purposes of the electronic health record;

  (b)  requiring the College or Colleges to provide the information to the prescribed organization in the form, manner and timeframe specified by the prescribed organization;

   (c)  respecting the notice mentioned in subsection (4).

Members to provide information

   (2)  Where the Minister has made a regulation under subsection (1), and a College has requested information from a member in compliance with the regulation, the member shall comply with the College's request.

Use and disclosure by prescribed organization

   (3)  Despite a regulation made under subsection (1), the prescribed organization,

  (a)  may only collect, use or disclose information under this section for the purpose provided for in subsection (1);

  (b)  shall not use or disclose personal information collected under this section if other information will serve the purpose; and

   (c)  shall not use or disclose more personal information collected under this section than is necessary for the purpose.

Notice required by s. 39 (2) of FIPPA

   (4)  Where the Minister has made a regulation under subsection (1), and a College is required to collect personal information from its members, the notice required by subsection 39 (2) of the Freedom of Information and Protection of Privacy Act is given by,

  (a)  a public notice posted on the prescribed organization's website; or

  (b)  any other public method that may be prescribed in regulations made by the Minister under subsection (1).

Same

   (5)  If the prescribed organization publishes a notice referred to under subsection (4), the prescribed organization shall advise the College of the notice and the College shall also publish a notice about the collection on the College's website within 20 days.

Definitions

   (6)  In this section,

"information" includes personal information, but does not include personal health information; ("renseignements")

"personal health information" has the same meaning as in section 4 of the Personal Health Information Protection Act, 2004; ("renseignements personnels sur la santé")

"prescribed organization" has the same meaning as in section 2 of the Personal Health Information Protection Act, 2004. ("organisation prescrite")

Commencement

   5.  This Schedule comes into force on a day to be named by proclamation of the Lieutenant Governor.

 

schedule 2
Quality of Care Information Protection Act, 2016

CONTENTS

Preamble

1.

Purpose

2.

Interpretation

3.

Application of Freedom of Information and Protection of Privacy Act

4.

Interviews and disclosure not affected

5.

Conflict

6.

Restrictions on use of committee

7.

Quality of care information continues

8.

Disclosure to quality of care committee

9.

Restriction on disclosure

10.

Non-disclosure in proceeding

11.

Non-retaliation

12.

Offence

13.

Immunity

14.

Review

15.

Regulations

16.

Public consultation before making regulations

17.

Repeal

18.

Commencement

19.

Short title

______________

Preamble

The people of Ontario and their Government:

Believe in patient-centred health care;

Remain committed to improving the quality of health care provided by health facilities and maintaining the safety of patients;

Believe that quality health care and patient safety is best achieved in a manner that supports openness and transparency to patients and their authorized representatives regarding patient health care;

Recognize that health care providers and other staff in health facilities sometimes need to hold confidential discussions to identify and analyze errors affecting patients, systemic problems and opportunities for quality improvement in patient health care;

Believe that protections are needed to encourage and enable health care providers and other staff of health facilities to share all available information, provide honest assessment and opinions and participate in discussions to improve patient health care without fear of retaliation;

Believe that sharing information about critical incidents and quality improvement helps to improve the quality of health care for patients;

Are committed to ensuring that measures to facilitate the sharing of information for quality improvement purposes do not interfere with the right of patients and their authorized representatives to access information about their health care or with the obligations of health facilities to disclose such information to patients and their authorized representatives; and

Affirm that the inclusion of patients and their authorized representatives in the process of reviewing a critical incident helps to improve patient care, and therefore quality of care information protection must be implemented in a manner that supports such inclusion.

Purpose

   1.  The purpose of this Act is to enable confidential discussions in which information relating to errors, systemic problems and opportunities for quality improvement in health care delivery can be shared within authorized health facilities, in order to improve the quality of health care delivered to patients.

Interpretation

   2.  (1)  In this Act,

"critical incident" means any unintended event that occurs when a patient receives health care from a health facility that,

  (a)  results in death, or serious disability, injury or harm to the patient, and

  (b)  does not result primarily from the patient's underlying medical condition or from a known risk inherent in providing the health care; ("incident critique")

"disclose" means, with respect to quality of care information, to provide or make the information available to a person who is not a member of the quality of care committee with which the information is associated, and "disclosure" has a corresponding meaning; ("divulguer", "divulgation")

"health care" means any observation, examination, assessment, care, service or procedure that is done for a health-related purpose and that,

  (a)  is carried out or provided to diagnose, treat or maintain an individual's physical or mental condition,

  (b)  is carried out or provided to prevent disease or injury or to promote health, or

   (c)  is carried out or provided as part of palliative care,

and includes,

  (d)  the compounding, dispensing or selling of a drug, a device, equipment or any other item to an individual, or for the use of an individual, pursuant to a prescription, and

  (e)  a prescribed type of service; ("soins de santé")

"health facility" means,

  (a)  a hospital within the meaning of the Public Hospitals Act,

  (b)  a private hospital within the meaning of the Private Hospitals Act,

   (c)  a psychiatric facility within the meaning of the Mental Health Act,

  (d)  an independent health facility within the meaning of the Independent Health Facilities Act, or

  (e)  a prescribed entity that provides health care; ("établissement de santé")

"information" includes personal health information as defined in the Personal Health Information Protection Act, 2004; ("renseignements")

"Minister" means the Minister of Health and Long-Term Care; ("ministre")

"patient" means a recipient of health care; ("patient")

"patient record" means a record that is maintained for the purpose of providing health care to a patient; ("dossier du patient")

"prescribed" means prescribed by the regulations; ("prescrit")

"proceeding" includes a proceeding that is within the jurisdiction of the Legislature and that is held in, before or under the rules of a court, a tribunal, a commission, a justice of the peace, a coroner, a committee of a College within the meaning of the Regulated Health Professions Act, 1991, a committee of the Board of Regents continued under the Drugless Practitioners Act, a committee of the Ontario College of Social Workers and Social Service Workers under the Social Work and Social Service Work Act, 1998, an arbitrator or a mediator, but does not include any activities carried on by a quality of care committee; ("instance")

"quality of care committee" means a body of one or more individuals that performs quality of care functions and,

  (a)  that is established, appointed or approved,

           (i)  by a health facility,

          (ii)  by a quality oversight entity, or

         (iii)  by any combination of health facilities or quality oversight entities, and

  (b)  that meets the prescribed criteria, if any; ("comité de la qualité des soins")

"quality of care functions", in respect of a quality of care committee, means activities carried on for the purpose of studying, assessing or evaluating the provision of health care with a view to improving or maintaining the quality of the health care and include conducting reviews of critical incidents; ("fonctions liées à la qualité des soins")

"quality oversight entity" means a prescribed entity that carries on activities for the purpose of improving or maintaining the quality of care provided by a health facility, a health care provider or a class of health facility or health care provider; ("entité de surveillance de la qualité")

"regulations" mean the regulations made under this Act; ("règlements")

"use", with respect to quality of care information, does not include to disclose the information and "use", as a noun, does not include disclosure of the information; ("utiliser", "utilisation")

"witness" means a person, whether or not a party to a proceeding, who, in the course of the proceeding,

  (a)  is examined or cross-examined for discovery, either orally or in writing,

  (b)  makes an affidavit, or

   (c)  is competent or compellable to be examined or cross-examined or to produce a document, whether under oath or not. ("témoin")

Quality of care information

   (2)  Subject to subsection (3), in this Act,

"quality of care information" means information that,

  (a)  is collected or prepared by or for a quality of care committee for the sole or primary purpose of assisting the committee in carrying out its quality of care functions,

  (b)  relates to the discussions and deliberations of a quality of care committee in carrying out its quality of care functions, or

   (c)  relates solely or primarily to any activity that a quality of care committee carries on as part of its quality of care functions, including information contained in records that a quality of care committee creates or maintains related to its quality of care functions.

What is not included

   (3)  "Quality of care information" does not include any of the following:

    1.  Information contained in a patient record.

    2.  Information contained in a record that is required by law to be created or to be maintained.

    3.  Information relating to a patient in respect of a critical incident that describes,

            i.  facts of what occurred with respect to the incident,

           ii.  what the quality of care committee or health facility has identified, if anything, as the cause or causes of the incident,

          iii.  the consequences of the critical incident for the patient, as they become known,

          iv.  the actions taken and recommended to be taken to address the consequences of the critical incident for the patient, including any health care or treatment that is advisable, or

           v.  the systemic steps, if any, that a health facility is taking or has taken in order to avoid or reduce the risk of further similar incidents.

    4.  Information that consists of facts contained in a record of an incident involving the provision of health care to a patient.

    5.  Information that a regulation specifies is not quality of care information and that a quality of care committee collects or prepares after the day on which that regulation comes into force.

Application of Freedom of Information and Protection of Privacy Act

   3.  The Freedom of Information and Protection of Privacy Act does not apply to quality of care information.

Interviews and disclosure not affected

   4.  (1)  Nothing in this Act interferes with a requirement under applicable law for a health facility or health care provider to,

  (a)  offer to interview a patient or the authorized representative of the patient or the patient's estate in any review of an incident or circumstances involving the provision of health care to the patient;

  (b)  include a person responsible for patient relations or providing patient perspectives to the facility on a committee or other similar body conducting any review of a critical incident; or

   (c)  disclose information specified under the applicable law that is related to a critical incident to a patient or the authorized representative of the patient or the patient's estate.

Authorized representative

   (2)  For the purposes of subsection (1), the authorized representative of a patient includes a person who was lawfully authorized to make treatment decisions on behalf of the patient immediately prior to the patient's death, or who would have been so authorized if the patient had been incapable.

Conflict

   5.  In the event of a conflict between a provision of this Act or its regulations and a provision of any other Act or its regulations, this Act and its regulations prevail unless this Act or its regulations specifically provide otherwise.

Restrictions on use of committee

   6.  Where a regulation has been made restricting or prohibiting the use of a quality of care committee for the purpose of reviewing critical incidents, every quality of care committee and health facility shall comply with that regulation.

Quality of care information continues

   7.  Quality of care information collected by or for a quality of care committee while it is constituted and operating in accordance with this Act shall continue to be treated as quality of care information after,

  (a)  the quality of care committee by or for which the information was collected is no longer in operation; or

  (b)  a health facility or entity that established, appointed or approved the quality of care committee is no longer eligible to establish, appoint or approve a quality of care committee.

Disclosure to quality of care committee

   8.  (1)  Despite this Act and the Personal Health Information Protection Act, 2004, a person may disclose any information to a quality of care committee for the purposes of carrying out quality of care functions.

Disclosure among committees

   (2)  Any quality of care committee may disclose any information, including quality of care information, to any other quality of care committee for the purpose of carrying out quality of care functions, and any person may disclose information that has been disclosed to any quality of care committee to any other quality of care committee.

Restriction, personal health information

   (3)  A disclosure permitted under this section shall not contain more personal health information, as defined in the Personal Health Information Protection Act, 2004, than is reasonably necessary for the purpose of the disclosure.

Restriction on disclosure

   9.  (1)  Despite the Personal Health Information Protection Act, 2004, no person shall disclose quality of care information except as permitted by this Act.

Definition

   (2)  In this section,

"management", with respect to a health facility, includes members of the senior management staff, the board of directors, governors or trustees and members of the commission or other governing body or authority of the facility.

Exception, quality of care committee

   (3)  Despite subsection (1) and the Personal Health Information Protection Act, 2004, a quality of care committee may disclose quality of care information to,

  (a)  the management of a health facility that established, appointed or approved the committee if the committee considers it appropriate to do so for the purpose of improving or maintaining the quality of health care provided in or by the facility; or

  (b)  the management of a health facility or health care provider, where a quality oversight entity carries on activities for the purpose of improving or maintaining the quality of health care provided by the facility, the provider or a class including the facility or the provider, if the committee considers it appropriate to do so for the purpose of improving or maintaining the quality of health care provided in or by the facility, provider or class.

Exception, any person

   (4)  Despite subsection (1) and the Personal Health Information Protection Act, 2004, a person may disclose quality of care information if the disclosure is necessary for the purposes of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons.

Further disclosure of information

   (5)  A member of the management of a health facility or health care provider described in subsection (3) to whom quality of care information is disclosed under that subsection may disclose the information to an agent or employee of the facility or provider if the disclosure is necessary for the purposes of improving or maintaining the quality of health care provided in or by the facility or provider.

Use of information

   (6)  A person to whom information is disclosed under subsection (3), (4) or (5) shall not use the information except for the purposes for which the information was disclosed to the person.

Restriction on further disclosure

   (7)  A person to whom information is disclosed under subsection (3), (4) or (5) shall not disclose the information except if subsection (4) or (5) permits the disclosure.

Restriction, personal health information

   (8)  A disclosure permitted under this section shall not contain more personal health information, as defined in the Personal Health Information Protection Act, 2004, than is reasonably necessary for the purpose of the disclosure.

Non-disclosure in proceeding

   10.  (1)  No person shall ask a witness and no court or other body holding a proceeding shall permit or require a witness in the proceeding to disclose quality of care information.

Non-admissibility of evidence

   (2)  Quality of care information is not admissible in evidence in a proceeding.

Non-retaliation

   11.  No one shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage a person by reason that the person has disclosed information to a quality of care committee under section 8.

Offence

   12.  (1)  Every person who contravenes section 9 or 11 is guilty of an offence.

Penalty

   (2)  A person who is guilty of an offence under subsection (1) is liable, on conviction,

  (a)  to a fine of not more than $50,000, if the person is an individual; or

  (b)  to a fine of not more than $250,000, if the person is a corporation.

Officers, etc.

   (3)  If a corporation commits an offence under this Act, every officer, member, employee or other agent of the corporation who authorized the offence, or who had the authority to prevent the offence from being committed but knowingly refrained from doing so, is a party to and guilty of the offence and is liable, on conviction, to the penalty for the offence, whether or not the corporation has been prosecuted or convicted.

Immunity

   13.  (1)  No action or other proceeding may be instituted against a person who in good faith discloses information to a quality of care committee at the request of the committee or for the purposes of assisting the committee in carrying out quality of care functions.

Same, committee member

   (2)  No action or other proceeding, including a prosecution for an offence under section 12, may be instituted in respect of,

  (a)  a member of a quality of care committee who, in good faith, discloses quality of care information for a purpose described in subsection 9 (3); or

  (b)  a person who, in good faith, discloses information for a purpose described in subsection 9 (4), if the disclosure is reasonable in the circumstances.

Same, failure to disclose

   (3)  No action or other proceeding may be instituted against a member of a committee in respect of the failure of the committee to make a disclosure described in subsection 9 (3) or (4).

Review

   14.  Within five years of the coming into force of this section, and at five-year intervals thereafter, the Minister shall conduct a review of this Act.

Regulations

   15.  (1)  Subject to section 16, the Lieutenant Governor in Council may make regulations,

  (a)  defining any term used in this Act that is not defined in this Act;

  (b)  subject to subsection (2), governing anything that this Act refers to as being prescribed, provided for or specified in the regulations;

   (c)  for carrying out the purposes and provisions of this Act.

Minister's regulations

   (2)  The Minister may make regulations,

  (a)  prescribing anything that the definition of "health care", "health facility" or "quality of care committee" in subsection 2 (1) mentions as being prescribed;

  (b)  restricting or prohibiting the use of quality of care committees for the purpose of reviewing critical incidents.

Public consultation before making regulations

   16.  (1)  The Lieutenant Governor in Council shall not make any regulation under subsection 15 (1) unless,

  (a)  the Minister has published a notice of the proposed regulation on a website of the Government of Ontario and in any other format the Minister considers advisable;

  (b)  the notice complies with the requirements of this section;

   (c)  the time periods specified in the notice, during which members of the public may exercise a right described in clause (2) (b) or (c), have expired; and

  (d)  the Minister has considered whatever comments and submissions that members of the public have made on the proposed regulation in accordance with clause (2) (b) or (c) and has reported to the Lieutenant Governor in Council on what, if any, changes to the proposed regulation the Minister considers appropriate.

Contents of notice

   (2)  The notice mentioned in clause (1) (a) shall contain,

  (a)  a description of the proposed regulation and the text of it;

  (b)  a statement of the time period during which members of the public may submit written comments on the proposed regulation to the Minister and the manner in which and the address to which the comments must be submitted;

   (c)  a description of whatever other rights, in addition to the right described in clause (b), that members of the public have to make submissions on the proposed regulation and the manner in which and the time period during which those rights must be exercised;

  (d)  a statement of where and when members of the public may review written information about the proposed regulation; and

  (e)  all other information that the Minister considers appropriate.

Time period for comments

   (3)  The time period mentioned in clauses (2) (b) and (c) shall be at least 30 days after the Minister gives the notice mentioned in clause (2) (a) unless the Minister shortens the time period in accordance with subsection (4).

Shorter time period for comments

   (4)  The Minister may shorten the time period if, in the Minister's opinion,

  (a)  the urgency of the situation requires it;

  (b)  the proposed regulation clarifies the intent or operation of this Act or the regulations; or

   (c)  the proposed regulation is of a minor or technical nature.

Discretion to make regulations

   (5)  Upon receiving the Minister's report mentioned in clause (1) (d), the Lieutenant Governor in Council, without further notice under subsection (1), may make the proposed regulation with the changes that the Lieutenant Governor in Council considers appropriate, whether or not those changes are mentioned in the Minister's report.

No public consultation

   (6)  The Minister may decide that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under this section if, in the Minister's opinion,

  (a)  the urgency of the situation requires it;

  (b)  the proposed regulation clarifies the intent or operation of this Act or the regulations; or

   (c)  the proposed regulation is of a minor or technical nature.

Same

   (7)  If the Minister decides that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under this section,

  (a)  those subsections do not apply to the power of the Lieutenant Governor in Council to make the regulation; and

  (b)  the Minister shall give notice of the decision to the public as soon as is reasonably possible after making the decision.

Contents of notice

   (8)  The notice mentioned in clause (7) (b) shall include a statement of the Minister's reasons for making the decision and all other information that the Minister considers appropriate.

Publication of notice

   (9)  The Minister shall publish the notice mentioned in clause (7) (b) on a website of the Government of Ontario and give the notice by all other means that the Minister considers appropriate.

Temporary regulation

   (10)  If the Minister decides that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under this section because the Minister is of the opinion that the urgency of the situation requires it, the regulation shall,

  (a)  be identified as a temporary regulation in the text of the regulation; and

  (b)  unless it is revoked before its expiry, expire at a time specified in the regulation, which shall not be after the second anniversary of the day on which the regulation comes into force.

No review

   (11)  Subject to subsection (12), a court shall not review any action, decision, failure to take action or failure to make a decision by the Lieutenant Governor in Council or the Minister under subsections (1) to (10).

Exception

   (12)  Any person resident in Ontario may make an application for judicial review under the Judicial Review Procedure Act on the grounds that the Minister has not taken a step required by subsections (1) to (10).

Time for application

   (13)  No person shall make an application under subsection (12) with respect to a regulation later than 21 days after the regulation is filed.

Repeal

   17.  (1)  The Quality of Care Information Protection Act, 2004 is repealed.

Transition

   (2)  Despite subsection (1), the Quality of Care Information Protection Act, 2004, as it existed at the relevant time before its repeal, continues to apply to quality of care information created before its repeal.

Commencement

   18.  The Act set out in this Schedule comes into force on a day to be named by proclamation of the Lieutenant Governor.

Short title

   19.  The short title of the Act set out in this Schedule is the Quality of Care Information Protection Act, 2016.

 

EXPLANATORY NOTE

This Explanatory Note was written as a reader's aid to Bill 119 and does not form part of the law.  Bill 119 has been enacted as Chapter 6 of the Statutes of Ontario, 2016.

