On December 3, 2021, the Quebec Minister of Health and Social Services tabled Bill 19, Act respecting health services and social services and amending various legislative provisions (“Bill 19”). The four objectives of the bill are (i) to protect health and social services information (“HSSIR”), (ii) to allow access to RSSS; (iii) improve the quality of services offered to Quebecers; and (iv) allow management of health and social services based on needs.
Bill 19 is a welcome change not only because of the harmonization it brings with personal health information protection laws in other Canadian provinces, but also because of the transparency and simplification it brings to a body of law which, until now, has become increasingly opaque. However, it imposes significant compliance requirements on health and social services organizations (“HSSB”) operating in Quebec. Although Bill 19 is only in the first stages of examination by the National Assembly, and therefore subject to a possible revision, the CSSS must nevertheless take note of the modifications it proposes and the corresponding sanctions. in case of non-compliance.
The following paragraphs summarize the HSSI governance requirements proposed by Bill 19.
A broad definition of HSSI
Bill 19 defines the FSSI as “any information held by a health and social services organization that relates to an individual, whether or not it allows that person to be identified, and that has one of the following characteristics:
- it concerns the physical or mental state of the person and their determinants of health, including their medical or family history;
- it is any material, including biological, collected in the context of an assessment or treatment, and any implant, orthosis, prosthesis or other aid compensating for the person’s disability;
- it concerns the health or social services provided to the person, including the nature of these services, their results, the place where they were provided and the identity of the persons or organizations who provided them;
- it was obtained in the exercise of a function falling within the Public Health Act; Where
- any other characteristic determined by government regulation. »
The definition also includes any identifying information such as a person’s name, date of birth, contact details or health insurance number when it appears next to the information listed above or when provided to enroll such a person in an institution or program.
An inclusive definition of HSSB
In addition to Ministry of Health and Social Services (Ministry of Health and Social Services; the “Ministry”) Bill 19 includes in its list of CSSS the following organizations or entities:
- The Health and Welfare Commissioner;
- End of Life Care Commission (Commission on End-of-Life Care);
- Health Emergencies Corporation (Health Emergency Society);
- National Institute of Excellence in Health and Social Services (National Institute of Excellence in Health and Social Services);
- National Institute of Public Health of Quebec (National Institute of Public Health);
- Régie de l’assurance maladie du Québec (Health Insurance Board);
- an organization that coordinates organ or tissue donations, designated by the ministry.
- a person or a company operating a private health establishment within the meaning of Act respecting health services and social services (chapter S-4.2);
- a person or company operating a specialized medical center within the meaning of Act respecting health services and social services;
- a health communication center governed by the Act respecting pre-hospital emergency services (chapter S-6.2);
- a person or company operating a center for assisted procreation within the meaning of Act respecting clinical and research activities relating to assisted procreation (chapter A-5.01);
- a person or company operating a laboratory within the meaning of Medical Laboratories and Organ and Tissue Preservation Act (chapter L-0.2);
- a private seniors’ residence referred to in section 346.0.1 of the Act respecting health services and social services;
- an intermediate or family-type resource within the meaning of Act respecting health services and social services;
- a resource offering lodging referred to in section 346.0.21 of the Act respecting health services and social services;
- holder of a funeral services business license issued in accordance with the Funeral Operations Act (chapter A-5.02);
- holder of an ambulance service permit issued in accordance with the Act respecting pre-hospital emergency services;
- a palliative care hospice within the meaning of Act respecting end-of-life care (chapter S-32.0001).
If an entity qualifies as an HSSB, Bill 19 requires that it meet the following governance requirements when processing HSSIs:
- Security measures: The CSSSs must protect the HSSIs by reasonable measures taking into account the sensitivity and the purposes for which the HSSIs will be used, the quantity and distribution of the information, the medium on which it is stored and its format.
- Precision: RSSS must ensure that the RSSI is current and complete to serve the purposes for which it was collected or used. For example, health information used as part of a patient’s ongoing treatment will require a higher level of accuracy than contact information used for marketing purposes.
