Law & Governance
Bill 31, Health Information Protection Act, 2003
"Personal health information" refers to identifying information, whether in oral or recorded form, that relates to the individual's physical or mental health, the provision of health care to the individual, payments or eligibility for health care, the donation of a body part or bodily substance, and the individual's health care number, health care provider or substitute decision maker. Other significant features of the Bill are:
- Health information custodians must have information practices
in place that are in compliance with the requirements for dealing
with personal health information;
- It provides a right of access to one's personal health
information and the ability to require corrections, subject to
certain limitations and exceptions;
- Individual consent for the collection, use or disclosure of
personal information may be either express or implied, with
limitations on when consent may be implied. Consent may also be
withdrawn, with notice;
- It establishes who may act on behalf of another with respect to
personal health information, and under what
- Accountability is dealt with by the establishment of a process
of appeal to the provincial Information and Privacy Commissioner.
Mechanisms for investigating and settling complaints and reviewing
information practices are provided, as are penalties for
- Quality of care information is dealt with separately from personal health information. Disclosure of information collected or prepared for the purpose of assisting a quality of care committee of a hospital, or other entity, is limited to certain prescribed circumstances.
Schedule B of the Bill, the Quality of Care Information Protection Act, finally brings Ontario in line with all other Canadian provinces and territories and the 50 U.S. states, all of which have similar legislation protecting quality of care information from being disclosed or used as evidence in legal proceedings. Hospitals should note in particular:
- The Bill protects from disclosure only "quality of care
information", which is information prepared or collected by the
hospital's Quality of Care Committee or relating solely or
primarily to that Committee's activities. All hospitals should
review the terms of reference of their Quality of Care Committee
(or equivalent) to ensure that it will qualify as a Quality of Care
Committee under the Bill. "Quality of care information" does not
include information contained in a medical record.
- Quality of care information is not admissible as evidence in a
legal proceeding, nor can a witness be asked about it.
- The Bill contains immunity sections protecting specific persons
from liability. These persons include those (i) who disclose
information to the Quality of Care Committee and (ii) members of
the Committee who disclose quality of care information to reduce a
quality of care risk or to improve healthcare within the
- The Bill requires that the Minister hold public consultations before making regulations under this Act.
The Bill contains a number of provisions which may be of particular concern to hospitals, including:
- Restrictions on collection, use and disclosure of personal
health information for fundraising purposes without the
individual's express consent, which is substantially different from
the current requirements under PIPEDA;
- Requirement that health information custodians using an
electronic format for personal health information comply with
prescribed requirements (to be provided in regulation), which could
be costly to implement;
- Requirement that health information custodians using or
disclosing personal health information take steps to ensure that
the information is as accurate, complete and as up-to-date as
necessary for the purposes of the use or disclosure (or, in
disclosure situations only, that any limitations on the accuracy
etc. of the information are set out). Assuring accuracy etc. could
potentially be a very onerous task in the hospital setting, given
that information is collected by a number of health professionals,
over extended periods of time;
- The penalties for offences are significant (maximum $50,000 for
individuals, $250,000 for corporations); and
- Directors, officers, employees etc. of a corporation, including a public hospital, can be held personally liable for an offence, whether or not the corporation is prosecuted or convicted, and responsible for the penalty amounts upon conviction. However, a due diligence defence is available.
Although there are a number of significant differences, Bill 31 is substantially similar to Bill 159 (Personal Information Privacy Act), which was introduced by the Conservative government and passed first reading in December, 2000, but was never enacted. All indications suggest that the government intends to move this Bill forward very quickly. The commencement date for the legislation is identified in the Bill as July 1, 2004. If you are interested in making oral or written submissions on the Bill to the Standing Committee, you can refer to the Legislative Assembly of Ontario website for more information at
Acknowledgment© 2004 Cassels Brock & Blackwell LLP. Cassels Brock is a trade-mark of Cassels Brock & Blackwell LLP. All rights reserved.
Be the first to comment on this!
Personal Subscriber? Sign In
Note: Please enter a display name. Your email address will not be publically displayed