Schedule 1
Amendments to the Personal Health Information Protection act, 2004 and to certain related statutes

Numerous amendments are made to the Personal Health Information Protection Act, 2004 to provide for the development and maintenance of the electronic health record and for the collection, use and disclosure of personal health information by means of the electronic health record.

The definition of "use" in section 2 of the Act is amended to clarify that the viewing of personal health information, including the viewing of the information by means of the electronic health record, constitutes a use of personal health information under the Act.

A new section 11.1 is added to require that a health information custodian take reasonable steps to ensure that personal health information is not collected without authority.

The notice requirements in subsections 12 (2) and (3) of the Act which currently require notice to be given to an individual wherever personal health information about the individual in the custody or control of a health information custodian is lost, stolen or accessed by an unauthorized person, are amended to apply to any unauthorized use or disclosure, instead of just access by unauthorized persons.  Subsection 12 (2) of the Act is also amended to ensure that notice is given to the Commissioner and that the notice to the individual include a statement that the individual has the right to make a complaint to the Commissioner under Part VI.

Section 17 of the Act currently allows health information custodians to permit agents to collect, use or disclose personal health information on behalf of the custodian.  The section is amended to clarify that such a permission may be subject to conditions or restrictions imposed by the custodian or to prescribed requirements.  Amendments are also made to clarify the respective responsibilities of the custodian and its agent where personal health information is collected, used or disclosed by the agent.

New section 17.1 will ensure that a health information custodian give notice to the College of a regulated health profession under the Regulated Health Professions Act, 1991 or to the Ontario College of Social Workers and Social Service Workers if a member of the College, who is employed by the custodian, who holds privileges with the custodian or who is affiliated with it, has committed or is suspected of having committed an unauthorized collection, use, disclosure, retention or disposal of personal health information and if, as a result of such unauthorized action, the custodian takes disciplinary action with respect to the member's employment, privileges or affiliation. Notice must also be given to such a College by a health information custodian who is a medical officer of health of a board of health if similar circumstances arise involving a member of the College who is employed to provide health care for the board of health and is an agent of the health information custodian.

Section 34 of the Act is amended to permit prescribed persons who are not health information custodians to collect and use health numbers for purposes related to the electronic health record.

Section 51 of the Act is amended to make Part V of the Act apply to the prescribed organization as if it were a health information custodian with respect to the specified records and as if the organization has custody or control of the records.  Section 51 is also amended to apply Part V to certain records in the custody or control of a health information custodian.

The Schedule adds a new Part V.1, entitled "Electronic Health Record", to the Act.

Various terms are defined for the purposes of Part V.1 and interpretation rules are added to describe when a health information custodian is considered to be collecting, using or disclosing personal health information by means of the electronic health record.

The Lieutenant Governor in Council is given the power to prescribe one or more organizations to act as the prescribed organization under the Act.

The prescribed organization is required to exercise enumerated functions with respect to the electronic health record, and must comply with specified requirements in developing and maintaining the electronic health record.  The Minister is authorized to make directives to the prescribed organization with respect to the carrying out of these responsibilities and functions.  The Minister would be required to take the recommendations of the advisory committee and the Information and Privacy Commissioner into account before so directing the prescribed organization.

Part V.1 prohibits a health information custodian from collecting personal health information by means of the electronic health record except for the purposes of providing or assisting in the provision of health care to an individual, or eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, where the health information custodian believes on reasonable grounds that the collection is necessary for this purpose. Part V.1 permits health information custodians to collect, use and disclose prescribed data elements for the purpose of uniquely identifying individuals in order to collect their personal health information that is accessible by means of the electronic health record.

An individual may provide to the prescribed organization a directive that withholds or withdraws the individual's consent to the collection, use and disclosure of his or her personal health information by means of the electronic health record for the purpose of providing or assisting in the provision of health care to the individual.  The individual is permitted to amend and modify a directive previously made. The prescribed organization would be required to comply with the directive.

A health information custodian is authorized to disclose personal health information despite the contents of a consent directive in specified circumstances, including: to another health information custodian if the custodian that is seeking to collect the information obtains the express consent of the individual to whom the information relates; to another custodian if the custodian that is seeking to collect the information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the individual to whom the information relates, and it is not reasonably possible for the custodian to obtain the individual's consent in a timely manner; and to another custodian if the custodian that is seeking to collect the information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person other than the individual to whom the information relates or to a group of persons.

The prescribed organization is required to audit, log and monitor access to personal health information that is the subject of a consent directive, and provide notice to health information custodians where consent directives are overridden as described above.  A health information custodian so notified would be required to notify the individual who made the consent directive and the Information and Privacy Commissioner.

Despite a consent directive, the prescribed organization is permitted to utilize personal health information to provide alerts to health information custodians about potentially harmful medication interactions, as long as the information that is subject to the directive is not provided.

The Minister may collect personal health information by means of the electronic health record for funding, planning and delivering health services funded by the Government of Ontario, and for detecting, monitoring or preventing fraud or inappropriate receipt of health-related payments, goods or services funded by the Government of Ontario.  The Minister may use this information to conduct audits where there are reasonable grounds to believe there has been an inappropriate receipt of a payment, service or good funded by the Government of Ontario, and may disclose this information where required by law, for the purpose of a legal proceeding or to a law enforcement agency for investigation purposes. The Lieutenant Governor in Council must prescribe a unit of the Ministry to collect and use the information for these purposes. Part V.1 would require the prescribed unit to take certain steps to de-identify such personal health information.  The prescribed unit would be required to put in place practices and procedures to protect the privacy of the individuals whose personal health information the Ministry collects for such purposes.  These practices and procedures would require the approval of the Information and Privacy Commissioner every three years.

When the required conditions are met, the Minister may direct the disclosure of personal health information that is accessible by means of the electronic health record to specified persons as if the Minister had custody or control of the information for the purposes of certain provisions of the Act.  In directing the prescribed organization to make such disclosures, the Minister is required to take into account any recommendations of the advisory committee.

The Minister is required to establish an advisory committee for the purpose of making recommendations to the Minister concerning specified matters related to the electronic health record.  The Minister may determine the terms of reference of the advisory committee, and appointments to the committee.  The Ministry shall provide administrative support for the committee.

Part V.1 protects a health information custodian from liability with respect to personal health information that the custodian provides in good faith to the prescribed organization.

Regulation-making powers of the Lieutenant Governor in Council are set out at the end of Part V.1.

The Act is amended to increase fines for persons guilty of offences under the Act, to provide that there is no limitation period for prosecution for offences under the Act and to permit the court to take precautions to avoid the disclosure of personal health information in the course of an investigation or a prosecution under the Act.  The Act is also amended to require the consent of the Attorney General for the commencement of any prosecution under the Act and to allow the Crown to elect to have a provincial judge preside over a proceeding under the Act.

The Drug Interchangeability and Dispensing Fee Act is amended to remove the requirement that certain instructions on prescriptions be handwritten.

The Narcotics Safety and Awareness Act, 2010 is amended to allow the Minister or executive officer to disclose personal information about monitored drugs to certain individuals in specified circumstances.   

The Regulated Health Professions Act, 1991 is amended to permit the Minister to make regulations requiring the College of a regulated health profession to collect from its members information specified in the regulations that is necessary for the purpose of developing or maintaining the electronic health record and requiring the College to provide such information to the prescribed organization.  A member of the College would be required to comply with the College's request for information.

schedule 2
Quality of Care Information Protection Act, 2016

The Quality of Care Information Protection Act, 2004 is repealed and replaced. The purpose of the Act is to enable confidential discussions in which information relating to errors, systemic problems and opportunities for quality improvement in health care delivery can be shared within authorized health facilities, in order to improve the quality of health care delivered to patients.

Among the matters provided for in the Act:

    1.   "Quality of care information" is defined, and matters that the term does not include are provided for including specified information relating to critical incidents.

    2.   It is provided that nothing in the Act interferes with a requirement under applicable law for a health facility or health care provider to conduct interviews and disclose information with regard to critical incidents.

    3.   It is provided that despite the Personal Health Information Protection Act, 2004, a person may disclose any information to a quality of care committee for the purposes of carrying out quality of care functions. However, no more personal health information may be disclosed than is reasonably necessary.

    4.   Rules are set out concerning the disclosure and use of quality of care information.

    5.   Offences and regulation-making powers are provided for.

 

[41] Bill 119 As Amended by Standing Committee (PDF)

Bill 119 2016

An Act to amend the Personal Health Information Protection Act, 2004, to make certain related amendments and to repeal and replace the Quality of Care Information Protection Act, 2004

Her Majesty, by and with the advice and consent of the Legislative Assembly of the Province of Ontario, enacts as follows:

Contents of Act

   1.  This Act consists of this section, sections 2 and 3 and the Schedules to this Act. 

Commencement

   2.  (1)  Subject to subsections (2) and (3), this Act comes into force on the day it receives Royal Assent.

Same

   (2)  The Schedules to this Act come into force as provided in each Schedule. 

Same

   (3)  If a Schedule to this Act provides that any provisions are to come into force on a day to be named by proclamation of the Lieutenant Governor, a proclamation may apply to one or more of those provisions, and proclamations may be issued at different times with respect to any of those provisions.

Short title

   3.  The short title of this Act is the Health Information Protection Act, 2016.

 

Schedule 1
Amendments to the Personal Health Information Protection act, 2004 and to certain related statutes

Personal Health Information Protection Act, 2004

   1.  (1)  Section 2 of the Personal Health Information Protection Act, 2004 is amended by adding the following definitions:

"Ministry" means the Ministry of Health and Long-Term Care; ("ministère")

"prescribed organization" means the organization prescribed for the purposes of Part V.1 and, if more than one organization is prescribed, means every applicable prescribed organization; ("organisation prescrite")

   (2)  The definition of "use" in section 2 of the Act is amended by striking out "means to handle or deal with the information" and substituting "means to view, handle or otherwise deal with the information".

   (3)  The Act is amended by adding the following section:

Steps to ensure collection

   11.1  A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information is not collected without authority.

   (4)  Subsections 12 (2) and (3) of the Act are repealed and the following substituted:

Notice of theft, loss, etc. to individual

   (2)  Subject to subsection (4) and to the exceptions and additional requirements, if any, that are prescribed, if personal health information about an individual that is in the custody or control of a health information custodian is stolen or lost or if it is used or disclosed without authority, the health information custodian shall,

  (a)  notify the individual at the first reasonable opportunity of the theft or loss or of the unauthorized use or disclosure; and

  (b)  include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI.

Notice to Commissioner

   (3)  If the circumstances surrounding a theft, loss or unauthorized use or disclosure referred to in subsection (2) meet the prescribed requirements, the health information custodian shall notify the Commissioner of the theft or loss or of the unauthorized use or disclosure.

Exception

   (4)  If the health information custodian is a researcher who has received the personal health information from another health information custodian under subsection 44 (1), the researcher shall not notify the individual if the information is stolen or lost or if it is used or disclosed without authority, unless the health information custodian that disclosed the personal health information under subsection 44 (1),

  (a)  first obtains the individual's consent to having the researcher contact the individual; and

  (b)  informs the researcher that the individual has given the consent.

   (5)  Clause 17 (1) (b) of the Act is repealed and the following substituted:

  (b)  the collection, use, disclosure, retention or disposal of the information, as the case may be, is necessary in the course of the agent's duties and is not contrary to this Act or another law; and

   (6)  Section 17 of the Act is amended by adding the following subsection:

Same

   (1.1)  A permission granted to an agent under subsection (1) may be subject to such conditions or restrictions as the health information custodian may impose.

   (7)  Subsections 17 (2) and (3) of the Act are repealed and the following substituted:

Restriction, collection, use, etc. by agents

   (2)  An agent of a health information custodian may collect, use, disclose, retain or dispose of personal health information only if,

  (a)  the collection, use, disclosure, retention or disposal of the information, as the case may be,

           (i)  is permitted by the custodian in accordance with subsection (1),

          (ii)  is necessary for the purpose of carrying out his or her duties as agent of the custodian, and

         (iii)  complies with any conditions or restrictions that the custodian has imposed under subsection (1.1); and

  (b)  the prescribed requirements, if any, are met.

Restriction, collection, use, etc. by agents

   (2)  Subject to any exception that may be prescribed, an agent of a health information custodian may collect, use, disclose, retain or dispose of personal health information only if,

  (a)  the collection, use, disclosure, retention or disposal of the information, as the case may be,

           (i)  is permitted by the custodian in accordance with subsection (1),

          (ii)  is necessary for the purpose of carrying out his or her duties as agent of the custodian,

         (iii)  is not contrary to this Act or another law, and

         (iv)  complies with any conditions or restrictions that the custodian has imposed under subsection (1.1); and

  (b)  the prescribed requirements, if any, are met.

Responsibilities of health information custodian

   (3)  A health information custodian shall,

  (a)  take steps that are reasonable in the circumstances to ensure that no agent of the custodian collects, uses, discloses, retains or disposes of personal health information unless it is in accordance with subsection (2); and

  (b)  remain responsible for any personal health information that is collected, used, disclosed, retained or disposed of by the custodian's agents, regardless of whether or not the collection, use, disclosure, retention or disposal was carried out in accordance with subsection (2).

Responsibilities of the agent

   (4)  An agent of a health information custodian shall,

  (a)  comply with the conditions or restrictions imposed by the health information custodian on the agent's collection, use, disclosure, retention or disposal of personal health information under subsection (1.1); and

  (b)  notify the custodian at the first reasonable opportunity if personal health information that the agent collected, used, disclosed, retained or disposed of on behalf of the custodian is stolen or lost or if it is used or disclosed without authority.

   (8)  The Act is amended by adding the following section:

Notice to governing College

Definition

   17.1  (1)  In this section,

"College" means,

  (a)  in the case of a member of health profession regulated under the Regulated Health Professions Act, 1991, a College of the health profession named in Schedule 1 to that Act, and

  (b)  in the case of a member of the Ontario College of Social Workers and Social Service Workers, that College.

Termination, suspension, etc. of employed members

   (2)  Subject to any exceptions and additional requirements, if any, that are prescribed, if a health information custodian employs a health care practitioner who is a member of a College, the health information custodian shall give written notice of any of the following events to the College within 30 days of the event occurring:

    1.  The employee is terminated, suspended or subject to disciplinary action as a result of the unauthorized collection, use, disclosure, retention or disposal of personal health information by the employee.

    2.  The employee resigns and the health information custodian has reasonable grounds to believe that the resignation is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the employee.

Same, custodian's agent

   (2.1)  Subject to any exceptions and additional requirements, if any, that are prescribed, a health information custodian shall give written notice of an event described in subsection (2.2) to a College if,

  (a)  the health information custodian is a medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act; and

  (b)  a health care practitioner, who is a member of the College, is employed to provide health care for the board of health and is an agent of the custodian.

Same

   (2.2)  The health information custodian shall give written notice of any of the following events to a College within 30 days of the event occurring:

    1.  The agent's employment is terminated or suspended, or the agent is subject to disciplinary action with respect to his or her employment, as a result of his or her unauthorized collection, use, disclosure, retention or disposal of personal health information.

    2.  The agent resigns from his or her employment and the health information custodian has reasonable grounds to believe that the resignation is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the agent.

Member's privileges revoked, etc.

   (3)  Subject to any exceptions and additional requirements, if any, that are prescribed, if a health information custodian extends privileges to, or is otherwise affiliated with, a health care practitioner who is a member of a College, the custodian shall give written notice of any of the following events to the College within 30 days of the event occurring:

    1.  The member's privileges are revoked, suspended or restricted, or his or her affiliation is revoked, suspended or restricted, as a result of the unauthorized collection, use, disclosure, retention or disposal of personal health information by the member.

    2.  The member relinquishes or voluntarily restricts his or her privileges or his or her affiliation and the health information custodian has reasonable grounds to believe that the relinquishment or restriction is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the member.

Contents of notice

   (4)  A notice made under this section shall meet the prescribed requirements, if any.

   (9)  Subsection 34 (2) of the Act is amended by striking out "or" at the end of clause (c), by adding "or" at the end of clause (d) and by adding the following clause:

  (e)  if the person is prescribed and is collecting or using the health number, as the case may be, for purposes related to the electronic health record developed and maintained by the prescribed organization.

   (10)  Section 51 of the Act is amended by adding the following subsections:

Application to prescribed organization

   (5)  Subject to any exceptions and additional requirements, if any, that are prescribed, this Part applies to the prescribed organization as if it were a health information custodian with respect to the following records and as if the prescribed organization has custody or control of the records:

    1.  A record of personal health information that is accessible to health information custodians by means of the electronic health record developed and maintained by the prescribed organization.

    2.  The electronic records kept by the prescribed organization under paragraphs 4, 5 and 6 of section 55.3.

Application to record of a custodian

   (6)  Subject to any exceptions and additional requirements, if any, that are prescribed, this Part applies to a record in the custody or control of a health information custodian respecting all instances where all or part of the personal health information of the individual that is accessible by means of the electronic health record developed and maintained by the prescribed organization is viewed, handled or otherwise dealt with by the custodian.

   (11)  The Act is amended by adding the following Part:

Part v.1
Electronic Health Record

Interpretation

   55.1  (1)  In this Part,

"advisory committee" means the advisory committee established by the Minister under section 55.11; ("comité consultatif")

"consent directive" means a directive under section 55.6 and includes a directive to modify or withdraw a directive that has already been made; ("directive en matière de consentement")

"de-identify" and related expressions have the same meaning as in subsection 47 (1); ("anonymiser")

"electronic health record" means the electronic systems that are developed and maintained by the prescribed organization for the purpose of enabling health information custodians to collect, use and disclose personal health information by means of the systems in accor­dance with this Part and the regulations made under this Part; ("dossier de santé électronique")

"identifying information" has the same meaning as in subsection 4 (2). ("renseignements identificatoires")

What constitutes collection, use, disclosure re: electronic health record

   (2)  Despite anything in section 2, for the purposes of this Part, a health information custodian is considered to be collecting, using or disclosing personal health information in the following circumstances:

    1.  When a health information custodian views, handles or otherwise deals with all or part of an individual's personal health information by means of the electronic health record and that information was provided to the prescribed organization by another health information custodian,

            i.  the health information custodian is considered to be collecting the personal health information if it is viewing, handling or otherwise dealing with the information for the first time, and

           ii.  the health information custodian is considered to be using the personal health information each time it subsequently views, handles or otherwise deals with the information.

    2.  Whenever a health information custodian views, handles or otherwise deals with all or part of an individual's personal health information by means of the electronic health record and that information was provided to the prescribed organization by the custodian, the custodian is considered to be using the personal health information.

    3.  A health information custodian who provides personal health information to the prescribed organization is considered to be disclosing the information only when another health information custodian collects the information by means of the electronic health record.

Same, where information provided to prescribed organization

   (3)  Despite anything in section 2, when a health information custodian provides personal health information to the prescribed organization,

  (a)  the custodian is considered not to be disclosing the information to the prescribed organization; and

  (b)  the prescribed organization is considered not to be collecting the information from the custodian.

   (12)  The Act is amended by adding the following section:

Electronic health record

   55.2  (1)  The prescribed organization has the power and the duty to develop and maintain the electronic health record in accordance with this Part and the regulations made under this Part.

Functions of prescribed organization

   (2)  The prescribed organization shall perform the following functions:

    1.  Manage and integrate personal health information it receives from health information custodians.

    2.  Ensure the proper functioning of the electronic health record by servicing the electronic systems that support the electronic health record.

