Publication
Digitization of the health and social services network and the personal information it contains: How will your organization be affected?
Canada | Publication | August 6, 2024
In a recent update, we announced the publication of two draft regulations in the Gazette officielle du Québec concerning the Act respecting health and social services information (the Act)1. More than a year after the Act was assented to, several provisions of the statute and its regulations are now in force, and have been since July 1, 2024.
Purpose
The Act’s adoption is part of the profound changes being made to the health and social services network and the digitization that has been underway for a number of years in Quebec’s public sector. The Act seeks to improve the quality of the services offered to Quebecers by promoting the free circulation of health and social services information (HSSI) between the network’s various stakeholders.2 It establishes a governance model based on the responsibility and accountability of service providers and bodies in the health and social services sector (HSSB) to ensure the protection and allow the optimal use of HSSI.3 Another goal of the secure sharing of information is to encourage innovation and develop knowledge and technologies within the health and social services network.
Application
The Act applies to HSSBs, which include the Ministère de la Santé et des Services sociaux and public institutions such as hospitals. The Act’s scope is not limited to public bodies, however.4 For example, it also applies to private health facilities such as physicians’ or dentists’ offices, specialized medical centres, laboratories and private seniors’ residences,5 as well as to the service providers retained by certain HSSBs.
The acronym “HSSI,” for its part, refers to any information that allows a person to be identified directly or indirectly and that concerns: (1) the person’s physical or mental health and his or her health determinants, including the person’s medical or family history; (2) any material taken from the person, including biological material, collected in the context of an assessment or treatment; (3) the health services or social services provided to the person, including the nature of those services, their results, where they were provided and the identity of the persons or groups that provided them; (4) information that was obtained in the exercise of a function under the Public Health Act;6 or (5) any other characteristic determined by government regulation.7 The definition of HSSI also extends to information collected at the time the person is taken in charge, for example his or her name, date of birth or health insurance number.
Legal obligations
The obligations provided for in the Act are very similar to those introduced by Law 25 (see our earlier publications here and here for more information).
Collection and use
According to the Act, the collection and keeping of HSSI is limited to that which is necessary for the body to fulfill its mission or purpose, exercise its functions or carry on its activities, or implement a program under its management.8
Any HSSI held by an HSSB is confidential and must not, without the express consent of the person concerned by the information, be used or communicated except in accordance with the Act.9 If such information is used or collected, it must, whenever possible, be done in a de-identified form, i.e. in a manner that does not allow the person concerned to be identified directly.10
When an HSSB collects HSSI from a person, it must inform that person in clear and simple language of certain elements in order to obtain his or her clear, free and informed consent, including the purposes for which the information is collected and the person’s right to have access to the information or have it rectified.11 Consent must be requested by the HSSB for each of the purposes for which it will be used or communicated.12
Protection and governance measures
Compliance with and implementation of the Act within a body must be ensured by the person in charge of protecting information.13 For example, an HSSB must adopt a governance policy for the information it holds.14 This policy must necessarily contain the elements provided for in the Act, such as the logging mechanisms and the security measures for ensuring the protection of the HSSI that the body puts in place and a procedure for processing confidentiality incidents.15
An HSSB is also responsible for protecting the HSSI it holds.16 Security measures for ensuring the protection of this information must be taken. The HSSB must also ensure the information it holds is up to date, accurate and complete so that it serves the purposes for which it was collected or is used.17
Confidentiality incidents
When an HSSB believes a confidentiality incident has occurred, such as communicating information that is not authorized under the Act, it must take measures to reduce the risk of injury and to prevent new incidents of the same nature.18 If the incident presents a risk of serious injury, the body must notify the Minister of Health and Social Services and the Commission d’accès à l’information (CAI).19 Given the general sensitivity of HSSI, various related confidentiality incidents will likely trigger the sending of a mandatory notice.
Use for research purposes
The Act introduces a regime for accessing HSSI for research purposes. While the terms and conditions of this regime remain to be clarified, the Act does provide for the circumstances under which researchers may access HSSI for the purposes of completing their research projects. The procedures vary based on the researcher’s status and provide for a simplified approach. One notable change is that agreements may now come into effect without waiting for a 30-day period to have elapsed after having been sent to the CAI.
Measures to be implemented
Despite the similarities between the Act and Law 25, measures will need to be taken to comply with the Act, including: (1) modifying or adapting the documents used, for instance policies and consent forms, so they refer to the Act and take it into consideration; (2) revising the role of the person in charge of protecting information; and (3) setting up the various measures prescribed by regulation (see our earlier publication here).
Sanctions
Much like the Act respecting Access to documents held by public bodies and the Protection of personal information, the Act prescribes fines of up to $150,000 for a failure to comply, such as keeping or destroying HSSI, failing to report a confidentiality incident where required to do so, or identifying or attempting to identify a natural person using anonymized information. It bears noting that the fines prescribed by the Act are doubled for a second offence and tripled for a third or subsequent offence.20
As the Act has only recently come into force, several questions remain as to how it will apply in practice, which is good reason to keep a close eye on developments in this area over the next few months.
The authors would like to thank Marilou Bouthiette, articling student, for her contribution to preparing this legal update.