- Responsibility: The person with the highest authority at the CSSS is responsible for ensuring compliance with Law 19. This responsibility can be delegated in writing. The title of the person responsible for compliance of a CSSS must be published on the website or made available to the public.
- Access restrictions: CSSSs must record all the access they grant to personnel and professionals practicing on their premises to the RSSI they hold, as well as all the uses made of it. An annual report of these uses and access must be sent to the Ministry of Health and Social Services.
- Opening: CSSSs must adopt and make public on their website, or by any other appropriate means, a governance policy whose exact content will be defined by the Minister but describing, among other things:
- the roles and responsibilities of personnel and professionals practicing their profession within the CSSS with respect to the life cycle of the CSSS;
- the categories of persons who, in the performance of their duties, may have access to the HSSI;
- logging mechanisms and security measures to ensure the protection of the HSSI;
- a schedule for updating the technological products or services used by a CSSS;
- the data incident management procedure;
- the procedure for handling complaints; and
- a description of staff training and awareness activities regarding the protection of HSSIs.
CSSSs are also required to provide and train their employees and professionals on their governance policy.
Privacy Impact Analysis (“PIA”): An HSSB must perform a PIA whenever it plans to acquire, develop or redesign a technology product or service or any electronic service delivery project where the project involves the collection, use, storage or destruction of HSSI. The PIA must be proportionate to the sensitivity of the information, the purpose for which it is used, the quantity disseminated, the medium on which it is stored and its format. It must also ensure that the HSSIs collected from an individual in digital form are made accessible to that person in a structured and commonly used technological format. This requirement is also found in the overhaul of Quebec legislation on the private sector which required the performance of PIAs not only when the acquisition and updating of technological products are envisaged but also when personal information must be transferred to the outside provincial borders.
The RGSS are also required to maintain a register of the technological products or services that they use and to make it available to the public on their websites or by any other appropriate means.
Incidents: CSSSs that believe that the HSSI has been compromised must notify the Minister of Health and Social Services, the Commission for access to information (Quebec Privacy Protection Commission; “CAI”) and individuals whose FSSI is involved if the CSSSs have reason to believe there is a risk of serious injury. CSSSs must also keep a register of incidents, the content of which is determined by government regulation.
Lens limitation: Finally, the CSSSs must dispose of the HSSIs once the purpose for which they were collected has been achieved. A governmental regulation will determine the minimum duration during which the HSSI can be kept. These regulations have not yet been published.
Bill 19 provides the following potential administrative monetary penalties:
- Fines varying between $1,000 and $10,000 for a natural person or $3,000 and $30,000 in all other cases for anyone:
- collects, uses, retains, destroys or accesses health or social services information in violation of the Proposed Act;
- refuses to allow or obstructs access to the information accessible under the proposed law, in particular by destroying, modifying or concealing the information or by unduly delaying its transmission;
- hinders the HSSI access authorization manager or a person in charge of the protection of HSSI in the exercise of the functions of the manager or the person;
- fails to report, when required, a data incident to the Minister or the CAI; Where
- does not comply with the conditions set out in an authorization issued to a researcher or other organization to access the HSSI.
- Fines varying between $5,000 and $100,000 for a natural person and between $15,000 and $150,000 in all other cases for anyone who:
- allows access to information to which access should be prohibited under the proposed law;
- identifies or attempts to identify a natural person, without authorization, using anonymized information or using anonymized information,
- uses a technology product or service that has not been certified by government regulations where such certification is required;
- does not comply with the governance requirements described above;
- obstructs the conduct of a CAI investigation or inspection or the hearing of a claim by the CAI by providing false or inaccurate information, by failing to provide information required by it or otherwise;
- does not respond within the prescribed time to a formal notice sent by the CAI; Where
- fails to comply with a CAI order.
It should be noted that the CAI can also initiate criminal proceedings for an offense under Law 19. The limitation period for such an action is 5 years from the commission of the offence.
Although certain provisions of Bill 19 may change before the vote on the final version of the bill, the bill sends the message to CSSSs operating in Quebec that they will be held to a relatively onerous standard of governance in terms of SSSI – standards that already exist in other provinces.