    3.  Ensure the accuracy and quality of the personal health information accessible by means of the electronic health record personal health information that is accessible by means of the electronic health record by conducting data quality assurance activities on the personal health information it receives from health information custodians.

    4.  Conducting analysis Conduct analyses of the personal health information that is accessible by means of the electronic health record in order to provide alerts and reminders to health information custodians for their use in the provision of health care to individuals.

Other powers and duties

   (3)  In addition to carrying out the powers, duties and functions described in this Part and in Part V, the prescribed organization shall carry out any prescribed powers, duties or functions.

   (13)  The Act is amended by adding the following section:

Requirements for electronic health record

   55.3  The prescribed organization shall comply with the following requirements in developing and maintaining the electronic health record:

    1.  It shall take reasonable steps to limit the personal health information it receives to that which is reasonably necessary for developing and maintaining the electronic health record.

    2.  It shall not permit its employees or any other person acting on its behalf to view, handle or otherwise deal with the personal health information received from health information custodians, unless the employee or person acting on behalf of the prescribed organization agrees to comply with the restrictions that apply to the prescribed organization.

    3.  It shall make available to the public and to each health information custodian that provides personal health information to it,

            i.  a plain language description of the electronic health record, including a general description of the administrative, technical and physical safeguards in place to,

                  A.  protect against theft, loss and unauthorized collection, use or disclosure of the personal health information that is accessible by means of the electronic health record,

                  B.  protect the personal health information that is accessible by means of the electronic health record against unauthorized copying, modification or disposal, and

                  C.  protect the integrity, security and confidentiality of the personal health information that is accessible by means of the electronic health record, and

           ii.  any directives, guidelines and policies of the prescribed organization that apply to the personal health information that is accessible by means of the electronic health record, to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information.

    4.  It shall,

            i.  keep an electronic record of all instances where all or part of the personal health information that is accessible by means of the electronic health record is viewed, handled or otherwise dealt with, and ensure that the record identifies the individual to whom the information relates, the type of information that is viewed, handled or otherwise dealt with, all persons who have viewed, handled or otherwise dealt with the information, and the date, time and location of the viewing, handling, or dealing with, and

           ii.  in the event that a health information custodian has requested that the prescribed organization transmit to the custodian personal health information that is accessible by means of the electronic health record, keep an electronic record of all instances where personal health information is transmitted to the custodian by means of the electronic health record, and ensure that the record identifies the individual to whom the information relates, the type of information that is transmitted, the custodian requesting the information, the date and time that the information was transmitted, and the location to which the information was transmitted.

    5.  It shall keep an electronic record of all instances where a consent directive is made, withdrawn or modified, and shall ensure that the record identifies the individual who made, withdrew or modified the consent directive, the instructions that the individual provided regarding the consent directive, the health information custodian, agent or other person to whom the directive is made, withdrawn or modified, and the date and time that the consent directive was made, withdrawn or modified.

    6.  It shall keep an electronic record of all instances where all or part of the personal health information that is accessible by means of the electronic health record is disclosed under section 55.7 and shall ensure that the record identifies the health information custodian that disclosed the information, the health information custodian that collected the information, any agent of the health information custodian who collected the information, the individual to whom the information relates, the type of information that was disclosed, the date and time of the disclosure and the purpose of the disclosure.

    7.  It shall audit and monitor the electronic records that it is required to keep under paragraphs 4, 5 and 6.

    8.  It shall, upon the request of the Commissioner provide to the Commissioner, for the purposes of Part VI, the electronic records kept under paragraphs 4, 5 and 6.

    9.  It shall, upon request of a health information custodian that requires the records to audit and monitor its compliance with this Act, provide to the custodian or an agent acting on the custodian's behalf, the records kept under paragraphs 4, 5 and 6.

  10.  It shall perform, for each system that retrieves, processes or integrates personal health information that is accessible by means of the electronic health record, an assessment with respect to,

            i.  threats, vulnerabilities and risks to the security and integrity of the personal health information, and

           ii.          how each of those systems may affect the privacy of the individuals to whom the information relates.

  11.  It shall notify, at the first reasonable opportunity, each health information custodian that provided personal health information to the prescribed organization if the personal health information that the health information custodian provided is stolen or lost or if it is collected, used or disclosed without authority.

  12.  It shall,

            i.  make available to each health information custodian that provided personal health information to the prescribed organization a written copy of the results of the assessments carried out under paragraph 10 that relates to the personal health information the custodian provided, and

           ii.  make available to the public a summary of the results of the assessments carried out under paragraph 10.

  13.  It shall ensure that any third party it retains to assist in providing services for the purpose of developing or maintaining the electronic health record agrees to comply with the restrictions and conditions that are necessary to enable the prescribed organization to comply with all these requirements.

  14.  On and after the first anniversary of the day this section comes into force, It it shall have in place and comply with practices and procedures,

            i.  that are for the purpose of protecting the privacy of the individuals whose personal health information it receives and for maintaining the confidentiality of the information, and

           ii.  that are approved by the Commissioner.

  15.  It shall notify the Commissioner, in writing, immediately after becoming aware that personal health information that is accessible by means of the electronic health record,

            i.  has been viewed, handled or otherwise dealt with by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations, or

           ii.  has been made available or released by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations.

  16.  It shall submit to the Commissioner, at least annually, a report in the form and manner specified by the Commissioner, and based on or containing any information, other than personal health information, that is kept in the electronic record required under paragraph 6 that the Commissioner may specify, respecting every instance in which personal health information was disclosed under section 55.7 since the time of the last report.

  17.  It shall comply with the practices and procedures prescribed in the regulations when managing consent directives.

  18.  It shall have in place and comply with practices and procedures that have been approved by the Minister for responding to or facilitating a response to a request made by an individual under Part V in respect of the individual's record of personal health information that is accessible by means of the electronic health record.

  19.  It shall comply with such other requirements as may be prescribed in the regulations.

   (14)  The Act is amended by adding the following section:

Minister's directives

   55.4  (1)  The Minister may make directives to the prescribed organization with respect to the carrying out of its powers, duties and functions under this Part, and the prescribed organization shall comply with the directives of the Minister.

Consultation

   (2)  Before making a directive under subsection (1), the Minister shall,

  (a)  submit a draft of the directive to the Commissioner and the advisory committee for the purpose of reviewing and making recommendations on the draft directive; and

  (b)  consider the recommendations, if any, made by the Commissioner and the advisory committee and amend the directive if the Minister considers it appropriate to do so.

Timing

   (3)  The Minister shall allow the Commissioner and the advisory committee a period of at least 30 days for the purposes of review and recommendation under subsection (2), unless the Minister believes that there are urgent circumstances involving a significant risk to privacy or the confidentiality of personal health information, in which case the Minister may abridge the review period for both the Commissioner and the advisory committee to not less than five business days.

   (15)  The Act is amended by adding the following section:

Collection, use, disclosure by custodians

Restrictions on collection

   55.5  (1)  A health information custodian shall not collect personal health information by means of the electronic health record except for the purpose of,

  (a)  providing or assisting in the provision of health care to the individual to whom the information relates; or

  (b)  eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, where the health information custodian believes on reasonable grounds that the collection is necessary for this purpose.

Unique identification

   (2)  A health information custodian may collect, use and disclose prescribed data elements for the purpose of uniquely identifying an individual in order to collect personal health information under subsection (1).

Where consent directive exists

   (3)  Despite subsection (1), where personal health information that is accessible by means of the electronic health record is subject to a consent directive made by an individual under subsection 55.6 (1), a health information custodian may only collect the personal health information in the circumstances permitted under subsection 55.7 (1), (2) or (3).

Use or disclosure

   (4)  A health information custodian that collects personal health information under clause (1) (a) may use or disclose the information for any purpose for which this Act permits or requires a custodian to use or disclose of personal health information to use or disclose personal health information.

Same

   (5)  Despite any other provision in this Act or the regulations, a health information custodian that collects personal health information under clause (1) (b) may only use or disclose the information for the purpose for which the information was collected.

Section 12 obligations

   (6)  If a health information custodian requests that the prescribed organization transmit personal health information to the custodian by means of the electronic health record, the custodian shall comply with the obligations referred to in section 12 with respect to that information, regardless of whether the custodian has viewed, handled or otherwise dealt with the information.

Section 12 obligations

   (6)  If a health information custodian requests that the prescribed organization transmit personal health information to the custodian by means of the electronic health record and the prescribed organization transmits the information as requested, the custodian shall comply with the obligations referred to in subsection 12 (1) with respect to the transmitted information, regardless of whether the custodian has viewed, handled or otherwise dealt with the information.

Same, notice of unauthorized collection

   (7)  Subject to the exceptions and additional requirements, if any, that are prescribed, and in addition to any notice that is required to be given in the case of an unauthorized use or disclosure under subsections 12 (2) and (3), if personal health information about an individual is collected without authority by means of the electronic health record, the health information custodian who is responsible for the unauthorized collection shall,

  (a)  notify the individual at the first reasonable opportunity of the unauthorized collection, and include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI; and

  (b)  notify the Commissioner.

  (b)  if the circumstances surrounding the unauthorized collection meet the prescribed requirements, notify the Commissioner of the unauthorized collection.

   (16)  The Act is amended by adding the following section:

Consent directives

   55.6  (1)  Subject to the limitations prescribed in the regulations, if any, an individual may at any time make a directive that withholds or withdraws, in whole or in part, the individual's consent to the collection, use and disclosure of his or her personal health information by means of the electronic health record by a health information custodian for the purposes of providing or assisting in the provision of health care to the individual.

Compliance

   (2)  Where the prescribed organization receives a directive made under subsection (1), it shall, in accordance with the requirements prescribed in the regulations, if any, implement the directive.

Withdrawal or modifications

   (3)  Subject to the limitations prescribed in the regulations, if any, an individual who has made a directive under subsection (1) may withdraw or modify the directive.

How to make directive

   (4)  An individual may make a directive under subsection (1) or withdraw or modify a directive under subsection (3) by submitting the directive to the prescribed organization.

Must contain sufficient detail

   (5)  The directive must contain sufficient detail to enable the prescribed organization to implement the directive.

Assistance

   (6)  If the directive does not contain sufficient detail to enable the prescribed organization to implement the directive with reasonable efforts, the prescribed organization shall offer assistance to the person in reformulating the directive to comply with subsection (5).

Information re directives

   (7)  If a health information custodian seeks to collect personal health information that is subject to a consent directive, the prescribed organization shall notify the custodian that an individual has made a directive under subsection (1) and shall ensure that no personal health information that is subject to the directive is provided.

   (17)  The Act is amended by adding the following section:

Consent overrides

   55.7  (1)  Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record if the custodian that is seeking to collect the information obtains the express consent of the individual to whom the information relates.

Same, protection of individual

   (2)  Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record if,

  (a)  the custodian that is seeking to collect the personal health information believes, on reasonable grounds, that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the individual to whom the information relates; and

  (b)  it is not reasonably possible for the health information custodian that is seeking to collect the personal health information to obtain the individual's consent in a timely manner.

Same, protection of others

   (3)  Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record, if the health information custodian that is seeking to collect the personal health information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person other than the individual to whom the information relates or to a group of persons.

Use or disclosure

   (4)  Despite any other provision in this Act or its regulations, a health information custodian that collects personal health information under subsection (1), (2) or (3) may only use or disclose the information for the purpose for which the information was collected.

Audit, etc.

   (5)  The prescribed organization shall audit and monitor every instance where personal health information is collected in the circumstances described in subsection (1), (2) or (3).

Notice re consent overrides

   (6)  Where personal health information has been collected in the circumstances described in subsection (1), (2) or (3), the prescribed organization shall immediately provide written notice, in accordance with the requirements in the regulations, to the health information custodian that collected the personal health information.

Same

   (7)  Upon receiving notice under subsection (6), the custodian that collected the personal health information in the circumstances described in subsection (1), (2) or (3) shall, at the first reasonable opportunity,

  (a)  notify the individual to whom the information relates, in accordance with the requirements in the regulations; and

  (b)  if the personal health information has been collected in the circumstances described in subsection (3), give written notice to the Commissioner, in accordance with the regulations, in a manner that does not provide identifying information about the individual to whom the information relates or the person or group of persons at significant risk of serious bodily harm.

No identifying information

   (8)  Where personal health information has been collected in the circumstances described in subsection (3), in notifying the individual to whom the information relates, the custodian shall not provide identifying information about the person or group of persons at significant risk of serious bodily harm.

   (18)  The Act is amended by adding the following section:

Medication interaction checks

   55.8  Despite the contents of a consent directive, personal health information may be utilized by a system that is maintained by the prescribed organization and that retrieves, processes or integrates personal health information that is accessible by means of the electronic health record to provide alerts to health information custodians about potentially harmful medication interactions, as long as the alerts do not reveal personal health information that is subject to the consent directive.

   (19)  The Act is amended by adding the following section:

Collection of information by Ministry

   55.9  (1)  Despite section 55.5, and subject to subsection (2), the Minister may collect personal health information by means of the electronic health record for the purposes of,

  (a)  funding, planning or delivering health services that the Government of Ontario funds in whole or in part, directly or indirectly, or allocating resources to any of them; or

  (b)  detecting, monitoring or preventing fraud or inappropriate receipt of a payment, service or good, including any subsidy or other benefit funded in whole or in part, directly or indirectly, by the Government of Ontario, where such payment, service or good is health-related or is prescribed in the regulations.

Practices and procedures

   (2)  The Minister may only collect personal health information under subsection (1), if,

  (a)  the Lieutenant Governor in Council has prescribed not more than one unit of the Ministry to collect personal health information under subsection (1) on the Minister's behalf; and

  (b)  the prescribed unit of the Ministry has put in place practices and procedures,

           (i)  to protect the privacy of the individuals whose personal health information the Minister collects, and to maintain the confidentiality of the information, and

          (ii)  that are approved by the Commissioner.

De-identification

   (3)  Where personal health information has been collected by the Minister under subsection (1), the prescribed unit shall, subject to the additional requirements, if any, that are prescribed, and in accordance with the practices and procedures approved by the Commissioner under subclause (2) (b) (ii),

  (a)  create a record containing the minimal amount of personal health information necessary for the purpose of de-identifying the information and linking it to other information in the custody or control of the Minister; and

  (b)  de-identify the personal health information.

Link

   (4)  The prescribed unit of the Ministry may link the personal health information that has been de-identified under subsection (3) to other de-identified personal health information under the custody and control of the Minister.

Use in auditing, etc.

   (5)  The Minister may use personal health information collected under subsection (1) to conduct audits where there are reasonable grounds to believe there has been inappropriate receipt of a payment, service or good, including any subsidy or other benefit funded in whole or in part, directly or indirectly, by the Government of Ontario and where such payment, service or good is health-related or is prescribed in the regulations, if,

  (a)  the Lieutenant Governor in Council has prescribed not more than one unit of the Ministry to use the personal health information for the purpose set out in this subsection on the Minister's behalf; and

  (b)  the prescribed unit of the Ministry has put in place practices and procedures,

           (i)  to protect the privacy of the individuals whose personal health information the Minister collects, and to maintain the confidentiality of the information, and

          (ii)  that are approved by the Commissioner.

Disclosure

   (6)  The Minister may disclose personal health information used in an audit mentioned in subsection (5) if,

  (a)  the disclosure is required by law;

  (b)  the disclosure is for the purpose of a proceeding or contemplated proceeding in which the Minister or an agent or former agent of the Minister is, or is expected to be, a party or witness and the information relates to or is a matter in issue in the proceeding or contemplated proceeding; or

   (c)  the Minister has reasonable grounds to believe the audit reveals a contravention of the laws of Ontario or Canada and the disclosure is to a law enforcement agency in Canada to aid in an ongoing investigation by the agency or to enable the agency to determine whether to conduct an investigation, with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result. 

No other uses and disclosures permitted

   (7)  Despite any other provision in this Act or the regulations, the Minister shall not use or disclose the personal health information collected under subsection (1) except as authorized by this section.

Direction to prescribed organization

   (8)  The Minister may issue a direction requiring the prescribed organization to provide the Minister with the information that the Minister is authorized to collect under subsection (1), and the prescribed organization must comply with the direction.

Terms and conditions

   (9)  A direction made under subsection (8) may specify the form, manner and timeframe in which the information that is the subject of the direction is to be provided to the Minister.

Disclosure

   (10)  If the Minister collects personal health information by means of the electronic health record under subsection (1), the disclosure of the personal health information to the Minister by the health information custodian who provided it to the prescribed organization is deemed to be permitted under this Act.

   (20)  The Act is amended by adding the following section:

Provision of information for purposes other than health care

   55.10  (1)  Despite any other provision in this Act or the regulations, the Minister may direct the disclosure of personal health information that is accessible by means of the electronic health record to a person, as if the Minister had custody or control of the information, if,

  (a)  a person has requested that the Minister disclose the personal health information in accordance with clause 39 (1) (c), subsection 39 (2), section 44 or 45 of this Act;

  (b)  the personal health information requested by the person was provided to the prescribed organization under this Part by more than one health information custodian;

   (c)  the Minister has,

           (i)  submitted the request to the advisory committee,

          (ii)  provided the advisory committee with 30 days to review the request and make recommendations to the Minister, and

         (iii)  considered the recommendations, if any, made by the advisory committee; and

  (d)  the Minister has determined that the disclosure of the personal health information would be in accordance with clause 39 (1) (c), subsection 39 (2) or section 44 or 45.

Shorter time period

   (2)  The Minister may shorten the time period in subclause (1) (c) (ii) if,

  (a)  in the Minister's opinion, the urgency of the situation requires it; and

  (b)  the request is for the disclosure of personal health information in accordance with subsection 39 (2).

Must comply

   (3)  The prescribed organization must comply with a direction under this section.

Terms and conditions

   (4)  A direction under this section may specify the form, manner and timeframe in which the information that is the subject of the direction is to be disclosed.

Disclosure only if necessary

   (5)  The Minister shall not direct the disclosure of personal health information under this section if other information will serve the purpose of the disclosure.

Only necessary disclosure

   (6)  The Minister shall not direct the disclosure of more personal health information than is reasonably necessary to meet the purpose of the disclosure.

   (21)  The Act is amended by adding the following section:

Advisory committee

   55.11  (1)  The Minister shall establish an advisory committee for the purpose of making recommendations to the Minister concerning,

  (a)  practices and procedures that the prescribed orga­nization must have in place for the purpose of protecting the privacy of the individuals whose personal health information it receives and for maintaining confidentiality with respect to the information;

  (a)  practices and procedures that the prescribed organization must have in place to protect the privacy of the individuals whose personal health information it receives and to maintain the confidentiality of the information;

  (b)  practices and procedures that the prescribed orga­nization must have in place for responding or facilitating a response to a request made by an individual under Part V for a record of personal health information relating to the individual that is accessible by means of the electronic health record;

   (c)  the administrative, technical and physical safeguards the prescribed organization should have in place to protect the privacy of the individuals whose personal health information it receives and to maintain confidentiality with respect to the information maintain the confidentiality of the information;

  (d)  the role of the prescribed organization in assisting a health information custodian to fulfil its obligations to give notice under subsection 12 (2) and 55.5 (6) and (7) give notice to individuals under subsections 12 (2) and 55.5 (7) in the event that personal health information that is accessible by means of the electronic health record is stolen or lost or is collected, used or disclosed without authority;

  (e)  the provision of notice in the event that personal health information that is accessible by means of the electronic health record is stolen or lost or is collected, used or disclosed without authority;

   (f)  anything that is referred to in this Part or in the regulations as capable of being the subject of a recommendation of the advisory committee; and

  (g)  any other matter referred to the advisory committee by the Minister.

