
By Megan Brister and Michelle Gordon

The Ontario government recently introduced new legislation—Bill 78, the Electronic Personal Health Information Protection Act, 2013 (EPHIPA)—that would, if passed, modernize Ontario’s health privacy legislation, the Personal Health Information Protection Act, 2004 (PHIPA), to enable the transition to electronic health records (EHRs) while protecting the personal health information of patients.

In spring 2013, EPHIPA passed first reading in the Ontario legislature, which has adjourned for the summer but will take up the bill again this fall. Once enacted, the legislation would impose privacy and security requirements on organizations involved in the sharing of EHRs, defined as “prescribed organizations” under EPHIPA. These organizations may include eHealth Ontario and the regional clusters (Northern and Eastern Ontario, Greater Toronto Area and South Western Ontario), which are composed of local health integration networks and funded by eHealth Ontario to integrate healthcare systems and give healthcare providers timely and secure access to personal health information, and which are implementing EHRs to enable personal health information to be shared between hospitals and other healthcare providers. EPHIPA also includes detailed consent management requirements, which EHR vendors should be prepared to address in the design of their software.

Proposed Privacy and Security Requirements

PHIPA currently imposes specific privacy and security requirements on organizations that provide EHR services, such as health information network providers, service providers and eHealth Ontario. For example, health information network providers are required to notify all health information custodians using their services of breaches; provide custodians and the public a description of their services and safeguards; perform privacy impact assessments and threat and risk assessments; maintain audit logs of all accesses and transfers of personal health information; manage third-party and employee compliance with privacy and security requirements, and enter into agreements with health information custodians outlining these requirements.

EPHIPA provides significantly more granular requirements for “prescribed organizations,” which are responsible for “creating or maintaining the electronic health record.” EPHIPA would amend PHIPA to require prescribed organizations to comply with the following privacy and security obligations:

  • Accountability

Notify the custodian if personal health information is stolen, lost or improperly accessed.

  • Consent

Maintain an electronic record of all instances where a consent directive is made, withdrawn or modified and comply with regulations when managing consent directives.

  • Limiting Use and Disclosure

Take reasonable steps to limit the personal health information received; limit how its employees and/or contractors view, handle or otherwise deal with personal health information, and ensure third parties comply with necessary restrictions and conditions.

  • Safeguards

Maintain a detailed electronic record of all instances where personal health information in the EHR is viewed, handled or dealt with; audit and monitor required electronic records and conduct both a privacy impact assessment and threat and risk assessment for each system that retrieves, processes or integrates personal health information in the EHR, making these assessments available to health information custodians and a summary of the assessments available to the public.

  • Openness

Make available to the public and to health information custodians a plain-language description of the electronic health record and any directives, guidelines and policies that apply to the personal health information in the EHR.

  • Access

Put in place practices and procedures for responding to individual requests regarding personal health information in the EHR or maintained by a prescribed organization.

The most significant requirements for prescribed organizations are those regarding the role of the Ontario Information and Privacy Commissioner (OIPC). Specifically, prescribed organizations will need to put in place practices and procedures that protect individual privacy in the context of the EHR and that are approved by the OIPC every three years. This is similar to the role the OIPC plays in prescribed entities and registries, which are also required to have their practices and procedures reviewed and approved every three years. Further, prescribed organizations will also be required to notify the OIPC of potential breaches within the EHR. Currently, health information network providers are the only organizations required to give notice of data breaches, and that notice goes to the health information custodians to whom they provide services. Finally, prescribed organizations will be required to submit an annual report to the OIPC on every instance in which personal health information was disclosed in a given year.

Consent Management Requirements

Under PHIPA, individuals may currently block some of their personal health information from being accessed by certain healthcare providers by requesting a “lock-box” be placed on their health records. EPHIPA formalizes this process within EHRs by introducing “consent directives” provisions. These provisions enable an individual to provide to a prescribed organization a directive that withholds or withdraws the individual’s consent to the collection, use and disclosure of his or her personal health information contained in the EHR for the purpose of providing or assisting in the provision of healthcare to the individual. The prescribed organization would be responsible for implementing the directive and would be required to assist the patient in amending and/or modifying the directive to ensure it is clear.

The prescribed organization would be exempt from following the directive—and, therefore, permitted to disclose personal health information identified in the directive—if there was a significant risk of serious bodily harm to the patient or someone else and consent could not be obtained in a timely manner. In this situation, the prescribed organization would notify the health information custodian, who would then be responsible for notifying the patient. Information subject to a consent directive may also be used, if necessary, to alert health information custodians to potentially harmful medication interactions, as long as the personal health information that is subject to the directive is not itself revealed.

This means that prescribed organizations will need to have in place consent management procedures to accommodate consent directives from patients. Moreover, the technology supporting EHRs must enable prescribed organizations to technically implement these provisions.

Next Steps for Organizations Providing EHRs

Prescribed organizations and EHR vendors will want to monitor developments in the legislation as it proceeds through the Ontario legislative process. Before EPHIPA can become law, the bill must undergo further readings and debate by the House and a committee review and report.

EPHIPA formalizes several of the leading practices that organizations providing EHRs are following. Nonetheless, organizations will want to consider the proposed privacy and security requirements as they are developing local, regional and provincial policies and practices to govern EHRs to avoid costly rework when legislation is passed and policies are reviewed and approved by the OIPC.

Megan Brister, CISSP, PMP, is a senior manager at Deloitte who has over 13 years of experience advising executive and project teams on privacy and information security strategies to support major business transformations and IT implementations. Megan has worked as a privacy officer in healthcare and has advised clients in the health, government, gaming and consumer business sectors.

Michelle Gordon, LLB, LLM, is a privacy lawyer in the Enterprise Risk practice at Deloitte who has a specialized understanding of Canadian privacy legislation and advises clients on privacy and legal compliance, policies, consent management and information governance.

