Information Governance, Data Privacy & Security

Ontario's Move to Strengthen Personal Health Information Privacy

Information governance (IG) obligations applicable to the healthcare sector are expanding amid a growing recognition by regulators that the rules governing the management of personal health information need to be stronger. This recognition has been driven in part by the growing reliance on electronic health record systems, the sensitivity of personal health information, and a number of high-profile data breaches involving healthcare service providers.

For example, the Ontario Ministry of Health and Long-Term Care has proposed new health privacy legislation for the stated purpose of strengthening privacy and IG controls over personal health information and increasing transparency and accountability within the healthcare system. Below are some of the key amendments proposed by the new legislation:

  1. Introduction of the concept of a prescribed organization, which is a service provider of electronic health records and related systems. The amendments applicable to prescribed organizations impose the following requirements:

    a. An audit every three years (a triennial audit) of the subject organization's privacy and security framework by the Information and Privacy Commissioner of Ontario ("IPCO").
    b. Mandatory reporting of privacy breaches to the IPCO and in certain cases to the relevant professional regulatory colleges.

  2. Introduction of the concept of a consent directive, in which a patient may withhold or withdraw his or her consent to the collection, use and disclosure of personal health information contained in his or her electronic health record.

  3. Stronger penalties for non-compliance, with the doubling of fines for unauthorized access to health records from $50,000 to $100,000 for individuals, and from $250,000 to $500,000 for organizations.

As the volume of electronic health data increases, health service organizations must develop strong IG programs to secure personal health information and achieve compliance. According to the American Health Information Management Association, "[an IG program] serves the dual purpose of optimizing the ability to extract clinical and business value from healthcare information while simultaneously meeting compliance needs and mitigating risk." An effective IG program is therefore a business necessity for health service organizations facing the twin pressures of stricter privacy and IG regulations and budgetary constraints.


Contributors – Elvina Chow, Ricard Pochkhanawala, Jonathan Tam