Terms of reference

   (2)  Subject to the other provisions of this Part, the Minister shall determine the terms of reference of the advisory committee, including terms of reference with respect to conflicts of interest, the membership of the committee and the organization and governance of the committee.

Appointments

   (3)  The Minister shall appoint the members of the advisory committee in accordance with the requirements, if any, prescribed in the regulations.

Support by Ministry

   (4)  The Ministry,

  (a)  shall provide administrative support for the advisory committee;

  (b)  shall have custody and control of the records of the advisory committee for the purposes of the Freedom of Information and Protection of Privacy Act; and

   (c)  is responsible for compliance with the Archives and Recordkeeping Act, 2006, in connection with records created by or supplied to the advisory committee.

   (22)  The Act is amended by adding the following section:

Practices and procedures review

   55.12  (1)  The Commissioner shall review the practices and procedures of the prescribed organization referred to in paragraph 14 of section 55.3 and those of a prescribed unit of the Ministry referred to in clauses 55.9 (2) (b) and (5) (b) every three years after they are first approved to determine if the practices and procedures continue to meet the requirements of subparagraph 14 i of section 55.3 or of subclause 55.9 (2) (b) (i) or (5) (b) (i), as the case may be, and, after the review, the Commissioner may renew the approval.

Notice by Commissioner

   (2)  The Commissioner shall advise the prescribed organization or prescribed unit, as the case may be, of the results of its review under subsection (1).

Notice by Commissioner

   (2)  The Commissioner shall advise health information custodians of the results of a review conducted under subsection (1).

   (22.1)  The Act is amended by adding the following section:

Protection from liability for health information custodian

   55.12.1  A health information custodian who, acting in good faith, provides personal health information to the prescribed organization by means of the electronic health record is not liable for damages resulting from,

  (a)  any unauthorized viewing or handling of the provided information, or any unauthorized dealing with the provided information, by the prescribed organization, its employees or any other person acting on its behalf; or

  (b)  any unauthorized collection of the provided information by another health information custodian.

   (23)  The Act is amended by adding the following section:

Regulations

   55.13  (1)  The Lieutenant Governor in Council may make regulations for carrying out the purposes and provisions of this Part.

Same

   (2)  Without limiting the generality of subsection (1), the Lieutenant Governor in Council may make regulations,

  (a)  prescribing an organization as the prescribed organization for the purposes of this Part and respecting the purposes for which the organization is prescribed, subject to subsection (3); 

  (b)  prescribing additional powers, duties and functions of the prescribed organization;

   (c)  prescribing additional requirements with which the prescribed organization must comply in developing or maintaining the electronic health record;

  (d)  specifying data elements collected, used or disclosed by a health information custodian under subsection 55.5 (2) that may not be made subject to a consent directive provided by an individual under subsection 55.6 (1);

  (e)  governing the notices that are required under section 55.7 and requiring notices under other circumstances and governing such notices;

   (f)  prescribing the level of specificity at which personal health information may be made subject to a consent directive, including whose collection, use and disclosure of the information may be restricted;

  (g)  prescribing the units of the Ministry that will be permitted to collect, use and disclose personal health information by means of the electronic health record on behalf of the Minister for the purposes described in section 55.9;

  (h)  requiring classes of health information custodians or specific health information custodians to provide personal health information to the prescribed organization under this Part and specifying what personal health information they are required to provide;

    (i)  respecting the provision of services related to the electronic health record by the prescribed organization directly to individuals;

    (j)  providing for anything that under this Part may or must be provided for or prescribed by the regulations.

Same, two or more organizations prescribed

   (3)  A regulation made under clause (2) (a) may prescribe more than one organization to act as the prescribed organization for the purposes of this Part and may provide for the respective powers, duties and functions of each organization under this Part.

Review

   (4)  The Minister shall review every regulation made under the authority of clause (2) (f) at least once in every three-year period.

Public consultation

   (5)  Section 74 applies, with necessary modification, to the making of a regulation under this section.

   (24)  Subsection 60 (1) of the Act is amended by adding "and" at the end of clause (a), by striking out "and" at the end of clause (b) and by striking out clause (c).

   (25)  Clauses 72 (2) (a) and (b) of the Act are repealed and the following substituted:

  (a)  if the person is a natural person, to a fine of not more than $100,000; and

  (b)  if the person is not a natural person, to a fine of not more than $500,000.

   (26)  Subsection 72 (5) of the Act is repealed and the following substituted:

Consent of Attorney General

   (5)  A prosecution shall not be commenced under subsection (1) without the consent of the Attorney General.

Presiding judge

   (6)  The Crown may, by notice to the clerk of the Ontario Court of Justice, require that a provincial judge preside over a proceeding in respect of an offence under subsection (1).

Protection of information

   (7)  In a prosecution for an offence under subsection (1) or where documents or materials are filed with a court under sections 158 to 160 of the Provincial Offences Act in relation to an investigation into an offence under this Act, the court may, at any time, take precautions to avoid the disclosure by the court or any person of any personal health information about an individual, including, where appropriate,

  (a)  removing the identifying information of any person whose personal health information is referred to in any documents or materials;

  (b)  receiving representations without notice;

   (c)  conducting hearings or parts of hearings in private; or

  (d)  sealing all or part of the court files.

No limitation

   (8)  Section 76 of the Provincial Offences Act does not apply to a prosecution under this Act.

   (27)  Subsection 73 (1) of the Act is amended by adding the following clause:

(n.1) requiring health information custodians to provide information to the Commissioner and specifying the type of information to be provided and the time at which and manner in which it is to be provided;

Drug Interchangeability and Dispensing Fee Act

   2.  Clause 4 (6) (a) of the Drug Interchangeability and Dispensing Fee Act is amended by striking out "handwritten" and substituting "written".

Narcotics Safety and Awareness Act, 2010

   3.  Subsections 5 (5) and (6) of the Narcotics Safety and Awareness Act, 2010 are repealed and the following substituted:

Disclosure to prescriber, dispenser etc.

   (5)  The Minister or the executive officer may disclose personal information about any monitored drugs that have or have not been prescribed or dispensed to a person to,

  (a)  a prescriber, if the prescriber is determining whether to prescribe a monitored drug to the person or has prescribed a monitored drug to the person;

  (b)  a dispenser, if the dispenser is determining whether to dispense a monitored drug to the person or has dispensed a monitored drug to the person; or

   (c)  an operator of a pharmacy, if a dispenser employed or retained by the pharmacy has dispensed a monitored drug to the person through the pharmacy.

Disclosure to health care practitioner

   (6)  The Minister or the executive officer may disclose personal information about any monitored drugs that have or have not been prescribed or dispensed to a person, to a health care practitioner who is providing health care to the person or assisting in providing health care to the person.

Definition, health care practitioner

   (7)  In subsection (6),

"health care practitioner" means a health care practitioner as defined in clause (a) of the definition of health care practitioner in section 2 of the Personal Health Information Protection Act, 2004.

Regulated Health Professions Act, 1991

   4.  The Regulated Health Professions Act, 1991 is amended by adding the following section:

Electronic health record

   36.2  (1)  The Minister may make regulations,

  (a)  requiring one or more Colleges to collect from their members information relating to their members that is specified in those regulations and that is, in the Minister's opinion, necessary for the purpose of developing or maintaining the electronic health record under Part V.1 of the Personal Health Information Protection Act, 2004, including ensuring that members are accurately identified for purposes of the electronic health record;

  (b)  requiring the College or Colleges to provide the information to the prescribed organization in the form, manner and timeframe specified by the prescribed organization;

   (c)  respecting the notice mentioned in subsection (4).

Members to provide information

   (2)  Where the Minister has made a regulation under subsection (1), and a College has requested information from a member in compliance with the regulation, the member shall comply with the College's request.

Use and disclosure by prescribed organization

   (3)  Despite a regulation made under subsection (1), the prescribed organization,

  (a)  may only collect, use or disclose information under this section for the purpose provided for in subsection (1);

  (b)  shall not use or disclose personal information collected under this section if other information will serve the purpose; and

   (c)  shall not use or disclose more personal information collected under this section than is necessary for the purpose.

Notice required by s. 39 (2) of FIPPA

   (4)  Where the Minister has made a regulation under subsection (1), and a College is required to collect personal information from its members, the notice required by subsection 39 (2) of the Freedom of Information and Protection of Privacy Act is given by,

  (a)  a public notice posted on the prescribed organization's website; or

  (b)  any other public method that may be prescribed in regulations made by the Minister under subsection (1).

Same

   (5)  If the prescribed organization publishes a notice referred to under subsection (4), the prescribed organization shall advise the College of the notice and the College shall also publish a notice about the collection on the College's website within 20 days.

Definitions

   (6)  In this section,

"information" includes personal information, but does not include personal health information; ("renseignements")

"personal health information" has the same meaning as in section 4 of the Personal Health Information Protection Act, 2004; ("renseignements personnels sur la santé")

"prescribed organization" has the same meaning as in section 2 of the Personal Health Information Protection Act, 2004. ("organisation prescrite")

Commencement

   5.  This Schedule comes into force on a day to be named by proclamation of the Lieutenant Governor.

 

schedule 2
Quality of Care Information Protection Act, 2016

 

 

CONTENTS

Preamble

 

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

11.

12.

13.

14.

15.

16.

17.

18.

19.

Purpose

Interpretation

Application of Freedom of Information and Protection of Privacy Act

Interviews and disclosure not affected

Conflict

Restrictions on use of committee

Quality of care information continues

Disclosure to quality of care committee

Restriction on disclosure

Non-disclosure in proceeding

Non-retaliation

Offence

Immunity

Review

Regulations

Public consultation before making regulations

Repeal

Commencement

Short title

 

 

______________

 

 

Preamble

The people of Ontario and their Government:

Believe in patient-centred health care;

Remain committed to improving the quality of health care provided by health facilities and maintaining the safety of patients;

Believe that quality health care and patient safety is best achieved in a manner that supports openness and transparency to patients and their authorized representatives regarding patient health care;

Recognize that health care providers and other staff in health facilities sometimes need to hold confidential discussions to identify and analyze errors affecting patients, systemic problems and opportunities for quality improvement in patient health care;

Believe that protections are needed to encourage and enable health care providers and other staff of health facilities to share all available information, provide honest assessment and opinions and participate in discussions to improve patient health care without fear of retaliation;

Believe that sharing information about critical incidents and quality improvement helps to improve the quality of health care for patients;

Are committed to ensuring that measures to facilitate the sharing of information for quality improvement purposes do not interfere with the right of patients and their authorized representatives to access information about their health care or with the obligations of health facilities to disclose such information to patients and their authorized representatives; and

Affirm that the inclusion of patients and their authorized representatives in the process of reviewing a critical incident helps to improve patient care, and therefore quality of care information protection must be implemented in a manner that supports such inclusion.

Purpose

   1.  The purpose of this Act is to enable confidential discussions in which information relating to errors, systemic problems and opportunities for quality improvement in health care delivery can be shared within authorized health facilities, in order to improve the quality of health care delivered to patients.

Interpretation

   2.  (1)  In this Act,

"critical incident" means any unintended event that occurs when a patient receives health care from a health facility that,

  (a)  results in death, or serious disability, injury or harm to the patient, and

  (b)  does not result primarily from the patient's underlying medical condition or from a known risk inherent in providing the health care; ("incident critique")

"disclose" means, with respect to quality of care information, to provide or make the information available to a person who is not a member of the quality of care committee with which the information is associated, and "disclosure" has a corresponding meaning; ("divulguer", "divulgation")

"health care" means any observation, examination, assessment, care, service or procedure that is done for a health-related purpose and that,

  (a)  is carried out or provided to diagnose, treat or maintain an individual's physical or mental condition,

  (b)  is carried out or provided to prevent disease or injury or to promote health, or

   (c)  is carried out or provided as part of palliative care,

and includes,

  (d)  the compounding, dispensing or selling of a drug, a device, equipment or any other item to an individual, or for the use of an individual, pursuant to a prescription, and

  (e)  a prescribed type of service; ("soins de santé")

"health facility" means,

  (a)  a hospital within the meaning of the Public Hospitals Act,

  (b)  a private hospital within the meaning of the Private Hospitals Act,

   (c)  a psychiatric facility within the meaning of the Mental Health Act,

  (d)  an independent health facility within the meaning of the Independent Health Facilities Act, or

  (e)  a prescribed entity that provides health care; ("établissement de santé")

"information" includes personal health information as defined in the Personal Health Information Protection Act, 2004; ("renseignements")

"Minister" means the Minister of Health and Long-Term Care; ("ministre")

"patient" means a recipient of health care; ("patient")

"patient record" means a record that is maintained for the purpose of providing health care to a patient; ("dossier du patient")

"prescribed" means prescribed by the regulations; ("prescrit")

"proceeding" includes a proceeding that is within the jurisdiction of the Legislature and that is held in, before or under the rules of a court, a tribunal, a commission, a justice of the peace, a coroner, a committee of a College within the meaning of the Regulated Health Professions Act, 1991, a committee of the Board of Regents continued under the Drugless Practitioners Act, a committee of the Ontario College of Social Workers and Social Service Workers under the Social Work and Social Service Work Act, 1998, an arbitrator or a mediator, but does not include any activities carried on by a quality of care committee; ("instance")

"quality of care committee" means a body of one or more individuals that performs quality of care functions and,

  (a)  that is established, appointed or approved,

           (i)  by a health facility,

          (ii)  by a quality oversight entity, or

         (iii)  by any combination of health facilities or quality oversight entities, and

  (b)  that meets the prescribed criteria, if any; ("comité de la qualité des soins")

"quality of care functions", in respect of a quality of care committee, means activities carried on for the purpose of studying, assessing or evaluating the provision of health care with a view to improving or maintaining the quality of the health care and include conducting reviews of critical incidents; ("fonctions liées à la qualité des soins")

"quality oversight entity" means a prescribed entity that carries on activities for the purpose of improving or maintaining the quality of care provided by a health facility, a health care provider or a class of health facility or health care provider; ("entité de surveillance de la qualité")

"regulations" mean the regulations made under this Act; ("règlements")

"use", with respect to quality of care information, does not include to disclose the information and "use", as a noun, does not include disclosure of the information; ("utiliser", "utilisation")

"witness" means a person, whether or not a party to a proceeding, who, in the course of the proceeding,

  (a)  is examined or cross-examined for discovery, either orally or in writing,

  (b)  makes an affidavit, or

   (c)  is competent or compellable to be examined or cross-examined or to produce a document, whether under oath or not. ("témoin")

Quality of care information

   (2)  Subject to subsection (3), in this Act,

"quality of care information" means information that,

  (a)  is collected or prepared by or for a quality of care committee for the sole or primary purpose of assisting the committee in carrying out its quality of care functions,

  (b)  relates to the discussions and deliberations of a quality of care committee in carrying out its quality of care functions, or

   (c)  relates solely or primarily to any activity that a quality of care committee carries on as part of its quality of care functions, including information contained in records that a quality of care committee creates or maintains related to its quality of care functions.

What is not included

   (3)  "Quality of care information" does not include any of the following:

    1.  Information contained in a patient record.

    2.  Information contained in a record that is required by law to be created or to be maintained.

    3.  Information relating to a patient in respect of a critical incident that describes,

            i.  facts of what occurred with respect to the incident,

           ii.  what the quality of care committee or health facility has identified, if anything, as the cause or causes of the incident,

          iii.  the consequences of the critical incident for the patient, as they become known,

          iv.  the actions taken and recommended to be taken to address the consequences of the critical incident for the patient, including any health care or treatment that is advisable, or

           v.  the systemic steps, if any, that a health facility is taking or has taken in order to avoid or reduce the risk of further similar incidents.

  3.1  Information that consists of facts contained in a record of an incident involving the provision of health care to a patient.

    4.  Information that a regulation specifies is not quality of care information and that a quality of care committee collects or prepares after the day on which that regulation comes into force.

Application of Freedom of Information and Protection of Privacy Act

   3.  The Freedom of Information and Protection of Privacy Act does not apply to quality of care information.

Interviews and disclosure not affected

   4.  (1)  Nothing in this Act interferes with a requirement under applicable law for a health facility or health care provider to,

  (a)  interview a patient or the authorized representative of the patient or the patient's estate in any review of an incident or circumstances involving the provision of health care to the patient;

  (b)  include a staff member responsible for patient relations on a committee or other similar body conducting any review of a critical incident; or

  (a)  offer to interview a patient or the authorized representative of the patient or the patient's estate in any review of an incident or circumstances involving the provision of health care to the patient;

  (b)  include a person responsible for patient relations or providing patient perspectives to the facility on a committee or other similar body conducting any review of a critical incident; or

   (c)  disclose information specified under the applicable law that is related to a critical incident to a patient or the authorized representative of the patient or the patient's estate.

Authorized representative

   (2)  For the purposes of subsection (1), the authorized representative of a patient includes a person who was lawfully authorized to make treatment decisions on behalf of the patient immediately prior to the patient's death, or who would have been so authorized if the patient had been incapable.

Conflict

   5.  In the event of a conflict between a provision of this Act or its regulations and a provision of any other Act or its regulations, this Act and its regulations prevail unless this Act or its regulations specifically provide otherwise.

Restrictions on use of committee

   6.  Where a regulation has been made restricting or prohibiting the use of a quality of care committee for the purpose of reviewing critical incidents, every quality of care committee and health facility shall comply with that regulation.

Quality of care information continues

   7.  Quality of care information collected by or for a quality of care committee while it is constituted and operating in accordance with this Act shall continue to be treated as quality of care information after,

  (a)  the quality of care committee by or for which the information was collected is no longer in operation; or

  (b)  a health facility or entity that established, appointed or approved the quality of care committee is no longer eligible to establish, appoint or approve a quality of care committee.

Disclosure to quality of care committee

   8.  (1)  Despite this Act and the Personal Health Information Protection Act, 2004, a person may disclose any information to a quality of care committee for the purposes of carrying out quality of care functions.

Disclosure among committees

   (2)  Any quality of care committee may disclose any information, including quality of care information, to any other quality of care committee for the purpose of carrying out quality of care functions, and any person may disclose information that has been disclosed to any quality of care committee to any other quality of care committee.

Restriction, personal health information

   (3)  A disclosure permitted under this section shall not contain more personal health information, as defined in the Personal Health Information Protection Act, 2004, than is reasonably necessary for the purpose of the disclosure.

Restriction on disclosure

   9.  (1)  Despite the Personal Health Information Protection Act, 2004, no person shall disclose quality of care information except as permitted by this Act.

Definition

   (2)  In this section,

"management", with respect to a health facility, includes members of the senior management staff, the board of directors, governors or trustees and members of the commission or other governing body or authority of the facility.

Exception, quality of care committee

   (3)  Despite subsection (1) and the Personal Health Information Protection Act, 2004, a quality of care committee may disclose quality of care information to,

  (a)  the management of a health facility that established, appointed or approved the committee if the committee considers it appropriate to do so for the purpose of improving or maintaining the quality of health care provided in or by the facility; or

  (b)  the management of a health facility or health care provider, where a quality oversight entity carries on activities for the purpose of improving or maintaining the quality of health care provided by the facility, the provider or a class including the facility or the provider, if the committee considers it appropriate to do so for the purpose of improving or maintaining the quality of health care provided in or by the facility, provider or class.

Exception, any person

   (4)  Despite subsection (1) and the Personal Health Information Protection Act, 2004, a person may disclose quality of care information if the disclosure is necessary for the purposes of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons.

Further disclosure of information

   (5)  A member of the management of a health facility or health care provider described in subsection (3) to whom quality of care information is disclosed under that subsection may disclose the information to an agent or employee of the facility or provider if the disclosure is necessary for the purposes of improving or maintaining the quality of health care provided in or by the facility or provider.

