On Dec. 3, 2021, the Québec government introduced Bill 19, An Act respecting health and social services information and amending various legislative provisions (Bill 19) which proposes a new legal framework for the management of health and social services information in Québec. One could say that Bill 19 fills a certain legal vacuum in this regard since Québec is the only Canadian province that does not have a specific privacy legislation for the health sector.
Several elements proposed by Bill 19, which contains more than 200 sections, are directly inspired by the new data protection requirements introduced by Bill 64. Given this, we encourage our readers to consult Québec Privacy Law Reform: A Compliance Guide for Organizations on the BLG website for a detailed analysis of these new requirements. This bulletin provides an overview of the reform proposed by Bill 19 in terms of health information management and discusses its main repercussions for organizations.
Table of contents
- Scope
- Accountability and governance
- Technological products and services
- Consent and transparency
- Research
- Access, correction and retention
- Breach reporting
- Penalties and enforcement
- Coming into force
1. Scope
In addition to amending several Québec statutes, Bill 19 proposes to repeal the Act respecting the sharing of certain health information and to replace it with the new Act respecting health and social services information and amending various legislative provisions (the ARHSSI).
Thus, the ARHSSI applies to health and social services information (HSSI) held by health and social services bodies (HSSBs). HSSI is deemed to include any information about an individual, whether or not it allows the individual to be identified, if it has one of the following characteristics:
- it concerns the individual’s state of physical or mental health and his or her health determinants, including his medical or family history;
- it concerns any material, including biological material, collected in the context of an assessment or treatment, and any implants, ortheses, prostheses or other aids that compensate for the individual’s disability;
- it concerns the health services or social services provided to the individual, including the nature of those services, their results, the location where they were provided and the identity of the persons or bodies that provided them;
- it was obtained in the exercise of a function under the Public Health Act; or
- any other characteristic determined by government regulation (s. 2, para. 1).1
Information concerning a personnel member of the body or a professional practising his or her profession within the body, including a student, a trainee, a mandatary or a service provider, is not HSSI when it is collected by that body for human resources management purposes (s. 2, para. 2).
It is important to mention that the concept of “health and social service information” within the meaning of the ARHSSI is broader than the notion of “personal information” since it does not require the information to be identifying.
That said, Bill 19 specifies that any identifier, such as an individual’s name, date of birth, contact information, health insurance number or any other information of the same nature, is considered HSSI when it is next to HSSI that meets one of the five aforementioned characteristics or when it is collected for the purpose of registering, enrolling or admitting the individual to or at a health and social services institution or for the purpose of having the individual taken in charge by another HSSB (s. 2, para. 3). In other words, personal information will be considered HSSI for the purposes of the ARHSSI if it is found alongside other HSSI about the individual (e.g. name + diagnosis). In fact, Bill 19 amends the Act respecting the protection of personal information in the private sector (the ARPPIPS) and the Act respecting access to documents held by public bodies and the protection of personal information (the Act respecting access) in order to specifically exclude health information, within the meaning of the ARHSSI, from their respective scopes of application (ss. 123 and 174).
Next, Bill 19 provides that the following organizations are HSSBs within the meaning of the ARHSSI:
- the Minister of Health and Social Services;
- a health and social services institution within the meaning of the Act respecting health services and social services;
- a person, partnership or body operating in the health and social services sector referred to in Schedule I or Schedule II;
- a person, partnership or body that enters into an agreement with an HSSB concerning the provision of certain health services or social services on behalf of that body (a “health and social service provider”). However, a health and social service provider will be subject to the ARHSSI only with respect to the activities associated with its provision of health and social services on behalf of an HSSB; and
- any other person, partnership or body determined by government regulation (s. 4).
The scope of the ARHSSI is considerably broader than that of the Act respecting health services and social services (the ARHSSS). Indeed, Schedule II of Bill 19 provides that a person or partnership operating a private health facility or a specialized medical centre is covered by the ARHSSI when it is not considered an “institution” within the meaning of the ARHSSS (see s. 95 of the ARHSSS). Schedule II also provides that laboratories, centres for assisted procreation, palliative care hospices and private seniors’ residences are all HSSBs.
