By Megan Brister and Michelle Gordon

The Ontario government recently introduced new legislation—Bill 78, the Electronic Personal Health Information Protection Act, 2013 (EPHIPA)—that would, if passed, modernize Ontario’s health privacy legislation, the Personal Health Information Protection Act, 2004 (PHIPA), to enable the transition to electronic health records (EHRs) while protecting the personal health information of patients.

In spring 2013, EPHIPA passed first reading in the Ontario legislature, which has adjourned for the summer but will proceed with the bill this fall. Once enacted, the legislation would impose privacy and security requirements on organizations involved in the sharing of EHRs, defined as "prescribed organizations" under EPHIPA. These organizations may include the three regional clusters (Northern and Eastern Ontario, Greater Toronto Area and South Western Ontario), which are made up of local health integration networks and are funded by eHealth Ontario to integrate healthcare systems and give healthcare providers timely and secure access to personal health information, as well as eHealth Ontario itself. All of them are implementing EHRs so that personal health information can be shared between hospitals and other healthcare providers. EPHIPA also includes detailed consent management requirements, which EHR vendors should be prepared to address in the design of their software.

Proposed Privacy and Security Requirements

PHIPA currently imposes specific privacy and security requirements on organizations that provide EHR services, such as health information network providers, service providers and eHealth Ontario. For example, health information network providers are required to notify all health information custodians using their services of breaches; provide custodians and the public a description of their services and safeguards; perform privacy impact assessments and threat and risk assessments; maintain audit logs of all accesses and transfers of personal health information; manage third-party and employee compliance with privacy and security requirements, and enter into agreements with health information custodians outlining these requirements.

EPHIPA provides significantly more granular requirements for “prescribed organizations,” which are responsible for “creating or maintaining the electronic health record.” EPHIPA would amend PHIPA to require prescribed organizations to comply with the following privacy and security obligations:

  • Accountability

Notify the custodian if personal health information is stolen, lost or improperly accessed.

  • Consent

Maintain an electronic record of all instances where a consent directive is made, withdrawn or modified and comply with regulations when managing consent directives.

  • Limiting Use and Disclosure

Take reasonable steps to limit the personal health information received; limit how its employees and/or contractors view, handle or otherwise deal with personal health information, and ensure third parties comply with necessary restrictions and conditions.

  • Safeguards

Maintain a detailed electronic record of all instances where personal health information in the EHR is viewed, handled or dealt with; audit and monitor required electronic records and conduct both a privacy impact assessment and threat and risk assessment for each system that retrieves, processes or integrates personal health information in the EHR, making these assessments available to health information custodians and a summary of the assessments available to the public.

  • Openness

Make available to the public and to health information custodians a plain-language description of the electronic health record and any directives, guidelines and policies that apply to the personal health information in the EHR.

  • Access

Put in place practices and procedures for responding to individual requests regarding personal health information in the EHR or maintained by a prescribed organization.

The most significant requirements for prescribed organizations are those regarding the role of the Ontario Information and Privacy Commissioner (OIPC). Specifically, prescribed organizations will need to put in place practices and procedures that protect individual privacy in the context of the EHR, and those practices and procedures must be approved by the OIPC every three years. This is similar to the role the OIPC plays for prescribed entities and registries, which are also required to have their practices and procedures reviewed and approved every three years. Further, prescribed organizations will also be required to notify the OIPC of potential breaches within the EHR. Currently, health information network providers are the only organizations required to give notice of data breaches, and that notice goes to the health information custodians to whom they provide services, not to the OIPC. Finally, prescribed organizations will be required to submit an annual report to the OIPC on every instance in which personal health information was disclosed in a given year.

Consent Management Requirements

Under PHIPA, individuals may currently block some of their personal health information from being accessed by certain healthcare providers by requesting a “lock-box” be placed on their health records. EPHIPA formalizes this process within EHRs by introducing “consent directives” provisions. These provisions enable an individual to provide to a prescribed organization a directive that withholds or withdraws the individual’s consent to the collection, use and disclosure of his or her personal health information contained in the EHR for the purpose of providing or assisting in the provision of healthcare to the individual. The prescribed organization would be responsible for implementing the directive and would be required to assist the patient in amending and/or modifying the directive to ensure it is clear.

The prescribed organization would be exempt from following the directive, and therefore permitted to disclose the personal health information identified in it, if there was a significant risk of serious bodily harm to the patient or someone else and consent could not be obtained in a timely manner. In this situation, the prescribed organization would notify the health information custodian, who would then be responsible for notifying the patient. Personal health information that is subject to a consent directive may also be used, where necessary, to alert health information custodians to potentially harmful medication interactions, as long as the information itself is not revealed.

This means that prescribed organizations will need to have in place consent management procedures to accommodate consent directives from patients. Moreover, the technology supporting EHRs must enable prescribed organizations to technically implement these provisions.

Next Steps for Organizations Providing EHRs

Prescribed organizations and EHR vendors will want to monitor developments in the legislation as it proceeds through the Ontario legislative process. Before EPHIPA can become law, the bill must undergo further readings and debate in the House, as well as committee review and report.

EPHIPA formalizes several of the leading practices that organizations providing EHRs are following. Nonetheless, organizations will want to consider the proposed privacy and security requirements as they are developing local, regional and provincial policies and practices to govern EHRs to avoid costly rework when legislation is passed and policies are reviewed and approved by the OIPC.

Megan Brister, CISSP, PMP, is a senior manager at Deloitte who has over 13 years of experience advising executive and project teams on privacy and information security strategies to support major business transformations and IT implementations. Megan has worked as a privacy officer in healthcare and has advised clients in the health, government, gaming and consumer business sectors.

Michelle Gordon, LLB, LLM, is a privacy lawyer in the Enterprise Risk practice at Deloitte who has a specialized understanding of Canadian privacy legislation and advises clients on privacy and legal compliance, policies, consent management and information governance.