Use of information

   (6)  A person to whom information is disclosed under subsection (3), (4) or (5) shall not use the information except for the purposes for which the information was disclosed to the person.

Restriction on further disclosure

   (7)  A person to whom information is disclosed under subsection (3), (4) or (5) shall not disclose the information except if subsection (4) or (5) permits the disclosure.

Restriction, personal health information

   (8)  A disclosure permitted under this section shall not contain more personal health information, as defined in the Personal Health Information Protection Act, 2004, than is reasonably necessary for the purpose of the disclosure.

Non-disclosure in proceeding

   10.  (1)  No person shall ask a witness and no court or other body holding a proceeding shall permit or require a witness in the proceeding to disclose quality of care information.

Non-admissibility of evidence

   (2)  Quality of care information is not admissible in evidence in a proceeding.

Non-retaliation

   11.  No one shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage a person by reason that the person has disclosed information to a quality of care committee under section 8.

Offence

   12.  (1)  Every person who contravenes section 9 or 11 is guilty of an offence.

Penalty

   (2)  A person who is guilty of an offence under subsection (1) is liable, on conviction,

  (a)  to a fine of not more than $50,000, if the person is an individual; or

  (b)  to a fine of not more than $250,000, if the person is a corporation.

Officers, etc.

   (3)  If a corporation commits an offence under this Act, every officer, member, employee or other agent of the corporation who authorized the offence, or who had the authority to prevent the offence from being committed but knowingly refrained from doing so, is a party to and guilty of the offence and is liable, on conviction, to the penalty for the offence, whether or not the corporation has been prosecuted or convicted.

Immunity

   13.  (1)  No action or other proceeding may be instituted against a person who in good faith discloses information to a quality of care committee at the request of the committee or for the purposes of assisting the committee in carrying out quality of care functions.

Same, committee member

   (2)  No action or other proceeding, including a prosecution for an offence under section 12, may be instituted in respect of,

  (a)  a member of a quality of care committee who, in good faith, discloses quality of care information for a purpose described in subsection 9 (3); or

  (b)  a person who, in good faith, discloses information for a purpose described in subsection 9 (4), if the disclosure is reasonable in the circumstances.

Same, failure to disclose

   (3)  No action or other proceeding may be instituted against a member of a committee in respect of the failure of the committee to make a disclosure described in subsection 9 (3) or (4).

Review

   14.  Within five years of the coming into force of this section, and at five-year intervals thereafter, the Minister shall conduct a review of this Act.

Regulations

   15.  (1)  Subject to section 16, the Lieutenant Governor in Council may make regulations,

  (a)  defining any term used in this Act that is not defined in this Act;

  (b)  subject to subsection (2), governing anything that this Act refers to as being prescribed, provided for or specified in the regulations;

   (c)  for carrying out the purposes and provisions of this Act.

Minister's regulations

   (2)  The Minister may make regulations,

  (a)  prescribing anything that the definition of "health care", "health facility" or "quality of care committee" in subsection 2 (1) mentions as being prescribed;

  (b)  restricting or prohibiting the use of quality of care committees for the purpose of reviewing critical incidents.

Public consultation before making regulations

   16.  (1)  The Lieutenant Governor in Council shall not make any regulation under subsection 15 (1) unless,

  (a)  the Minister has published a notice of the proposed regulation on a website of the Government of Ontario and in any other format the Minister considers advisable;

  (b)  the notice complies with the requirements of this section;

   (c)  the time periods specified in the notice, during which members of the public may exercise a right described in clause (2) (b) or (c), have expired; and

  (d)  the Minister has considered whatever comments and submissions that members of the public have made on the proposed regulation in accordance with clause (2) (b) or (c) and has reported to the Lieutenant Governor in Council on what, if any, changes to the proposed regulation the Minister considers appropriate.

Contents of notice

   (2)  The notice mentioned in clause (1) (a) shall contain,

  (a)  a description of the proposed regulation and the text of it;

  (b)  a statement of the time period during which members of the public may submit written comments on the proposed regulation to the Minister and the manner in which and the address to which the comments must be submitted;

   (c)  a description of whatever other rights, in addition to the right described in clause (b), that members of the public have to make submissions on the proposed regulation and the manner in which and the time period during which those rights must be exercised;

  (d)  a statement of where and when members of the public may review written information about the proposed regulation; and

  (e)  all other information that the Minister considers appropriate.

Time period for comments

   (3)  The time period mentioned in clauses (2) (b) and (c) shall be at least 30 days after the Minister gives the notice mentioned in clause (2) (a) unless the Minister shortens the time period in accordance with subsection (4).

Shorter time period for comments

   (4)  The Minister may shorten the time period if, in the Minister's opinion,

  (a)  the urgency of the situation requires it;

  (b)  the proposed regulation clarifies the intent or operation of this Act or the regulations; or

   (c)  the proposed regulation is of a minor or technical nature.

Discretion to make regulations

   (5)  Upon receiving the Minister's report mentioned in clause (1) (d), the Lieutenant Governor in Council, without further notice under subsection (1), may make the proposed regulation with the changes that the Lieutenant Governor in Council considers appropriate, whether or not those changes are mentioned in the Minister's report.

No public consultation

   (6)  The Minister may decide that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under this section if, in the Minister's opinion,

  (a)  the urgency of the situation requires it;

  (b)  the proposed regulation clarifies the intent or operation of this Act or the regulations; or

   (c)  the proposed regulation is of a minor or technical nature.

Same

   (7)  If the Minister decides that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under this section,

  (a)  those subsections do not apply to the power of the Lieutenant Governor in Council to make the regulation; and

  (b)  the Minister shall give notice of the decision to the public as soon as is reasonably possible after making the decision.

Contents of notice

   (8)  The notice mentioned in clause (7) (b) shall include a statement of the Minister's reasons for making the decision and all other information that the Minister considers appropriate.

Publication of notice

   (9)  The Minister shall publish the notice mentioned in clause (7) (b) on a website of the Government of Ontario and give the notice by all other means that the Minister considers appropriate.

Temporary regulation

   (10)  If the Minister decides that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under this section because the Minister is of the opinion that the urgency of the situation requires it, the regulation shall,

  (a)  be identified as a temporary regulation in the text of the regulation; and

  (b)  unless it is revoked before its expiry, expire at a time specified in the regulation, which shall not be after the second anniversary of the day on which the regulation comes into force.

No review

   (11)  Subject to subsection (12), a court shall not review any action, decision, failure to take action or failure to make a decision by the Lieutenant Governor in Council or the Minister under subsections (1) to (10).

Exception

   (12)  Any person resident in Ontario may make an application for judicial review under the Judicial Review Procedure Act on the grounds that the Minister has not taken a step required by subsections (1) to (10).

Time for application

   (13)  No person shall make an application under subsection (12) with respect to a regulation later than 21 days after the regulation is filed.

Repeal

   17.  (1)  The Quality of Care Information Protection Act, 2004 is repealed.

Transition

   (2)  Despite subsection (1), the Quality of Care Information Protection Act, 2004, as it existed at the relevant time before its repeal, continues to apply to quality of care information created before its repeal.

Commencement

   18.  The Act set out in this Schedule comes into force on a day to be named by proclamation of the Lieutenant Governor.

Short title

   19.  The short title of the Act set out in this Schedule is the Quality of Care Information Protection Act, 2016.

 

This reprint of the Bill is marked to indicate the changes that were made in Committee.

The changes are indicated by underlines for new text and a strikethrough for deleted text.

 

______________

 

 

 

EXPLANATORY NOTE

Schedule 1
Amendments to the Personal Health Information Protection act, 2004 and to certain related statutes

Numerous amendments are made to the Personal Health Information Protection Act, 2004 to provide for the development and maintenance of the electronic health record and for the collection, use and disclosure of personal health information by means of the electronic health record.

The definition of "use" in section 2 of the Act is amended to clarify that the viewing of personal health information, including the viewing of the information by means of the electronic health record, constitutes a use of personal health information under the Act.

A new section 11.1 is added to require that a health information custodian take reasonable steps to ensure that personal health information is not collected without authority.

The notice requirements in subsections 12 (2) and (3) of the Act which currently require notice to be given to an individual wherever personal health information about the individual in the custody or control of a health information custodian is lost, stolen or accessed by an unauthorized person, are amended to apply to any unauthorized use or disclosure, instead of just access by unauthorized persons.  Subsection 12 (2) of the Act is also amended to ensure that notice is given to the Commissioner and that the notice to the individual include a statement that the individual has the right to make a complaint to the Commissioner under Part VI.

Section 17 of the Act currently allows health information custodians to permit agents to collect, use or disclose personal health information on behalf of the custodian.  The section is amended to clarify that such a permission may be subject to conditions or restrictions imposed by the custodian or to prescribed requirements.  Amendments are also made to clarify the respective responsibilities of the custodian and its agent where personal health information is collected, used or disclosed by the agent.

New section 17.1 will ensure that a health information custodian give notice to the College of a regulated health profession under the Regulated Health Professions Act, 1991 or to the Ontario College of Social Workers and Social Service Workers if a member of the College, who is employed by the custodian, who holds privileges with the custodian or who is affiliated with it, has committed or is suspected of having committed an unauthorized collection, use, disclosure, retention or disposal of personal health information and if, as a result of such unauthorized action, the custodian takes disciplinary action with respect to the member's employment, privileges or affiliation. Notice must also be given to such a College by a health information custodian who is a medical officer of health of a board of health if similar circumstances arise involving a member of the College who is employed to provide health care for the board of health and is an agent of the health information custodian.

Section 34 of the Act is amended to permit prescribed persons who are not health information custodians to collect and use health numbers for purposes related to the electronic health record.

Section 51 of the Act is amended to make Part V of the Act apply to the prescribed organization as if it were a health information custodian with respect to the specified records and as if the organization has custody or control of the records.  Section 51 is also amended to apply Part V to certain records in the custody or control of a health information custodian.

The Schedule adds a new Part V.1, entitled "Electronic Health Record", to the Act.

Various terms are defined for the purposes of Part V.1 and interpretation rules are added to describe when a health information custodian is considered to be collecting, using or disclosing personal health information by means of the electronic health record.

The Lieutenant Governor in Council is given the power to prescribe one or more organizations to act as the prescribed organization under the Act.

The prescribed organization is required to exercise enumerated functions with respect to the electronic health record, and must comply with specified requirements in developing and maintaining the electronic health record.  The Minister is authorized to make directives to the prescribed organization with respect to the carrying out of these responsibilities and functions.  The Minister would be required to take the recommendations of the advisory committee and the Information and Privacy Commissioner into account before so directing the prescribed organization.

Part V.1 prohibits a health information custodian from collecting personal health information by means of the electronic health record except for the purposes of providing or assisting in the provision of health care to an individual, or eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, where the health information custodian believes on reasonable grounds that the collection is necessary for this purpose. Part V.1 permits health information custodians to collect, use and disclose prescribed data elements for the purpose of uniquely identifying individuals in order to collect their personal health information that is accessible by means of the electronic health record.

An individual may provide to the prescribed organization a directive that withholds or withdraws the individual's consent to the collection, use and disclosure of his or her personal health information by means of the electronic health record for the purpose of providing or assisting in the provision of health care to the individual.  The individual is permitted to amend and modify a directive previously made. The prescribed organization would be required to comply with the directive.

A health information custodian is authorized to disclose personal health information despite the contents of a consent directive in specified circumstances, including: to another health information custodian if the custodian that is seeking to collect the information obtains the express consent of the individual to whom the information relates; to another custodian if the custodian that is seeking to collect the information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the individual to whom the information relates, and it is not reasonably possible for the custodian to obtain the individual's consent in a timely manner; and to another custodian if the custodian that is seeking to collect the information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person other than the individual to whom the information relates or to a group of persons.

The prescribed organization is required to audit, log and monitor access to personal health information that is the subject of a consent directive, and provide notice to health information custodians where consent directives are overridden as described above.  A health information custodian so notified would be required to notify the individual who made the consent directive and the Information and Privacy Commissioner.

Despite a consent directive, the prescribed organization is permitted to utilize personal health information to provide alerts to health information custodians about potentially harmful medication interactions, as long as the information that is subject to the directive is not provided.

The Minister may collect personal health information by means of the electronic health record for funding, planning and delivering health services funded by the Government of Ontario, and for detecting, monitoring or preventing fraud or inappropriate receipt of health-related payments, goods or services funded by the Government of Ontario.  The Minister may use this information to conduct audits where there are reasonable grounds to believe there has been an inappropriate receipt of a payment, service or good funded by the Government of Ontario, and may disclose this information where required by law, for the purpose of a legal proceeding or to a law enforcement agency for investigation purposes. The Lieutenant Governor in Council must prescribe a unit of the Ministry to collect and use the information for these purposes. Part V.1 would require the prescribed unit to take certain steps to de-identify such personal health information.  The prescribed unit would be required to put in place practices and procedures to protect the privacy of the individuals whose personal health information the Ministry collects for such purposes.  These practices and procedures would require the approval of the Information and Privacy Commissioner every three years.

When the required conditions are met, the Minister may direct the disclosure of personal health information that is accessible by means of the electronic health record to specified persons as if the Minister had custody or control of the information for the purposes of certain provisions of the Act.  In directing the prescribed organization to make such disclosures, the Minister is required to take into account any recommendations of the advisory committee.

The Minister is required to establish an advisory committee for the purpose of making recommendations to the Minister concerning specified matters related to the electronic health record.  The Minister may determine the terms of reference of the advisory committee, and appointments to the committee.  The Ministry shall provide administrative support for the committee.

Part V.1 protects a health information custodian from liability with respect to personal health information that the custodian provides in good faith to the prescribed organization.

Regulation-making powers of the Lieutenant Governor in Council are set out at the end of Part V.1.

The Act is amended to increase fines for persons guilty of offences under the Act, to provide that there is no limitation period for prosecution for offences under the Act and to permit the court to take precautions to avoid the disclosure of personal health information in the course of an investigation or a prosecution under the Act.  The Act is also amended to require the consent of the Attorney General for the commencement of any prosecution under the Act and to allow the Crown to elect to have a provincial judge preside over a proceeding under the Act.

The Drug Interchangeability and Dispensing Fee Act is amended to remove the requirement that certain instructions on prescriptions be handwritten.

The Narcotics Safety and Awareness Act, 2010 is amended to allow the Minister or executive officer to disclose personal information about monitored drugs to certain individuals in specified circumstances.

The Regulated Health Professions Act, 1991 is amended to permit the Minister to make regulations requiring the College of a regulated health profession to collect from its members information specified in the regulations that is necessary for the purpose of developing or maintaining the electronic health record and requiring the College to provide such information to the prescribed organization.  A member of the College would be required to comply with the College's request for information.

schedule 2
Quality of Care Information Protection Act, 2016

The Quality of Care Information Protection Act, 2004 is repealed and replaced. The purpose of the Act is to enable confidential discussions in which information relating to errors, systemic problems and opportunities for quality improvement in health care delivery can be shared within authorized health facilities, in order to improve the quality of health care delivered to patients.

Among the matters provided for in the Act:

    1.   "Quality of care information" is defined, and matters that the term does not include are provided for including specified information relating to critical incidents.

    2.   It is provided that nothing in the Act interferes with a requirement under applicable law for a health facility or health care provider to conduct interviews and disclose information with regard to critical incidents.

    3.   It is provided that despite the Personal Health Information Protection Act, 2004, a person may disclose any information to a quality of care committee for the purposes of carrying out quality of care functions. However, no more personal health information may be disclosed than is reasonably necessary.

    4.   Rules are set out concerning the disclosure and use of quality of care information.

    5.   Offences and regulation-making powers are provided for.

 

[41] Bill 119 Original (PDF)

Bill 119 2015

An Act to amend the Personal Health Information Protection Act, 2004, to make certain related amendments and to repeal and replace the Quality of Care Information Protection Act, 2004

Her Majesty, by and with the advice and consent of the Legislative Assembly of the Province of Ontario, enacts as follows:

Contents of Act

   1.  This Act consists of this section, sections 2 and 3 and the Schedules to this Act. 

Commencement

   2.  (1)  Subject to subsections (2) and (3), this Act comes into force on the day it receives Royal Assent.

Same

   (2)  The Schedules to this Act come into force as provided in each Schedule. 

Same

   (3)  If a Schedule to this Act provides that any provisions are to come into force on a day to be named by proclamation of the Lieutenant Governor, a proclamation may apply to one or more of those provisions, and proclamations may be issued at different times with respect to any of those provisions.

Short title

   3.  The short title of this Act is the Health Information Protection Act, 2015.

 

Schedule 1
Amendments to the Personal Health Information Protection act, 2004 and to certain related statutes

Personal Health Information Protection Act, 2004

   1.  (1)  Section 2 of the Personal Health Information Protection Act, 2004 is amended by adding the following definitions:

"Ministry" means the Ministry of Health and Long-Term Care; ("ministère")

"prescribed organization" means the organization prescribed for the purposes of Part V.1 and, if more than one organization is prescribed, means every applicable prescribed organization; ("organisation prescrite")

   (2)  The definition of "use" in section 2 of the Act is amended by striking out "means to handle or deal with the information" and substituting "means to view, handle or otherwise deal with the information".

   (3)  The Act is amended by adding the following section:

Steps to ensure collection

   11.1  A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information is not collected without authority.

   (4)  Subsections 12 (2) and (3) of the Act are repealed and the following substituted:

Notice of theft, loss, etc. to individual

   (2)  Subject to subsection (4) and to the exceptions and additional requirements, if any, that are prescribed, if personal health information about an individual that is in the custody or control of a health information custodian is stolen or lost or if it is used or disclosed without authority, the health information custodian shall,

  (a)  notify the individual at the first reasonable opportunity of the theft or loss or of the unauthorized use or disclosure; and

  (b)  include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI.

Notice to Commissioner

   (3)  If the circumstances surrounding a theft, loss or unauthorized use or disclosure referred to in subsection (2) meet the prescribed requirements, the health information custodian shall notify the Commissioner of the theft or loss or of the unauthorized use or disclosure.

Exception

   (4)  If the health information custodian is a researcher who has received the personal health information from another health information custodian under subsection 44 (1), the researcher shall not notify the individual if the information is stolen or lost or if it is used or disclosed without authority, unless the health information custodian that disclosed the personal health information under subsection 44 (1),

  (a)  first obtains the individual's consent to having the researcher contact the individual; and

  (b)  informs the researcher that the individual has given the consent.

   (5)  Clause 17 (1) (b) of the Act is repealed and the following substituted:

  (b)  the collection, use, disclosure, retention or disposal of the information, as the case may be, is necessary in the course of the agent's duties and is not contrary to this Act or another law; and

   (6)  Section 17 of the Act is amended by adding the following subsection:

Same

   (1.1)  A permission granted to an agent under subsection (1) may be subject to such conditions or restrictions as the health information custodian may impose.

   (7)  Subsections 17 (2) and (3) of the Act are repealed and the following substituted:

Restriction, collection, use, etc. by agents

   (2)  An agent of a health information custodian may collect, use, disclose, retain or dispose of personal health information only if,

  (a)  the collection, use, disclosure, retention or disposal of the information, as the case may be,

           (i)  is permitted by the custodian in accordance with subsection (1),

          (ii)  is necessary for the purpose of carrying out his or her duties as agent of the custodian, and

         (iii)  complies with any conditions or restrictions that the custodian has imposed under subsection (1.1); and

  (b)  the prescribed requirements, if any, are met.