2. Accountability and governance
The ARHSSI states that HSSBs must comply with the rules for the governance of HSSI defined by the Ministère de la Santé et des Services sociaux (MSSS) (s. 40). Those rules will set out the obligations of HSSBs concerning, among other things, the retention and monitoring of HSSI access logs, the minimizing of risks of a confidentiality incident, and the terms for keeping and destroying information (s. 41). HSSBs will need to adopt a governance policy in order to implement these rules; the policy must specify, among other things,
- the roles and responsibilities of the members of the personnel and professionals with regard to HSSI throughout its life cycle;
- the categories of individuals who may, in the exercise of their functions, access HSSI;
- the logging mechanisms and the security measures for ensuring the protection of HSSI;
- an update schedule for the technological products or services the body uses;
- a procedure for processing confidentiality incidents;
- a procedure for processing complaints regarding the protection of HSSI; and
- a description of the training and awareness activities concerning the protection of the HSSI the body provides to its personnel and to professionals (s. 54).
Much like Bill 64, the ARHSSI introduces an accountability principle with regard to the management of HSSI. Specifically, section 51 states that HSSBs are responsible for protecting the HSSI they hold. Along with this responsibility comes an obligation to take reasonable security measures to protect the information (s. 51, para. 2) and to ensure that information is accurate (s. 51, para. 3).
Another rule that tracks Bill 64 is that the individual with the highest authority within an HSSB is deemed, by default, to be the “person in charge of the protection of health and social services information” (s. 52). This function can however be delegated in whole or in part to a member of the body’s personnel, to a professional practising his or her profession within the body, or to a member of its board of directors. The title and contact information of the person in charge of the protection of HSSI are to be published on the body’s website. Unlike Bill 64, the ARHSSI does not allow the “person in charge” function to be delegated outside the body.
The ARHSSI states that HSSBs must log all accesses to the HSSI they hold, as well as all uses of such information by any member of their personnel and any professionals practising their profession within the body. Such logging must make it possible to identify the information accessed or used, the person who accessed or used it and the date and time it was accessed or used (s. 53).
Another key measure that the ARHSSI borrows from Bill 64 is the obligation to conduct a privacy impact assessment (PIA). Such assessments must be carried out prior to any project to acquire, develop or overhaul technological products or services or any electronic service delivery project, where the project involves the collection, use, keeping or destruction of HSSI or access to HSSI. A PIA must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information, the medium on which it is stored and its format. In addition, the PIA must ensure that computerized information collected from the individual is accessible to that person “in a structured, commonly used technological format.” (s. 55).
3. Technological products and services
The ARHSSI provides that the government may, by regulation, determine the cases and circumstances in which only a certified technological product or service may be used by an HSSB. Such certification is ensured by the Minister or by any person, partnership or body to whom or which the Minister entrusts responsibility for the product or service (s. 43). A list of certified technological products and services will be published on the Ministère’s website (s. 46). Accordingly, an HSSB may not, in the cases or circumstances provided for in a regulation, acquire or use a non-certified technological product or service (s. 44).
In addition, HSSBs must record in a register any technological product or service they use (s. 56). The term “technological product or service” means equipment, an application or a service required to collect, keep or access information, such as a database or an information system, a telecommunications system, technological infrastructure, software or a computer component of medical equipment (s. 3, para. 5).
4. Consent and transparency
The ARHSSI provides that HSSI is confidential and, subject to the consent of the individuals, it may be used, or access to it may be granted, only in accordance with the ARHSSI (s. 5). With respect to consent validity, the ARHSSI applies the same criteria introduced in Bill 64, namely, that consent must be clear, free and informed and be given for specific purposes, and must be requested for each such purpose, in clear and simple language (s. 6, para. 1). The ARHSSI empowers the government to determine by regulation the terms on which an individual may give consent (s. 6, para. 6).
It should be noted that the ARHSSI does not require the consent of the individuals for the collection of their HSSI, but does provide that an HSSB can collect only HSSI that is necessary for fulfilling its mission or its purpose, exercising its functions or activities or implementing a program under its management (s. 10). This test is similar to the test set out under section 64 of the Act respecting access, which provides that a public body cannot collect personal information if it is not necessary for the exercise of the rights and powers of the body or the implementation of a program under its management.
