The Act respecting health and social services information (Law 5) establishes a new legal framework for the management of health and social services information (health information) in Québec. Law 5 reiterates several of the requirements introduced by Law 25 for the private and public sectors. Most of its provisions came into force on July 1, 2024.
This article highlights the key elements of the new legal framework. For a more detailed analysis of Law 5, featuring tables comparing it with Law 25, take a look at our comprehensive guide (note: in French only).
Scope
Law 5 governs the processing of health information by bodies in the health and social services sector (health and social services bodies, or HSSBs). This includes any information that allows a person to be identified and that has any of the following characteristics:
- it concerns the person’s state of physical or mental health, including medical or family history;
- it concerns any material collected from the person in the context of an assessment or treatment, or any implants, ortheses, prostheses or other aids that compensate for a disability;
- it concerns health or social services provided to the person;
- it was obtained in the exercise of a function under the Public Health Act; or
- any other characteristic determined by regulation.
Personal information such as name, date of birth, or health insurance number is also considered health information when it appears with other health information, such as in a medical assessment report, or when it is collected to register or admit the person to an HSSB.
Law 5 applies to the management of health information by HSSBs, which includes:
- the Ministère de la Santé et des Services sociaux;
- the Health and Welfare Commissioner, the Commission sur les soins de fin de vie, the Corporation d’urgences-santé, Héma-Québec, the Institut national d’excellence en santé et en services sociaux, the Institut national de santé publique du Québec, and the Régie de l’assurance maladie du Québec (RAMQ);
- a health and social services institution;
- a private health facility within the meaning of the Act respecting health services and social services;
- a specialized medical centre within the meaning of the Act respecting health services and social services;
- a centre for assisted procreation within the meaning of the Act respecting clinical and research activities relating to assisted procreation;
- a laboratory within the meaning of the Act respecting medical laboratories and organ and tissue conservation;
- an operator of ambulance services within the meaning of the Act respecting pre-hospital emergency services;
- a private seniors’ residence within the meaning of the Act respecting health services and social services;
- a funeral services business within the meaning of the Funeral Operations Act; or
- a palliative care hospice within the meaning of the Act respecting end-of-life care.
Any body providing services on behalf of an HSSB is itself considered an HSSB within the meaning of Law 5, but only for activities relating to the provision of health or social services on behalf of that body.
Governance and accountability
Law 5 requires the person exercising the highest authority within an HSSB to oversee the protection of information, unless all or part of that function has been delegated in writing to another person. The name and contact information of the person in charge must be sent to the Minister of Health and Social Services and the Commission d’accès à l’information (CAI).
Additionally, Law 5 requires HSSBs to adopt a health information governance policy outlining the roles and responsibilities of the members of personnel, access controls, logging mechanisms, procedures for handling confidentiality incidents and complaints, as well as training activities offered to personnel. This policy must be published on the organization’s website.
Finally, Law 5 establishes an obligation to log all instances of information use by all employees and professionals practising within the HSSB. This log must be included in an annual report to the Minister of Health and Social Services.
Technological products and services
Law 5 requires an HSSB to conduct a privacy impact assessment (PIA) for any project to acquire, develop or overhaul technological products or services or an electronic service delivery system involving the collection, keeping, use, communication or destruction of health information.
It also authorizes the Minister of Health and Social Services to determine, by regulation, the cases in which only a certified technological product or service may be acquired or used by an HSSB. If applicable, HSSBs must record every technological product and service they use in a register and make that register public.
Law 5 establishes a confidentiality by default obligation similar to the one set out in Law 25. An HSSB that collects health information when offering its clientele a technological product or service having privacy settings must ensure that those settings provide the highest level of confidentiality by default, without any intervention by the person concerned.
Consent, transparency, and use
Law 5 formally recognizes the sensitive nature of health information and specifies that it may only be used or communicated in accordance with the Act, or with the express consent of the person concerned.
Similarly, Law 5 stipulates that an HSSB may only collect information necessary for its mission, functions, or implementation of its programs. When collecting health information, the HSSB must inform the person concerned of:
- the name of the body collecting the information or on whose behalf it is collected;
- the purposes for which the information is collected;
- the means by which the information is collected;
- the person’s right to have access to the information or to have it rectified;
- the possibility of restricting or refusing access to the information and the terms under which this right can be exercised; and
- the period of time the information will be kept.
Law 5 also adopts the restrictions introduced in Law 25 on technologies designed to identify, locate, or profile. An HSSB collecting health information using a technology that includes functions for identifying, locating or profiling a person must inform the person concerned of the use of this technology and of the means available to activate the functions for identification, location, or profiling.
Outsourcing and transferring health information outside Québec
Law 5 introduces strict regulations for the transfer of health information to a service provider. An HSSB communicating health information to a third-party provider of services other than health or social services must enter into an agreement with that provider establishing:
- the provisions of Law 5 that are applicable to the communicated information;
- the protection measures the service provider must take to ensure that the information remains confidential, is used only for purposes of carrying out the mandate, and is retained only for the duration of the mandate;
- the obligation for all persons who will have access to the information to sign a confidentiality agreement;
- the use of technological products or services authorized by the HSSB;
- notification of any violation or attempted violation of any of the service provider’s confidentiality obligations;
- authorization for the HSSB to conduct any verification or investigation relating to the protection of the information; and
- the obligation to send the HSSB any information obtained or produced while carrying out the mandate.
Additionally, if an HSSB wishes to transmit health information outside Québec, Law 5 requires it to conduct a PIA that considers:
- the sensitivity of the information;
- the purposes for which it is to be used;
- applicable protection measures, including contractual clauses; and
- the legal framework applicable in the State in which the information would be communicated.
Research
Law 5 simplifies access to health information for research purposes, with specific terms depending on whether the researcher is affiliated to an HSSB.
- Researchers affiliated to an HSSB must submit a written request for authorization to the person in charge of the protection of information within the HSSB.
- Researchers not affiliated to an HSSB must submit their application to Santé Québec, the government-designated research access centre.
- In either case, the request for access must include a detailed description of the research project, a PIA, and a documented decision from an ethics committee.
Individual rights
Law 5 grants persons the right to access their health information and to request to have it rectified. It also confers upon them the right to restrict access to their health information by designating a specific service provider or category of service providers, certain members of their family, or researchers.
Conservation, destruction, and anonymization
Law 5 provides that an HSSB may not keep health information beyond the time required to achieve the purposes for which it was collected or used, subject to certain exceptions under the Archives Act or the Professional Code. Law 5 authorizes HSSBs to anonymize health information according to generally accepted best practices, as well as the criteria and terms determined by the Regulation respecting the anonymization of personal information.
Confidentiality incidents
Law 5 introduces a mandatory confidentiality incident notification regime consistent with the provisions of Law 25. An HSSB that has cause to believe that a confidentiality incident has occurred must take reasonable measures to reduce the risk of injury. The HSSB must notify the persons affected by the incident, as well as the CAI when the incident poses a risk of serious injury. This notice must contain the elements prescribed by regulation. HSSBs must likewise keep a register of confidentiality incidents.
Penalties and enforcement
The CAI is responsible for applying Law 5. Unlike Law 25, Law 5 does not introduce a procedure for administrative monetary penalties (AMPs). Law 5 does, however, provide for penal sanctions of up to $150,000 depending on the severity of the offence.
Contact us
For any questions concerning recent developments affecting the protection of personal information and health data in Québec, please contact a member of BLG’s Cybersecurity, Privacy & Data Protection Team.
The author is grateful to student-at-law Chloé Hughes-Légaré for her valuable contribution to this article.