Responsibilities of health information custodian

   (3)  A health information custodian shall,

  (a)  take steps that are reasonable in the circumstances to ensure that no agent of the custodian collects, uses, discloses, retains or disposes of personal health information unless it is in accordance with subsection (2); and

  (b)  remain responsible for any personal health information that is collected, used, disclosed, retained or disposed of by the custodian's agents, regardless of whether or not the collection, use, disclosure, retention or disposal was carried out in accordance with subsection (2).

Responsibilities of the agent

   (4)  An agent of a health information custodian shall,

  (a)  comply with the conditions or restrictions imposed by the health information custodian on the agent's collection, use, disclosure, retention or disposal of personal health information under subsection (1.1); and

  (b)  notify the custodian at the first reasonable opportunity if personal health information that the agent collected, used, disclosed, retained or disposed of on behalf of the custodian is stolen or lost or if it is used or disclosed without authority.

   (8)  The Act is amended by adding the following section:

Notice to governing College

Definition

   17.1  (1)  In this section,

"College" means,

  (a)  in the case of a member of health profession regulated under the Regulated Health Professions Act, 1991, a College of the health profession named in Schedule 1 to that Act, and

  (b)  in the case of a member of the Ontario College of Social Workers and Social Service Workers, that College.

Termination, suspension, etc. of employed members

   (2)  Subject to any exceptions and additional requirements, if any, that are prescribed, if a health information custodian employs a health care practitioner who is a member of a College, the health information custodian shall give written notice of any of the following events to the College within 30 days of the event occurring:

    1.  The employee is terminated, suspended or subject to disciplinary action as a result of the unauthorized collection, use, disclosure, retention or disposal of personal health information by the employee.

    2.  The employee resigns and the health information custodian has reasonable grounds to believe that the resignation is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the employee.

Member's privileges revoked, etc.

   (3)  Subject to any exceptions and additional requirements, if any, that are prescribed, if a health information custodian extends privileges to, or is otherwise affiliated with, a health care practitioner who is a member of a College, the custodian shall give written notice of any of the following events to the College within 30 days of the event occurring:

    1.  The member's privileges are revoked, suspended or restricted, or his or her affiliation is revoked, suspended or restricted, as a result of the unauthorized collection, use, disclosure, retention or disposal of personal health information by the member.

    2.  The member relinquishes or voluntarily restricts his or her privileges or his or her affiliation and the health information custodian has reasonable grounds to believe that the relinquishment or restriction is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the member.

Contents of notice

   (4)  A notice made under this section shall meet the prescribed requirements, if any.

   (9)  Subsection 34 (2) of the Act is amended by striking out "or" at the end of clause (c), by adding "or" at the end of clause (d) and by adding the following clause:

  (e)  if the person is prescribed and is collecting or using the health number, as the case may be, for purposes related to the electronic health record developed and maintained by the prescribed organization.

   (10)  Section 51 of the Act is amended by adding the following subsections:

Application to prescribed organization

   (5)  Subject to any exceptions and additional requirements, if any, that are prescribed, this Part applies to the prescribed organization as if it were a health information custodian with respect to the following records and as if the prescribed organization has custody or control of the records:

    1.  A record of personal health information that is accessible to health information custodians by means of the electronic health record developed and maintained by the prescribed organization.

    2.  The electronic records kept by the prescribed organization under paragraphs 4, 5 and 6 of section 55.3.

Application to record of a custodian

   (6)  Subject to any exceptions and additional requirements, if any, that are prescribed, this Part applies to a record in the custody or control of a health information custodian respecting all instances where all or part of the personal health information of the individual that is accessible by means of the electronic health record developed and maintained by the prescribed organization is viewed, handled or otherwise dealt with by the custodian.

   (11)  The Act is amended by adding the following Part:

Part v.1
Electronic Health Record

Interpretation

   55.1  (1)  In this Part,

"advisory committee" means the advisory committee established by the Minister under section 55.11; ("comité consultatif")

"consent directive" means a directive under section 55.6 and includes a directive to modify or withdraw a directive that has already been made; ("directive en matière de consentement")

"de-identify" and related expressions have the same meaning as in subsection 47 (1); ("anonymiser")

"electronic health record" means the electronic systems that are developed and maintained by the prescribed organization for the purpose of enabling health information custodians to collect, use and disclose personal health information by means of the systems in accordance with this Part and the regulations made under this Part; ("dossier de santé électronique")

"identifying information" has the same meaning as in subsection 4 (2). ("renseignements identificatoires")

What constitutes collection, use, disclosure re: electronic health record

   (2)  Despite anything in section 2, for the purposes of this Part, a health information custodian is considered to be collecting, using or disclosing personal health information in the following circumstances:

    1.  When a health information custodian views, handles or otherwise deals with all or part of an individual's personal health information by means of the electronic health record and that information was provided to the prescribed organization by another health information custodian,

            i.  the health information custodian is considered to be collecting the personal health information if it is viewing, handling or otherwise dealing with the information for the first time, and

           ii.  the health information custodian is considered to be using the personal health information each time it subsequently views, handles or otherwise deals with the information.

    2.  Whenever a health information custodian views, handles or otherwise deals with all or part of an individual's personal health information by means of the electronic health record and that information was provided to the prescribed organization by the custodian, the custodian is considered to be using the personal health information.

    3.  A health information custodian who provides personal health information to the prescribed organization is considered to be disclosing the information only when another health information custodian collects the information by means of the electronic health record.

Same, where information provided to prescribed organization

   (3)  Despite anything in section 2, when a health information custodian provides personal health information to the prescribed organization,

  (a)  the custodian is considered not to be disclosing the information to the prescribed organization; and

  (b)  the prescribed organization is considered not to be collecting the information from the custodian.

   (12)  The Act is amended by adding the following section:

Electronic health record

   55.2  (1)  The prescribed organization has the power and the duty to develop and maintain the electronic health record in accordance with this Part and the regulations made under this Part.

Functions of prescribed organization

   (2)  The prescribed organization shall perform the following functions:

    1.  Manage and integrate personal health information it receives from health information custodians.

    2.  Ensure the proper functioning of the electronic health record by servicing the electronic systems that support the electronic health record.

    3.  Ensure the accuracy and quality of the personal health information accessible by means of the electronic health record by conducting data quality assurance activities on the personal health information it receives from health information custodians.

    4.  Conducting analysis of the personal health information that is accessible by means of the electronic health record in order to provide alerts and reminders to health information custodians for their use in the provision of health care to individuals.

Other powers and duties

   (3)  In addition to carrying out the powers, duties and functions described in this Part and in Part V, the prescribed organization shall carry out any prescribed powers, duties or functions.

   (13)  The Act is amended by adding the following section:

Requirements for electronic health record

   55.3  The prescribed organization shall comply with the following requirements in developing and maintaining the electronic health record:

    1.  It shall take reasonable steps to limit the personal health information it receives to that which is reasonably necessary for developing and maintaining the electronic health record.

    2.  It shall not permit its employees or any other person acting on its behalf to view, handle or otherwise deal with the personal health information received from health information custodians, unless the employee or person acting on behalf of the prescribed organization agrees to comply with the restrictions that apply to the prescribed organization.

    3.  It shall make available to the public and to each health information custodian that provides personal health information to it,

            i.  a plain language description of the electronic health record, including a general description of the administrative, technical and physical safeguards in place to,

                  A.  protect against theft, loss and unauthorized collection, use or disclosure of the personal health information that is accessible by means of the electronic health record,

                  B.  protect the personal health information that is accessible by means of the electronic health record against unauthorized copying, modification or disposal, and

                  C.  protect the integrity, security and confidentiality of the personal health information that is accessible by means of the electronic health record, and

           ii.  any directives, guidelines and policies of the prescribed organization that apply to the personal health information that is accessible by means of the electronic health record, to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information.

    4.  It shall,

            i.  keep an electronic record of all instances where all or part of the personal health information that is accessible by means of the electronic health record is viewed, handled or otherwise dealt with, and ensure that the record identifies the individual to whom the information relates, the type of information that is viewed, handled or otherwise dealt with, all persons who have viewed, handled or otherwise dealt with the information, and the date, time and location of the viewing, handling, or dealing with, and

           ii.  in the event that a health information custodian has requested that the prescribed organization transmit to the custodian personal health information that is accessible by means of the electronic health record, keep an electronic record of all instances where personal health information is transmitted to the custodian by means of the electronic health record, and ensure that the record identifies the individual to whom the information relates, the type of information that is transmitted, the custodian requesting the information, the date and time that the information was transmitted, and the location to which the information was transmitted.

    5.  It shall keep an electronic record of all instances where a consent directive is made, withdrawn or modified, and shall ensure that the record identifies the individual who made, withdrew or modified the consent directive, the instructions that the individual provided regarding the consent directive, the health information custodian, agent or other person to whom the directive is made, withdrawn or modified, and the date and time that the consent directive was made, withdrawn or modified.

    6.  It shall keep an electronic record of all instances where all or part of the personal health information that is accessible by means of the electronic health record is disclosed under section 55.7 and shall ensure that the record identifies the health information custodian that disclosed the information, the health information custodian that collected the information, any agent of the health information custodian who collected the information, the individual to whom the information relates, the type of information that was disclosed, the date and time of the disclosure and the purpose of the disclosure.

    7.  It shall audit and monitor the electronic records that it is required to keep under paragraphs 4, 5 and 6.

    8.  It shall, upon the request of the Commissioner provide to the Commissioner, for the purposes of Part VI, the electronic records kept under paragraphs 4, 5 and 6.

    9.  It shall, upon request of a health information custodian that requires the records to audit and monitor its compliance with this Act, provide to the custodian or an agent acting on the custodian's behalf, the records kept under paragraphs 4, 5 and 6.

  10.  It shall perform, for each system that retrieves, processes or integrates personal health information that is accessible by means of the electronic health record, an assessment with respect to,

            i.  threats, vulnerabilities and risks to the security and integrity of the personal health information, and

           ii.          how each of those systems may affect the privacy of the individuals to whom the information relates.

  11.  It shall notify, at the first reasonable opportunity, each health information custodian that provided personal health information to the prescribed organization if the personal health information that the health information custodian provided is stolen or lost or if it is collected, used or disclosed without authority.

  12.  It shall,

            i.  make available to each health information custodian that provided personal health information to the prescribed organization a written copy of the results of the assessments carried out under paragraph 10 that relates to the personal health information the custodian provided, and

           ii.  make available to the public a summary of the results of the assessments carried out under paragraph 10.

  13.  It shall ensure that any third party it retains to assist in providing services for the purpose of developing or maintaining the electronic health record agrees to comply with the restrictions and conditions that are necessary to enable the prescribed organization to comply with all these requirements.

  14.  It shall have in place and comply with practices and procedures,

            i.  that are for the purpose of protecting the privacy of the individuals whose personal health information it receives and for maintaining the confidentiality of the information, and

           ii.  that are approved by the Commissioner.

  15.  It shall notify the Commissioner, in writing, immediately after becoming aware that personal health information that is accessible by means of the electronic health record,

            i.  has been viewed, handled or otherwise dealt with by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations, or

           ii.  has been made available or released by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations.

  16.  It shall submit to the Commissioner, at least annually, a report in the form and manner specified by the Commissioner, and based on or containing any information, other than personal health information, that is kept in the electronic record required under paragraph 6 that the Commissioner may specify, respecting every instance in which personal health information was disclosed under section 55.7 since the time of the last report.

  17.  It shall comply with the practices and procedures prescribed in the regulations when managing consent directives.

  18.  It shall have in place and comply with practices and procedures that have been approved by the Minister for responding to or facilitating a response to a request made by an individual under Part V in respect of the individual's record of personal health information that is accessible by means of the electronic health record.

  19.  It shall comply with such other requirements as may be prescribed in the regulations.

   (14)  The Act is amended by adding the following section:

Minister's directives

   55.4  (1)  The Minister may make directives to the prescribed organization with respect to the carrying out of its powers, duties and functions under this Part, and the prescribed organization shall comply with the directives of the Minister.

Consultation

   (2)  Before making a directive under subsection (1), the Minister shall,

  (a)  submit a draft of the directive to the Commissioner and the advisory committee for the purpose of reviewing and making recommendations on the draft directive; and

  (b)  consider the recommendations, if any, made by the Commissioner and the advisory committee and amend the directive if the Minister considers it appropriate to do so.

Timing

   (3)  The Minister shall allow the Commissioner and the advisory committee a period of at least 30 days for the purposes of review and recommendation under subsection (2), unless the Minister believes that there are urgent circumstances involving a significant risk to privacy or the confidentiality of personal health information, in which case the Minister may abridge the review period for both the Commissioner and the advisory committee to not less than five business days.

   (15)  The Act is amended by adding the following section:

Collection, use, disclosure by custodians

Restrictions on collection

   55.5  (1)  A health information custodian shall not collect personal health information by means of the electronic health record except for the purpose of,

  (a)  providing or assisting in the provision of health care to the individual to whom the information relates; or

  (b)  eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, where the health information custodian believes on reasonable grounds that the collection is necessary for this purpose.

Unique identification

   (2)  A health information custodian may collect, use and disclose prescribed data elements for the purpose of uniquely identifying an individual in order to collect personal health information under subsection (1).

Where consent directive exists

   (3)  Despite subsection (1), where personal health information that is accessible by means of the electronic health record is subject to a consent directive made by an individual under subsection 55.6 (1), a health information custodian may only collect the personal health information in the circumstances permitted under subsection 55.7 (1), (2) or (3).

Use or disclosure

   (4)  A health information custodian that collects personal health information under clause (1) (a) may use or disclose the information for any purpose for which this Act permits or requires a custodian to use or disclose of personal health information.

Same

   (5)  Despite any other provision in this Act or the regulations, a health information custodian that collects personal health information under clause (1) (b) may only use or disclose the information for the purpose for which the information was collected.

Section 12 obligations

   (6)  If a health information custodian requests that the prescribed organization transmit personal health information to the custodian by means of the electronic health record, the custodian shall comply with the obligations referred to in section 12 with respect to that information, regardless of whether the custodian has viewed, handled or otherwise dealt with the information.

Same, notice of unauthorized collection

   (7)  Subject to the exceptions and additional requirements, if any, that are prescribed, and in addition to any notice that is required to be given in the case of an unauthorized use or disclosure under subsections 12 (2) and (3), if personal health information about an individual is collected without authority by means of the electronic health record, the health information custodian who is responsible for the unauthorized collection shall,

  (a)  notify the individual at the first reasonable opportunity of the unauthorized collection, and include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI; and

  (b)  notify the Commissioner.

   (16)  The Act is amended by adding the following section:

Consent directives

   55.6  (1)  Subject to the limitations prescribed in the regulations, if any, an individual may at any time make a directive that withholds or withdraws, in whole or in part, the individual's consent to the collection, use and disclosure of his or her personal health information by means of the electronic health record by a health information custodian for the purposes of providing or assisting in the provision of health care to the individual.

Compliance

   (2)  Where the prescribed organization receives a directive made under subsection (1), it shall, in accordance with the requirements prescribed in the regulations, if any, implement the directive.

Withdrawal or modifications

   (3)  Subject to the limitations prescribed in the regulations, if any, an individual who has made a directive under subsection (1) may withdraw or modify the directive.

How to make directive

   (4)  An individual may make a directive under subsection (1) or withdraw or modify a directive under subsection (3) by submitting the directive to the prescribed organization.

Must contain sufficient detail

   (5)  The directive must contain sufficient detail to enable the prescribed organization to implement the directive.

Assistance

   (6)  If the directive does not contain sufficient detail to enable the prescribed organization to implement the directive with reasonable efforts, the prescribed organization shall offer assistance to the person in reformulating the directive to comply with subsection (5).

Information re directives

   (7)  If a health information custodian seeks to collect personal health information that is subject to a consent directive, the prescribed organization shall notify the custodian that an individual has made a directive under subsection (1) and shall ensure that no personal health information that is subject to the directive is provided.

   (17)  The Act is amended by adding the following section:

Consent overrides

   55.7  (1)  Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record if the custodian that is seeking to collect the information obtains the express consent of the individual to whom the information relates.

Same, protection of individual

   (2)  Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record if,

  (a)  the custodian that is seeking to collect the personal health information believes, on reasonable grounds, that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the individual to whom the information relates; and

  (b)  it is not reasonably possible for the health information custodian that is seeking to collect the personal health information to obtain the individual's consent in a timely manner.

Same, protection of others

   (3)  Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record, if the health information custodian that is seeking to collect the personal health information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person other than the individual to whom the information relates or to a group of persons.

Use or disclosure

   (4)  Despite any other provision in this Act or its regulations, a health information custodian that collects personal health information under subsection (1), (2) or (3) may only use or disclose the information for the purpose for which the information was collected.

Audit, etc.

   (5)  The prescribed organization shall audit and monitor every instance where personal health information is collected in the circumstances described in subsection (1), (2) or (3).

Notice re consent overrides

   (6)  Where personal health information has been collected in the circumstances described in subsection (1), (2) or (3), the prescribed organization shall immediately provide written notice, in accordance with the requirements in the regulations, to the health information custodian that collected the personal health information.

Same

   (7)  Upon receiving notice under subsection (6), the custodian that collected the personal health information in the circumstances described in subsection (1), (2) or (3) shall, at the first reasonable opportunity,

  (a)  notify the individual to whom the information relates, in accordance with the requirements in the regulations; and

  (b)  if the personal health information has been collected in the circumstances described in subsection (3), give written notice to the Commissioner, in accordance with the regulations, in a manner that does not provide identifying information about the individual to whom the information relates or the person or group of persons at significant risk of serious bodily harm.

No identifying information

   (8)  Where personal health information has been collected in the circumstances described in subsection (3), in notifying the individual to whom the information relates, the custodian shall not provide identifying information about the person or group of persons at significant risk of serious bodily harm.

   (18)  The Act is amended by adding the following section:

Medication interaction checks

   55.8  Despite the contents of a consent directive, personal health information may be utilized by a system that is maintained by the prescribed organization and that retrieves, processes or integrates personal health information that is accessible by means of the electronic health record to provide alerts to health information custodians about potentially harmful medication interactions, as long as the alerts do not reveal personal health information that is subject to the consent directive.

   (19)  The Act is amended by adding the following section:

Collection of information by Ministry

   55.9  (1)  Despite section 55.5, and subject to subsection (2), the Minister may collect personal health information by means of the electronic health record for the purposes of,

  (a)  funding, planning or delivering health services that the Government of Ontario funds in whole or in part, directly or indirectly, or allocating resources to any of them; or

  (b)  detecting, monitoring or preventing fraud or inappropriate receipt of a payment, service or good, including any subsidy or other benefit funded in whole or in part, directly or indirectly, by the Government of Ontario, where such payment, service or good is health-related or is prescribed in the regulations.

Practices and procedures

   (2)  The Minister may only collect personal health information under subsection (1), if,

  (a)  the Lieutenant Governor in Council has prescribed not more than one unit of the Ministry to collect personal health information under subsection (1) on the Minister's behalf; and

  (b)  the prescribed unit of the Ministry has put in place practices and procedures,

           (i)  to protect the privacy of the individuals whose personal health information the Minister collects, and to maintain the confidentiality of the information, and

          (ii)  that are approved by the Commissioner.

De-identification

   (3)  Where personal health information has been collected by the Minister under subsection (1), the prescribed unit shall, subject to the additional requirements, if any, that are prescribed, and in accordance with the practices and procedures approved by the Commissioner under subclause (2) (b) (ii),

  (a)  create a record containing the minimal amount of personal health information necessary for the purpose of de-identifying the information and linking it to other information in the custody or control of the Minister; and

  (b)  de-identify the personal health information.