The ARHSSI contains an obligation of information that is similar to that in Bill 64 and is applicable upon the collection of information. Specifically, an HSSB must, upon collecting HSSI and subsequently upon request, inform the individual, in simple and clear language:
- of the name of the body collecting the information or on whose behalf it is collected;
- of the purposes for which the information is collected;
- of the means by which the information is collected;
- of his or her right to access or rectify the information; and
- of the period of time the information will be kept (s. 11).
In the private sector, this obligation of transparency is usually embodied in a privacy policy. Accordingly, in addition to establishing a governance policy as mentioned above, HSSBs might consider having an external privacy policy to provide individuals with details regarding how their HSSI will be handled.
The ARHSSI provides some exceptions that allow HSSBs to use HSSI for purposes other than those for which it was originally collected—specifically, where the use is:
- for purposes consistent with the purposes for which it was collected;
- clearly for the benefit of the individual;
- necessary for the application of an Act in Québec; or
- necessary for the exercise of its functions relating to the organization and assessment of health and social services, with a view to sound management (s. 12).
It is important to specify that the latter can only be invoked by the MSSS, a health or social services institution, or an HSSB referred to in Schedule I.2
Under the ARHSSI, an HSSB may allow a person, partnership or body to access HSSI it holds, to the extent that it is necessary for the application of an Act in Québec, and where the disclosure is expressly provided for by law (s. 34). In addition, if an HSSB can access or use HSSI in a form that does not allow the individual to be identified directly, it must access or use it in that form (s. 5, para. 3). Curiously, the ARHSSI does not use the concept of “de-identified information”, although it is found in section 116, under the penal provisions. However, the wording of section 5 seems to suggest a de-identification threshold for HSSI, that is to say the removal or alteration of direct identifiers.
5. Research
One goal of Bill 19 is to stimulate health research by simplifying data access for researchers. In this regard, the ARHSSI draws a distinction between internal and external research projects. Researchers attached to a health and social services institution (e.g. Hospital, CLSC, CHSLD, etc.) or to an HSSB referred to in Schedule I3 who wish to have access, without the consent of the individual, to HSSI necessary for carrying out a research project, must present a request for authorization to the institution or HSSB to which they are attached (s. 31). Researchers who wish to access HSSI held by another organization must present their request for authorization to the new research access centre established pursuant to section 62 of the ARHSSI (s. 32).
In both situations, the request for authorization must comply with several formalities, including a detailed presentation of the research activities, the completion of a PIA and the approval of the project by a research ethics committee (s. 31, para. 2).
Bill 19 does not define the concept of “researcher” suggesting that the term may apply to both public and private sector research initiatives. This means that a private sector organization could submit a request for authorization to the research access centre pursuant to section 32 of the ARHSSI. However, such access will be governed by an agreement between the researcher and the centre, which must specify, among other things, that the HSSI for which authorization is sought:
- may be made accessible only to individuals who need to examine it to exercise their functions and who have signed a confidentiality agreement;
- may not be used for purposes other than those specified in the detailed presentation of the activities related to the research project;
- may not be paired with any other information than that provided for in the detailed presentation of the activities related to the research project; and
- may not be communicated, published or otherwise distributed in a form allowing the individuals to be identified (s. 32, para. 3).
Furthermore, under section 5, paragraph 3 of the ARHSSI, where the research project can be carried out using only de-identified information, the agreement must specify that researchers may only have access to information in this form in carrying out their research (s. 32, para. 4(2)).
Although several questions remain unanswered—including the name of the public body that will act as the research access centre and the time it will take to process requests for authorization—the HSSI access regime introduced by Bill 19 looks promising for organizations conducting health research.
6. Access, correction and retention
The ARHSSI recognizes that individuals have a right to access their HSSI (s. 14), to request its correction where it is inaccurate, incomplete or equivocal, and to request its deletion if it was collected or is being kept in contravention of the law (s. 15). The ARHSSI also provides specific rules governing access to HSSI by third parties.
ARHSSI also provides that a government regulation can specify a minimum retention period for HSSI held by HSSBs. This period may vary depending, among other factors, on the types of information or the types of body involved (s. 60).