Link

   (4)  The prescribed unit of the Ministry may link the personal health information that has been de-identified under subsection (3) to other de-identified personal health information under the custody and control of the Minister.

Use in auditing, etc.

   (5)  The Minister may use personal health information collected under subsection (1) to conduct audits where there are reasonable grounds to believe there has been inappropriate receipt of a payment, service or good, including any subsidy or other benefit funded in whole or in part, directly or indirectly, by the Government of Ontario and where such payment, service or good is health-related or is prescribed in the regulations, if,

  (a)  the Lieutenant Governor in Council has prescribed not more than one unit of the Ministry to use the personal health information for the purpose set out in this subsection on the Minister's behalf; and

  (b)  the prescribed unit of the Ministry has put in place practices and procedures,

           (i)  to protect the privacy of the individuals whose personal health information the Minister collects, and to maintain the confidentiality of the information, and

          (ii)  that are approved by the Commissioner.

Disclosure

   (6)  The Minister may disclose personal health information used in an audit mentioned in subsection (5) if,

  (a)  the disclosure is required by law;

  (b)  the disclosure is for the purpose of a proceeding or contemplated proceeding in which the Minister or an agent or former agent of the Minister is, or is expected to be, a party or witness and the information relates to or is a matter in issue in the proceeding or contemplated proceeding; or

   (c)  the Minister has reasonable grounds to believe the audit reveals a contravention of the laws of Ontario or Canada and the disclosure is to a law enforcement agency in Canada to aid in an ongoing investigation by the agency or to enable the agency to determine whether to conduct an investigation, with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result. 

No other uses and disclosures permitted

   (7)  Despite any other provision in this Act or the regulations, the Minister shall not use or disclose the personal health information collected under subsection (1) except as authorized by this section.

Direction to prescribed organization

   (8)  The Minister may issue a direction requiring the prescribed organization to provide the Minister with the information that the Minister is authorized to collect under subsection (1), and the prescribed organization must comply with the direction.

Terms and conditions

   (9)  A direction made under subsection (8) may specify the form, manner and timeframe in which the information that is the subject of the direction is to be provided to the Minister.

Disclosure

   (10)  If the Minister collects personal health information by means of the electronic health record under subsection (1), the disclosure of the personal health information to the Minister by the health information custodian who provided it to the prescribed organization is deemed to be permitted under this Act.

   (20)  The Act is amended by adding the following section:

Provision of information for purposes other than health care

   55.10  (1)  Despite any other provision in this Act or the regulations, the Minister may direct the disclosure of personal health information that is accessible by means of the electronic health record to a person, as if the Minister had custody or control of the information, if,

  (a)  a person has requested that the Minister disclose the personal health information in accordance with clause 39 (1) (c), subsection 39 (2), section 44 or 45 of this Act;

  (b)  the personal health information requested by the person was provided to the prescribed organization under this Part by more than one health information custodian;

   (c)  the Minister has,

           (i)  submitted the request to the advisory committee,

          (ii)  provided the advisory committee with 30 days to review the request and make recommendations to the Minister, and

         (iii)  considered the recommendations, if any, made by the advisory committee; and

  (d)  the Minister has determined that the disclosure of the personal health information would be in accordance with clause 39 (1) (c), subsection 39 (2) or section 44 or 45.

Shorter time period

   (2)  The Minister may shorten the time period in subclause (1) (c) (ii) if,

  (a)  in the Minister's opinion, the urgency of the situation requires it; and

  (b)  the request is for the disclosure of personal health information in accordance with subsection 39 (2).

Must comply

   (3)  The prescribed organization must comply with a direction under this section.

Terms and conditions

   (4)  A direction under this section may specify the form, manner and timeframe in which the information that is the subject of the direction is to be disclosed.

Disclosure only if necessary

   (5)  The Minister shall not direct the disclosure of personal health information under this section if other information will serve the purpose of the disclosure.

Only necessary disclosure

   (6)  The Minister shall not direct the disclosure of more personal health information than is reasonably necessary to meet the purpose of the disclosure.

   (21)  The Act is amended by adding the following section:

Advisory committee

   55.11  (1)  The Minister shall establish an advisory committee for the purpose of making recommendations to the Minister concerning,

  (a)  practices and procedures that the prescribed organization must have in place for the purpose of protecting the privacy of the individuals whose personal health information it receives and for maintaining confidentiality with respect to the information;

  (b)  practices and procedures that the prescribed organization must have in place for responding or facilitating a response to a request made by an individual under Part V for a record of personal health information relating to the individual that is accessible by means of the electronic health record;

   (c)  the administrative, technical and physical safeguards the prescribed organization should have in place to protect the privacy of the individuals whose personal health information it receives and to maintain confidentiality with respect to the information;

  (d)  the role of the prescribed organization in assisting a health information custodian to fulfil its obligations to give notice under subsection 12 (2) and 55.5 (6) and (7) in the event that personal health information that is accessible by means of the electronic health record is stolen or lost or is collected, used or disclosed without authority;

  (e)  the provision of notice in the event that personal health information that is accessible by means of the electronic health record is stolen or lost or is collected, used or disclosed without authority;

   (f)  anything that is referred to in this Part or in the regulations as capable of being the subject of a recommendation of the advisory committee; and

  (g)  any other matter referred to the advisory committee by the Minister.

Terms of reference

   (2)  Subject to the other provisions of this Part, the Minister shall determine the terms of reference of the advisory committee, including terms of reference with respect to conflicts of interest, the membership of the committee and the organization and governance of the committee.

Appointments

   (3)  The Minister shall appoint the members of the advisory committee in accordance with the requirements, if any, prescribed in the regulations.

Support by Ministry

   (4)  The Ministry,

  (a)  shall provide administrative support for the advisory committee;

  (b)  shall have custody and control of the records of the advisory committee for the purposes of the Freedom of Information and Protection of Privacy Act; and

   (c)  is responsible for compliance with the Archives and Recordkeeping Act, 2006, in connection with records created by or supplied to the advisory committee.

   (22)  The Act is amended by adding the following section:

Practices and procedures review

   55.12  (1)  The Commissioner shall review the practices and procedures of the prescribed organization referred to in paragraph 14 of section 55.3 and those of a prescribed unit of the Ministry referred to in clauses 55.9 (2) (b) and (5) (b) every three years after they are first approved to determine if the practices and procedures continue to meet the requirements of subparagraph 14 i of section 55.3 or of subclause 55.9 (2) (b) (i) or (5) (b) (i), as the case may be, and, after the review, the Commissioner may renew the approval.

Notice by Commissioner

   (2)  The Commissioner shall advise the prescribed organization or prescribed unit, as the case may be, of the results of its review under subsection (1).

   (23)  The Act is amended by adding the following section:

Regulations

   55.13  (1)  The Lieutenant Governor in Council may make regulations for carrying out the purposes and provisions of this Part.

Same

   (2)  Without limiting the generality of subsection (1), the Lieutenant Governor in Council may make regulations,

  (a)  prescribing an organization as the prescribed organization for the purposes of this Part and respecting the purposes for which the organization is prescribed, subject to subsection (3); 

  (b)  prescribing additional powers, duties and functions of the prescribed organization;

   (c)  prescribing additional requirements with which the prescribed organization must comply in developing or maintaining the electronic health record;

  (d)  specifying data elements collected, used or disclosed by a health information custodian under subsection 55.5 (2) that may not be made subject to a consent directive provided by an individual under subsection 55.6 (1);

  (e)  governing the notices that are required under section 55.7 and requiring notices under other circumstances and governing such notices;

   (f)  prescribing the level of specificity at which personal health information may be made subject to a consent directive, including whose collection, use and disclosure of the information may be restricted;

  (g)  prescribing the units of the Ministry that will be permitted to collect, use and disclose personal health information by means of the electronic health record on behalf of the Minister for the purposes described in section 55.9;

  (h)  requiring classes of health information custodians or specific health information custodians to provide personal health information to the prescribed organization under this Part and specifying what personal health information they are required to provide;

    (i)  respecting the provision of services related to the electronic health record by the prescribed organization directly to individuals;

    (j)  providing for anything that under this Part may or must be provided for or prescribed by the regulations.

Same, two or more organizations prescribed

   (3)  A regulation made under clause (2) (a) may prescribe more than one organization to act as the prescribed organization for the purposes of this Part and may provide for the respective powers, duties and functions of each organization under this Part.

Review

   (4)  The Minister shall review every regulation made under the authority of clause (2) (f) at least once in every three-year period.

Public consultation

   (5)  Section 74 applies, with necessary modification, to the making of a regulation under this section.

   (24)  Subsection 60 (1) of the Act is amended by adding "and" at the end of clause (a), by striking out "and" at the end of clause (b) and by striking out clause (c).

   (25)  Clauses 72 (2) (a) and (b) of the Act are repealed and the following substituted:

  (a)  if the person is a natural person, to a fine of not more than $100,000; and

  (b)  if the person is not a natural person, to a fine of not more than $500,000.

   (26)  Subsection 72 (5) of the Act is repealed and the following substituted:

Consent of Attorney General

   (5)  A prosecution shall not be commenced under subsection (1) without the consent of the Attorney General.

Presiding judge

   (6)  The Crown may, by notice to the clerk of the Ontario Court of Justice, require that a provincial judge preside over a proceeding in respect of an offence under subsection (1).

Protection of information

   (7)  In a prosecution for an offence under subsection (1) or where documents or materials are filed with a court under sections 158 to 160 of the Provincial Offences Act in relation to an investigation into an offence under this Act, the court may, at any time, take precautions to avoid the disclosure by the court or any person of any personal health information about an individual, including, where appropriate,

  (a)  removing the identifying information of any person whose personal health information is referred to in any documents or materials;

  (b)  receiving representations without notice;

   (c)  conducting hearings or parts of hearings in private; or

  (d)  sealing all or part of the court files.

No limitation

   (8)  Section 76 of the Provincial Offences Act does not apply to a prosecution under this Act.

   (27)  Subsection 73 (1) of the Act is amended by adding the following clause:

(n.1) requiring health information custodians to provide information to the Commissioner and specifying the type of information to be provided and the time at which and manner in which it is to be provided;

Drug Interchangeability and Dispensing Fee Act

   2.  Clause 4 (6) (a) of the Drug Interchangeability and Dispensing Fee Act is amended by striking out "handwritten" and substituting "written".

Narcotics Safety and Awareness Act, 2010

   3.  Subsections 5 (5) and (6) of the Narcotics Safety and Awareness Act, 2010 are repealed and the following substituted:

Disclosure to prescriber, dispenser etc.

   (5)  The Minister or the executive officer may disclose personal information about any monitored drugs that have or have not been prescribed or dispensed to a person to,

  (a)  a prescriber, if the prescriber is determining whether to prescribe a monitored drug to the person or has prescribed a monitored drug to the person;

  (b)  a dispenser, if the dispenser is determining whether to dispense a monitored drug to the person or has dispensed a monitored drug to the person; or

   (c)  an operator of a pharmacy, if a dispenser employed or retained by the pharmacy has dispensed a monitored drug to the person through the pharmacy.

Disclosure to health care practitioner

   (6)  The Minister or the executive officer may disclose personal information about any monitored drugs that have or have not been prescribed or dispensed to a person, to a health care practitioner who is providing health care to the person or assisting in providing health care to the person.

Definition, health care practitioner

   (7)  In subsection (6),

"health care practitioner" means a health care practitioner as defined in clause (a) of the definition of health care practitioner in section 2 of the Personal Health Information Protection Act, 2004.

Regulated Health Professions Act, 1991

   4.  The Regulated Health Professions Act, 1991 is amended by adding the following section:

Electronic health record

   36.2  (1)  The Minister may make regulations,

  (a)  requiring one or more Colleges to collect from their members information relating to their members that is specified in those regulations and that is, in the Minister's opinion, necessary for the purpose of developing or maintaining the electronic health record under Part V.1 of the Personal Health Information Protection Act, 2004, including ensuring that members are accurately identified for purposes of the electronic health record;

  (b)  requiring the College or Colleges to provide the information to the prescribed organization in the form, manner and timeframe specified by the prescribed organization;

   (c)  respecting the notice mentioned in subsection (4).

Members to provide information

   (2)  Where the Minister has made a regulation under subsection (1), and a College has requested information from a member in compliance with the regulation, the member shall comply with the College's request.

Use and disclosure by prescribed organization

   (3)  Despite a regulation made under subsection (1), the prescribed organization,

  (a)  may only collect, use or disclose information under this section for the purpose provided for in subsection (1);

  (b)  shall not use or disclose personal information collected under this section if other information will serve the purpose; and

   (c)  shall not use or disclose more personal information collected under this section than is necessary for the purpose.

Notice required by s. 39 (2) of FIPPA

   (4)  Where the Minister has made a regulation under subsection (1), and a College is required to collect personal information from its members, the notice required by subsection 39 (2) of the Freedom of Information and Protection of Privacy Act is given by,

  (a)  a public notice posted on the prescribed organization's website; or

  (b)  any other public method that may be prescribed in regulations made by the Minister under subsection (1).

Same

   (5)  If the prescribed organization publishes a notice referred to under subsection (4), the prescribed organization shall advise the College of the notice and the College shall also publish a notice about the collection on the College's website within 20 days.

Definitions

   (6)  In this section,

"information" includes personal information, but does not include personal health information; ("renseignements")

"personal health information" has the same meaning as in section 4 of the Personal Health Information Protection Act, 2004; ("renseignements personnels sur la santé")

"prescribed organization" has the same meaning as in section 2 of the Personal Health Information Protection Act, 2004. ("organisation prescrite")

Commencement

   5.  This Schedule comes into force on a day to be named by proclamation of the Lieutenant Governor.

 

schedule 2
Quality of Care Information Protection Act, 2015

CONTENTS

Preamble

1.

Purpose

2.

Interpretation

3.

Application of Freedom of Information and Protection of Privacy Act

4.

Interviews and disclosure not affected

5.

Conflict

6.

Restrictions on use of committee

7.

Quality of care information continues

8.

Disclosure to quality of care committee

9.

Restriction on disclosure

10.

Non-disclosure in proceeding

11.

Non-retaliation

12.

Offence

13.

Immunity

14.

Review

15.

Regulations

16.

Public consultation before making regulations

17.

Repeal

18.

Commencement

19.

Short title

______________

Preamble

The people of Ontario and their Government:

Believe in patient-centred health care;

Remain committed to improving the quality of health care provided by health facilities and maintaining the safety of patients;

Believe that quality health care and patient safety is best achieved in a manner that supports openness and transparency to patients and their authorized representatives regarding patient health care;

Recognize that health care providers and other staff in health facilities sometimes need to hold confidential discussions to identify and analyze errors affecting patients, systemic problems and opportunities for quality improvement in patient health care;

Believe that protections are needed to encourage and enable health care providers and other staff of health facilities to share all available information, provide honest assessment and opinions and participate in discussions to improve patient health care without fear of retaliation;

Believe that sharing information about critical incidents and quality improvement helps to improve the quality of health care for patients;

Are committed to ensuring that measures to facilitate the sharing of information for quality improvement purposes do not interfere with the right of patients and their authorized representatives to access information about their health care or with the obligations of health facilities to disclose such information to patients and their authorized representatives; and

Affirm that the inclusion of patients and their authorized representatives in the process of reviewing a critical incident helps to improve patient care, and therefore quality of care information protection must be implemented in a manner that supports such inclusion.

Purpose

   1.  The purpose of this Act is to enable confidential discussions in which information relating to errors, systemic problems and opportunities for quality improvement in health care delivery can be shared within authorized health facilities, in order to improve the quality of health care delivered to patients.

Interpretation

   2.  (1)  In this Act,

"critical incident" means any unintended event that occurs when a patient receives health care from a health facility that,

  (a)  results in death, or serious disability, injury or harm to the patient, and

  (b)  does not result primarily from the patient's underlying medical condition or from a known risk inherent in providing the health care; ("incident critique")

"disclose" means, with respect to quality of care information, to provide or make the information available to a person who is not a member of the quality of care committee with which the information is associated, and "disclosure" has a corresponding meaning; ("divulguer", "divulgation")

"health care" means any observation, examination, assessment, care, service or procedure that is done for a health-related purpose and that,

  (a)  is carried out or provided to diagnose, treat or maintain an individual's physical or mental condition,

  (b)  is carried out or provided to prevent disease or injury or to promote health, or

   (c)  is carried out or provided as part of palliative care,

and includes,

  (d)  the compounding, dispensing or selling of a drug, a device, equipment or any other item to an individual, or for the use of an individual, pursuant to a prescription, and

  (e)  a prescribed type of service; ("soins de santé")

"health facility" means,

  (a)  a hospital within the meaning of the Public Hospitals Act,

  (b)  a private hospital within the meaning of the Private Hospitals Act,

   (c)  a psychiatric facility within the meaning of the Mental Health Act,

  (d)  an independent health facility within the meaning of the Independent Health Facilities Act, or

  (e)  a prescribed entity that provides health care; ("établissement de santé")

"information" includes personal health information as defined in the Personal Health Information Protection Act, 2004; ("renseignements")

"Minister" means the Minister of Health and Long-Term Care; ("ministre")

"patient" means a recipient of health care; ("patient")

"patient record" means a record that is maintained for the purpose of providing health care to a patient; ("dossier du patient")

"prescribed" means prescribed by the regulations; ("prescrit")

"proceeding" includes a proceeding that is within the jurisdiction of the Legislature and that is held in, before or under the rules of a court, a tribunal, a commission, a justice of the peace, a coroner, a committee of a College within the meaning of the Regulated Health Professions Act, 1991, a committee of the Board of Regents continued under the Drugless Practitioners Act, a committee of the Ontario College of Social Workers and Social Service Workers under the Social Work and Social Service Work Act, 1998, an arbitrator or a mediator, but does not include any activities carried on by a quality of care committee; ("instance")

"quality of care committee" means a body of one or more individuals that performs quality of care functions and,

  (a)  that is established, appointed or approved,

           (i)  by a health facility,

          (ii)  by a quality oversight entity, or

         (iii)  by any combination of health facilities or quality oversight entities, and

  (b)  that meets the prescribed criteria, if any; ("comité de la qualité des soins")

"quality of care functions", in respect of a quality of care committee, means activities carried on for the purpose of studying, assessing or evaluating the provision of health care with a view to improving or maintaining the quality of the health care and include conducting reviews of critical incidents; ("fonctions liées à la qualité des soins")

"quality oversight entity" means a prescribed entity that carries on activities for the purpose of improving or maintaining the quality of care provided by a health facility, a health care provider or a class of health facility or health care provider; ("entité de surveillance de la qualité")

"regulations" mean the regulations made under this Act; ("règlements")

"use", with respect to quality of care information, does not include to disclose the information and "use", as a noun, does not include disclosure of the information; ("utiliser", "utilisation")

"witness" means a person, whether or not a party to a proceeding, who, in the course of the proceeding,

  (a)  is examined or cross-examined for discovery, either orally or in writing,

  (b)  makes an affidavit, or

   (c)  is competent or compellable to be examined or cross-examined or to produce a document, whether under oath or not. ("témoin")

Quality of care information

   (2)  Subject to subsection (3), in this Act,

"quality of care information" means information that,

  (a)  is collected or prepared by or for a quality of care committee for the sole or primary purpose of assisting the committee in carrying out its quality of care functions,

  (b)  relates to the discussions and deliberations of a quality of care committee in carrying out its quality of care functions, or

   (c)  relates solely or primarily to any activity that a quality of care committee carries on as part of its quality of care functions, including information contained in records that a quality of care committee creates or maintains related to its quality of care functions.

What is not included

   (3)  "Quality of care information" does not include any of the following:

    1.  Information contained in a patient record.

    2.  Information contained in a record that is required by law to be created or to be maintained.

    3.  Information relating to a patient in respect of a critical incident that describes,

            i.  facts of what occurred with respect to the incident,

           ii.  what the quality of care committee or health facility has identified, if anything, as the cause or causes of the incident,

          iii.  the consequences of the critical incident for the patient, as they become known,

          iv.  the actions taken and recommended to be taken to address the consequences of the critical incident for the patient, including any health care or treatment that is advisable, or

           v.  the systemic steps, if any, that a health facility is taking or has taken in order to avoid or reduce the risk of further similar incidents.

    4.  Information that a regulation specifies is not quality of care information and that a quality of care committee collects or prepares after the day on which that regulation comes into force.

Application of Freedom of Information and Protection of Privacy Act

   3.  The Freedom of Information and Protection of Privacy Act does not apply to quality of care information.

Interviews and disclosure not affected

   4.  (1)  Nothing in this Act interferes with a requirement under applicable law for a health facility or health care provider to,

  (a)  interview a patient or the authorized representative of the patient or the patient's estate in any review of an incident or circumstances involving the provision of health care to the patient;

  (b)  include a staff member responsible for patient relations on a committee or other similar body conducting any review of a critical incident; or

   (c)  disclose information specified under the applicable law that is related to a critical incident to a patient or the authorized representative of the patient or the patient's estate.

Authorized representative

   (2)  For the purposes of subsection (1), the authorized representative of a patient includes a person who was lawfully authorized to make treatment decisions on behalf of the patient immediately prior to the patient's death, or who would have been so authorized if the patient had been incapable.

Conflict

   5.  In the event of a conflict between a provision of this Act or its regulations and a provision of any other Act or its regulations, this Act and its regulations prevail unless this Act or its regulations specifically provide otherwise.

Restrictions on use of committee

   6.  Where a regulation has been made restricting or prohibiting the use of a quality of care committee for the purpose of reviewing critical incidents, every quality of care committee and health facility shall comply with that regulation.

Quality of care information continues

   7.  Quality of care information collected by or for a quality of care committee while it is constituted and operating in accordance with this Act shall continue to be treated as quality of care information after,

  (a)  the quality of care committee by or for which the information was collected is no longer in operation; or

  (b)  a health facility or entity that established, appointed or approved the quality of care committee is no longer eligible to establish, appoint or approve a quality of care committee.

Disclosure to quality of care committee

   8.  (1)  Despite this Act and the Personal Health Information Protection Act, 2004, a person may disclose any information to a quality of care committee for the purposes of carrying out quality of care functions.

Disclosure among committees

   (2)  Any quality of care committee may disclose any information, including quality of care information, to any other quality of care committee for the purpose of carrying out quality of care functions, and any person may disclose information that has been disclosed to any quality of care committee to any other quality of care committee.

Restriction, personal health information

   (3)  A disclosure permitted under this section shall not contain more personal health information, as defined in the Personal Health Information Protection Act, 2004, than is reasonably necessary for the purpose of the disclosure

Restriction on disclosure

   9.  (1)  Despite the Personal Health Information Protection Act, 2004, no person shall disclose quality of care information except as permitted by this Act.

Definition

   (2)  In this section,

"management", with respect to a health facility, includes members of the senior management staff, the board of directors, governors or trustees and members of the commission or other governing body or authority of the facility.

Exception, quality of care committee

   (3)  Despite subsection (1) and the Personal Health Information Protection Act, 2004, a quality of care committee may disclose quality of care information to,

  (a)  the management of a health facility that established, appointed or approved the committee if the committee considers it appropriate to do so for the purpose of improving or maintaining the quality of health care provided in or by the facility; or

  (b)  the management of a health facility or health care provider, where a quality oversight entity carries on activities for the purpose of improving or maintaining the quality of health care provided by the facility, the provider or a class including the facility or the provider, if the committee considers it appropriate to do so for the purpose of improving or maintaining the quality of health care provided in or by the facility, provider or class.

Exception, any person

   (4)  Despite subsection (1) and the Personal Health Information Protection Act, 2004, a person may disclose quality of care information if the disclosure is necessary for the purposes of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons.

Further disclosure of information

   (5)  A member of the management of a health facility or health care provider described in subsection (3) to whom quality of care information is disclosed under that subsection may disclose the information to an agent or employee of the facility or provider if the disclosure is necessary for the purposes of improving or maintaining the quality of health care provided in or by the facility or provider.

Use of information

   (6)  A person to whom information is disclosed under subsection (3), (4) or (5) shall not use the information except for the purposes for which the information was disclosed to the person.

Restriction on further disclosure

   (7)  A person to whom information is disclosed under subsection (3), (4) or (5) shall not disclose the information except if subsection (4) or (5) permits the disclosure.

Restriction, personal health information

   (8)  A disclosure permitted under this section shall not contain more personal health information, as defined in the Personal Health Information Protection Act, 2004, than is reasonably necessary for the purpose of the disclosure.

Non-disclosure in proceeding

   10.  (1)  No person shall ask a witness and no court or other body holding a proceeding shall permit or require a witness in the proceeding to disclose quality of care information.

Non-admissibility of evidence

   (2)  Quality of care information is not admissible in evidence in a proceeding.

Non-retaliation

   11.  No one shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage a person by reason that the person has disclosed information to a quality of care committee under section 8.

Offence

   12.  (1)  Every person who contravenes section 9 or 11 is guilty of an offence.

Penalty

   (2)  A person who is guilty of an offence under subsection (1) is liable, on conviction,

  (a)  to a fine of not more than $50,000, if the person is an individual; or

  (b)  to a fine of not more than $250,000, if the person is a corporation.

Officers, etc.

   (3)  If a corporation commits an offence under this Act, every officer, member, employee or other agent of the corporation who authorized the offence, or who had the authority to prevent the offence from being committed but knowingly refrained from doing so, is a party to and guilty of the offence and is liable, on conviction, to the penalty for the offence, whether or not the corporation has been prosecuted or convicted.

Immunity

   13.  (1)  No action or other proceeding may be instituted against a person who in good faith discloses information to a quality of care committee at the request of the committee or for the purposes of assisting the committee in carrying out quality of care functions.

Same, committee member

   (2)  No action or other proceeding, including a prosecution for an offence under section 12, may be instituted in respect of,

  (a)  a member of a quality of care committee who, in good faith, discloses quality of care information for a purpose described in subsection 9 (3); or

  (b)  a person who, in good faith, discloses information for a purpose described in subsection 9 (4), if the disclosure is reasonable in the circumstances.

Same, failure to disclose

   (3)  No action or other proceeding may be instituted against a member of a committee in respect of the failure of the committee to make a disclosure described in subsection 9 (3) or (4).

Review

   14.  Within five years of the coming into force of this section, and at five-year intervals thereafter, the Minister shall conduct a review of this Act.

Regulations

   15.  (1)  Subject to section 16, the Lieutenant Governor in Council may make regulations,

  (a)  defining any term used in this Act that is not defined in this Act;

  (b)  subject to subsection (2), governing anything that this Act refers to as being prescribed, provided for or specified in the regulations;

   (c)  for carrying out the purposes and provisions of this Act.

Minister's regulations

   (2)  The Minister may make regulations,

  (a)  prescribing anything that the definition of "health care", "health facility" or "quality of care committee" in subsection 2 (1) mentions as being prescribed;

  (b)  restricting or prohibiting the use of quality of care committees for the purpose of reviewing critical incidents.

Public consultation before making regulations

   16.  (1)  The Lieutenant Governor in Council shall not make any regulation under subsection 15 (1) unless,

  (a)  the Minister has published a notice of the proposed regulation on a website of the Government of Ontario and in any other format the Minister considers advisable;

  (b)  the notice complies with the requirements of this section;

   (c)  the time periods specified in the notice, during which members of the public may exercise a right described in clause (2) (b) or (c), have expired; and

  (d)  the Minister has considered whatever comments and submissions that members of the public have made on the proposed regulation in accordance with clause (2) (b) or (c) and has reported to the Lieutenant Governor in Council on what, if any, changes to the proposed regulation the Minister considers appropriate.

Contents of notice

   (2)  The notice mentioned in clause (1) (a) shall contain,

  (a)  a description of the proposed regulation and the text of it;

  (b)  a statement of the time period during which members of the public may submit written comments on the proposed regulation to the Minister and the manner in which and the address to which the comments must be submitted;

   (c)  a description of whatever other rights, in addition to the right described in clause (b), that members of the public have to make submissions on the proposed regulation and the manner in which and the time period during which those rights must be exercised;

  (d)  a statement of where and when members of the public may review written information about the proposed regulation; and

  (e)  all other information that the Minister considers appropriate.

Time period for comments

   (3)  The time period mentioned in clauses (2) (b) and (c) shall be at least 30 days after the Minister gives the notice mentioned in clause (2) (a) unless the Minister shortens the time period in accordance with subsection (4).

Shorter time period for comments

   (4)  The Minister may shorten the time period if, in the Minister's opinion,

  (a)  the urgency of the situation requires it;

  (b)  the proposed regulation clarifies the intent or operation of this Act or the regulations; or

   (c)  the proposed regulation is of a minor or technical nature.

Discretion to make regulations

   (5)  Upon receiving the Minister's report mentioned in clause (1) (d), the Lieutenant Governor in Council, without further notice under subsection (1), may make the proposed regulation with the changes that the Lieutenant Governor in Council considers appropriate, whether or not those changes are mentioned in the Minister's report.

No public consultation

   (6)  The Minister may decide that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under this section if, in the Minister's opinion,

  (a)  the urgency of the situation requires it;

  (b)  the proposed regulation clarifies the intent or operation of this Act or the regulations; or

   (c)  the proposed regulation is of a minor or technical nature.

Same

   (7)  If the Minister decides that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under this section,

  (a)  those subsections do not apply to the power of the Lieutenant Governor in Council to make the regulation; and

  (b)  the Minister shall give notice of the decision to the public as soon as is reasonably possible after making the decision.

Contents of notice

   (8)  The notice mentioned in clause (7) (b) shall include a statement of the Minister's reasons for making the decision and all other information that the Minister considers appropriate.

Publication of notice

   (9)  The Minister shall publish the notice mentioned in clause (7) (b) on a website of the Government of Ontario and give the notice by all other means that the Minister considers appropriate.

Temporary regulation

   (10)  If the Minister decides that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under this section because the Minister is of the opinion that the urgency of the situation requires it, the regulation shall,

  (a)  be identified as a temporary regulation in the text of the regulation; and

  (b)  unless it is revoked before its expiry, expire at a time specified in the regulation, which shall not be after the second anniversary of the day on which the regulation comes into force.

No review

   (11)  Subject to subsection (12), a court shall not review any action, decision, failure to take action or failure to make a decision by the Lieutenant Governor in Council or the Minister under subsections (1) to (10).

Exception

   (12)  Any person resident in Ontario may make an application for judicial review under the Judicial Review Procedure Act on the grounds that the Minister has not taken a step required by subsections (1) to (10).

Time for application

   (13)  No person shall make an application under subsection (12) with respect to a regulation later than 21 days after the regulation is filed.

Repeal

   17.  (1)  The Quality of Care Information Protection Act, 2004 is repealed.

Transition

   (2)  Despite subsection (1), the Quality of Care Information Protection Act, 2004, as it existed at the relevant time before its repeal, continues to apply to quality of care information created before its repeal.

Commencement

   18.  The Act set out in this Schedule comes into force on a day to be named by proclamation of the Lieutenant Governor.

Short title

   19.  The short title of the Act set out in this Schedule is the Quality of Care Information Protection Act, 2015.

 

EXPLANATORY NOTE

Schedule 1
Amendments to the Personal Health Information Protection act, 2004 and to certain related statutes

Numerous amendments are made to the Personal Health Information Protection Act, 2004 to provide for the development and maintenance of the electronic health record and for the collection, use and disclosure of personal health information by means of the electronic health record.

The definition of "use" in section 2 of the Act is amended to clarify that the viewing of personal health information, including the viewing of the information by means of the electronic health record, constitutes a use of personal health information under the Act.

A new section 11.1 is added to require that a health information custodian take reasonable steps to ensure that personal health information is not collected without authority.

The notice requirements in subsections 12 (2) and (3) of the Act which currently require notice to be given to an individual wherever personal health information about the individual in the custody or control of a health information custodian is lost, stolen or accessed by an unauthorized person, are amended to apply to any unauthorized use or disclosure, instead of just access by unauthorized persons.  Subsection 12 (2) of the Act is also amended to ensure that notice is given to the Commissioner and that the notice to the individual include a statement that the individual has the right to make a complaint to the Commissioner under Part VI.

Section 17 of the Act currently allows health information custodians to permit agents to collect, use or disclose personal health information on behalf of the custodian.  The section is amended to clarify that such a permission may be subject to conditions or restrictions imposed by the custodian or to prescribed requirements.  Amendments are also made to clarify the respective responsibilities of the custodian and its agent where personal health information is collected, used or disclosed by the agent.

New section 17.1 will ensure that a health information custodian give notice to the College of a regulated health profession under the Regulated Health Professions Act, 1991 or to the Ontario College of Social Workers and Social Service Workers if a member of the College, who is employed by the custodian, who holds privileges with the custodian or who is affiliated with it, has committed or is suspected of having committed an unauthorized collection, use, disclosure, retention or disposal of personal health information and if, as a result of such unauthorized action, the custodian takes disciplinary action with respect to the member's employment, privileges or affiliation.

Section 34 of the Act is amended to permit prescribed persons who are not health information custodians to collect and use health numbers for purposes related to the electronic health record.

Section 51 of the Act is amended to make Part V of the Act apply to the prescribed organization as if it were a health information custodian with respect to the specified records and as if the organization has custody or control of the records.  Section 51 is also amended to apply Part V to certain records in the custody or control of a health information custodian.

The Schedule adds a new Part V.1, entitled "Electronic Health Record", to the Act.

Various terms are defined for the purposes of Part V.1 and interpretation rules are added to describe when a health information custodian is considered to be collecting, using or disclosing personal health information by means of the electronic health record.

The Lieutenant Governor in Council is given the power to prescribe one or more organizations to act as the prescribed organization under the Act.

The prescribed organization is required to exercise enumerated functions with respect to the electronic health record, and must comply with specified requirements in developing and maintaining the electronic health record.  The Minister is authorized to make directives to the prescribed organization with respect to the carrying out of these responsibilities and functions.  The Minister would be required to take the recommendations of the advisory committee and the Information and Privacy Commissioner into account before so directing the prescribed organization.

Part V.1 prohibits a health information custodian from collecting personal health information by means of the electronic health record except for the purposes of providing or assisting in the provision of health care to an individual, or eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, where the health information custodian believes on reasonable grounds that the collection is necessary for this purpose. Part V.1 permits health information custodians to collect, use and disclose prescribed data elements for the purpose of uniquely identifying individuals in order to collect their personal health information that is accessible by means of the electronic health record.

An individual may provide to the prescribed organization a directive that withholds or withdraws the individual's consent to the collection, use and disclosure of his or her personal health information by means of the electronic health record for the purpose of providing or assisting in the provision of health care to the individual.  The individual is permitted to amend and modify a directive previously made. The prescribed organization would be required to comply with the directive.

A health information custodian is authorized to disclose personal health information despite the contents of a consent directive in specified circumstances, including: to another health information custodian if the custodian that is seeking to collect the information obtains the express consent of the individual to whom the information relates; to another custodian if the custodian that is seeking to collect the information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the individual to whom the information relates, and it is not reasonably possible for the custodian to obtain the individual's consent in a timely manner; and to another custodian if the custodian that is seeking to collect the information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person other than the individual to whom the information relates or to a group of persons.

The prescribed organization is required to audit, log and monitor access to personal health information that is the subject of a consent directive, and provide notice to health information custodians where consent directives are overridden as described above.  A health information custodian so notified would be required to notify the individual who made the consent directive and the Information and Privacy Commissioner.

Despite a consent directive, the prescribed organization is permitted to utilize personal health information to provide alerts to health information custodians about potentially harmful medication interactions, as long as the information that is subject to the directive is not provided.

The Minister may collect personal health information by means of the electronic health record for funding, planning and delivering health services funded by the Government of Ontario, and for detecting, monitoring or preventing fraud or inappropriate receipt of health-related payments, goods or services funded by the Government of Ontario.  The Minister may use this information to conduct audits where there are reasonable grounds to believe there has been an inappropriate receipt of a payment, service or good funded by the Government of Ontario, and may disclose this information where required by law, for the purpose of a legal proceeding or to a law enforcement agency for investigation purposes. The Lieutenant Governor in Council must prescribe a unit of the Ministry to collect and use the information for these purposes. Part V.1 would require the prescribed unit to take certain steps to de-identify such personal health information.  The prescribed unit would be required to put in place practices and procedures to protect the privacy of the individuals whose personal health information the Ministry collects for such purposes.  These practices and procedures would require the approval of the Information and Privacy Commissioner every three years.

When the required conditions are met, the Minister may direct the disclosure of personal health information that is accessible by means of the electronic health record to specified persons as if the Minister had custody or control of the information for the purposes of certain provisions of the Act.  In directing the prescribed organization to make such disclosures, the Minister is required to take into account any recommendations of the advisory committee.

The Minister is required to establish an advisory committee for the purpose of making recommendations to the Minister concerning specified matters related to the electronic health record.  The Minister may determine the terms of reference of the advisory committee, and appointments to the committee.  The Ministry shall provide administrative support for the committee.

Regulation-making powers of the Lieutenant Governor in Council are set out at the end of Part V.1.

The Act is amended to increase fines for persons guilty of offences under the Act, to provide that there is no limitation period for prosecution for offences under the Act and to permit the court to take precautions to avoid the disclosure of personal health information in the course of an investigation or a prosecution under the Act.  The Act is also amended to require the consent of the Attorney General for the commencement of any prosecution under the Act and to allow the Crown to elect to have a provincial judge preside over a proceeding under the Act.

The Drug Interchangeability and Dispensing Fee Act is amended to remove the requirement that certain instructions on prescriptions be handwritten.

The Narcotics Safety and Awareness Act, 2010 is amended to allow the Minister or executive officer to disclose personal information about monitored drugs to certain individuals in specified circumstances.   

The Regulated Health Professions Act, 1991 is amended to permit the Minister to make regulations requiring the College of a regulated health profession to collect from its members information specified in the regulations that is necessary for the purpose of developing or maintaining the electronic health record and requiring the College to provide such information to the prescribed organization.  A member of the College would be required to comply with the College's request for information.

schedule 2
Quality of Care Information Protection Act, 2015

The Quality of Care Information Protection Act, 2004 is repealed and replaced. The purpose of the Act is to enable confidential discussions in which information relating to errors, systemic problems and opportunities for quality improvement in health care delivery can be shared within authorized health facilities, in order to improve the quality of health care delivered to patients.

Among the matters provided for in the Act:

    1.   "Quality of care information" is defined, and matters that the term does not include are provided for including specified information relating to critical incidents.

    2.   It is provided that nothing in the Act interferes with a requirement under applicable law for a health facility or health care provider to conduct interviews and disclose information with regard to critical incidents.

    3.   It is provided that despite the Personal Health Information Protection Act, 2004, a person may disclose any information to a quality of care committee for the purposes of carrying out quality of care functions. However, no more personal health information may be disclosed than is reasonably necessary.

    4.   Rules are set out concerning the disclosure and use of quality of care information.

    5.   Offences and regulation-making powers are provided for.