7. Breach reporting
The ARHSSI introduces a breach reporting regime that is very similar to the one provided in Bill 64. Thus, an HSSB will have to notify the Minister of Health and Social Services, the Commission d’accès à l’information (the CAI) and the affected individuals if there is cause to believe that a confidentiality incident involving HSSI it holds has occurred and the incident presents a risk of serious injury to the individuals (s. 57, para. 2).
The ARHSSI defines the concept of confidentiality incident as “an access not authorized by law to health or social services information, a use not authorized by law of such information, or loss of such information or any other breach of its protection” (s. 3). Unlike Bill 64, the ARHSSI does not expressly provide that the unauthorized disclosure of HSSI is a confidentiality incident although it could probably be considered as “any other breach of its protection.”
The factors to be considered in assessing the risk of injury for affected individuals are the same as those contained in Bill 64, namely:
- the sensitivity of the information;
- the anticipated consequences of its use; and
- the likelihood that such information will be used for injurious purposes (s. 58).
Like Bill 64, the ARHSSI requires the HSSB to record all confidentiality incidents in a register, regardless of their severity. Moreover, a copy of this register must be sent to the Minister of Health and Social Services or to the CAI upon request (s. 59).
8. Penalties and enforcement
The CAI is the public body charged with overseeing the enforcement of the ARHSSI. As part of this mission, it can carry out inspections, conduct investigations and issue orders (ss. 75 to 85).
The ARHSSI provides two categories of penal sanctions which differ according to the seriousness of the infraction and the potential fine amounts. The less serious offences carry a maximum fine of $10,000 for individuals and $30,000 for entities. The offences apply to anyone who:
- collects, uses, keeps, destroys or accesses HSSI without authorization;
- refuses to allow access to information or impedes such access, in particular by destroying, modifying or concealing the information or by unduly delaying its transmission;
- hinders the HSSI access authorization manager or the person in charge of the protection of HSSI in the exercise of its functions;
- fails to report, where required to do so, a confidentiality incident to the Minister or the CAI; or
- fails to comply with the conditions set out in a HSSI access authorization issued to a researcher (s. 115).
The most serious offences carry a maximum fine of $100,000 for individuals and $150,000 for entities. The offences apply to anyone who:
- allows access to information that cannot be made accessible under the ARHSSI;
- identifies or attempts to identify a natural person, without authorization, using de-identified or anonymized information;
- acquires or uses a non-certified technological product or service in contravention of a government regulation;
- fails to meet the accountability and governance requirements set out in sections 51 to 61 in relation to the protection of HSSI;
- impedes the progress of an inquiry, inspection or the hearing of an application by the CAI by providing it with false or inaccurate information or by omitting to provide information it requires;
- refuses or neglects to comply, within the prescribed time, with a demand issued by the CAI for the production of documents; or
- fails to comply with an order of the CAI (s. 116).
The prescription (limitation) period applicable to a penal prosecution instituted under the ARHSSI is five years after the commission of the offence (s. 122).
9. Coming into force
If adopted, the provisions of the ARHSSI will come into force on the dates to be set by the government (s. 221).
***
Public bodies and private-sector organizations are already experiencing a major overhaul of the legal framework governing the protection of personal information and if Bill 19 is adopted it will be the turn of health and social services bodies to undergo such a reform. Although several aspects of Bill 19 still require clarification, the proposed new regime seeks to provide better access to health data for research purposes as well as stronger safeguards and responsibilities with respect to the management and processing of health information in Québec.
For any questions regarding recent developments in Québec’s data protection framework, please contact a member of BLG’s Cybersecurity, Privacy & Data Protection Team.
1 Unless otherwise specified, the provisions referred to in this bulletin are from Bill 19.
2 Namely, the Health and Welfare Commissioner, the Commission sur les soins de fin de vie [Commission on end-of-life care], the Corporation d’urgences-santé [Québec’s public emergency medical service], Héma-Québec [the public body that coordinates blood, plasma and other donations], the Institut national d’excellence en santé et en services sociaux [Québec institute for excellence in health and social services], the Institut national de santé publique du Québec [Québec public health institute], the Régie de l’assurance maladie du Québec (RAMQ) or a body designated by the Minister that coordinates organ and tissue donations.
3 Id.