Five Takeaways for Health and Social Service Providers Operating in Québec: the Act Respecting Health and Social Services Information Now in Force

Stikeman Elliott LLP

On July 1, 2024, most of the provisions of Québec’s Bill 3, An Act respecting health and social services and amending various legislative provisions took effect. The statute is now known as the Act respecting health and social services information, CQLR c R-22.1 (the “Act”). Its four objectives are (i) to protect health and social services information (“HSSI”); (ii) to allow legitimate access to HSSI; (iii) to improve the quality of services offered to Québecers; and (iv) to enable needs-based management of health and social services.

The Act, originally passed on April 4, 2023, brings much-needed clarity to Québec’s health information protection regime. It also provides a degree of harmony between Québec and other Canadian provinces with respect to the processing of HSSI. The Act, however, places substantial compliance requirements on health and social service bodies (“HSSB”) operating in Québec and, by extension, on any service providers an HSSB intends to engage.

This post considers 5 of the most salient features of the Act.

1. A Broad Definition of HSSI

The Act defines HSSI as “any information that allows a person to be identified, even indirectly, and that has any of the following characteristics:

  • it concerns the person’s state of physical or mental health and his or her health determinants, including the person’s medical or family history;
  • it concerns any material taken from the person, including biological material, collected in the context of an assessment or treatment, or any implants, ortheses, prostheses or other aids that compensate for the person’s disability;
  • it concerns the health services or social services provided to the person, including the nature of those services, their results, the location where they were provided and the identity of the persons or groups that provided them;
  • it was obtained in the exercise of a function under the Public Health Act; or
  • any other characteristic determined by government regulation.”

The definition also includes any identifying information such as a person’s name, date of birth, contact information, or health insurance number when it appears next to the information listed above or when it is provided to register such a person in an institution or program.

2. An Inclusive Definition of HSSB

In addition to the Ministère de la Santé et des Services Sociaux (Ministry of Health and Social Services; the “Ministry”) the Act includes in its list of HSSBs, or entities subject to the Act, the following organizations or entities:

3. Governance Requirements

If an entity qualifies as an HSSB, the Act requires that it adhere to the following governance requirements when processing HSSI:

Security safeguards

HSSBs must protect HSSI with measures that are reasonable given the sensitivity of the HSSI, the purposes for which it will be used, the quantity and distribution of the information, the medium on which it is stored and its format.

Accuracy

HSSBs must ensure that HSSI is up to date, accurate and complete to serve the purposes for which it was collected or used. For example, health information used in an ongoing treatment of a patient will require a higher level of accuracy than contact details used for fundraising purposes.

Accountability

The person with the highest authority in the HSSB is responsible for ensuring compliance with the Act. This responsibility may be delegated in writing to a member of the body’s board of directors, to a senior officer or to another person identified in the Act. The title of the person responsible for an HSSB’s compliance must be published on the web site or made available to the public.

Access Restrictions

HSSBs must log all accesses they grant personnel and professionals practicing on their premises to the HSSI they hold as well as all uses made of the information. An annual report of these uses and accesses must be sent to the Ministry of Health and Social Services.

Openness

HSSBs must adopt a governance policy, the exact contents of which will be defined by the Minister, that describes, among other things:

  • the roles and responsibilities of the personnel and professionals, including students and trainees, practicing their profession within the HSSB, as they concern the HSSI’s life cycle;
  • the categories of people who, in the exercise of their function, may have access to HSSI;
  • the logging mechanisms and security measures for ensuring protection of the HSSI;
  • an update schedule of the technological products or services an HSSB uses;
  • the terms and conditions according to which HSSI may be communicated;
  • the procedure for managing data incidents;
  • the complaints handling procedure; and
  • a description of personnel training and awareness activities concerning the protection of HSSI.

HSSBs are required to keep a register of the technological products or services they use and make this available to the public on their websites or by another appropriate means.

HSSBs are also required to provide their governance policy to their employees, including students and trainees, and professionals, and to train them on it.

Privacy Impact Analysis (“PIA”)

An HSSB must conduct a PIA every time it considers acquiring, developing, or overhauling a technological product or service or any electronic service delivery project where the project involves the collection, use, storage, communication or destruction of HSSI. The PIA must be proportionate to the sensitivity of the information, the purpose for which it is used, the quantity distributed, and the medium on which it is stored and its format. It must also ensure that HSSI collected from an individual in a digital format be made accessible to that person in a structured, commonly used technological format.

As with Québec’s private sector personal information protection legislation, a PIA must also be conducted prior to communicating HSSI outside of the province of Québec.

Purpose limitation

Finally, HSSBs must dispose of or anonymise HSSI once the purpose for which it was collected has been met.

4. Incidents

A particular requirement that the Act imposes on HSSBs, and that will surely require further guidelines, is the duty to report to the Commission d’accès à l’information (“CAI”) (the Information and Privacy Commissioner), as well as to the individuals whose information is involved, not only a confidentiality incident that has occurred but also one that the HSSB has reason to believe will occur, if such an incident presents a risk of serious injury. The factors to consider in determining whether there is a risk of serious injury are the sensitivity of the information, the anticipated consequences of its use and the likelihood that it will be misused. HSSBs must also keep an incident register, the contents of which are to be determined by government regulation.

5. Penalties

The Act provides for the following potential administrative monetary penalties:

Fines ranging between $1,000 and $10,000 for a natural person or $3,000 and $30,000 in all other cases for anyone who:

  • keeps or destroys information in contravention of the Act,
  • refuses to communicate information that they must communicate under the Act or impedes such communication, in particular by destroying, modifying or concealing the information or by unduly delaying its communication,
  • hinders the delegated manager of government digital data or a person in charge of the protection of information in the performance of their functions,
  • fails to report, where required to do so, a confidentiality incident to the Minister or to the Commission d’accès à l’information, or
  • fails to comply with a condition, other than a condition relating to the use of information, set out in an authorization issued to transfer personal information outside of Québec or provided for by an agreement entered into for research purposes, for data processing by a third party or for an intra-group transfer;

Fines ranging between $5,000 and $100,000 for a natural person and $15,000 and $150,000 in all other cases for anyone who:

  • communicates information that cannot be communicated under the Act,
  • collects, accesses or otherwise uses information in contravention of the Act or a regulation made under the Act,
  • sells or otherwise alienates information held by a body or information communicated to them by a body, unless, in the latter case, the information concerns them,
  • identifies or attempts to identify a natural person using de-identified information without the authorization of the body that holds it or using anonymized information,
  • fails to comply with a condition relating to the use of information set out in an authorization issued to transfer personal information outside of Québec or provided for by an agreement entered into for research purposes, for data processing by a third party or for an intra-group transfer,
  • contravenes requirements relating to the use of certified service providers,
  • holds information without complying with prescribed security measures to protect this information,
  • impedes the progress of an investigation or inspection of the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise,
  • fails to comply, within the specified time, with a demand made to service providers regarding certification or otherwise to another entity regarding compliance with the Act, or
  • fails to comply with an order of the CAI or allows access to information to which access should be forbidden under the proposed law.

It should be noted that the CAI may also instigate penal proceedings for a breach of the Act. The statute of limitation for such an action is 5 years from the time the offence was committed.

Conclusion

Although certain provisions of the Act have yet to be implemented, the law will hold HSSBs to severe governance standards – standards that already exist in other Canadian provinces. Any service provider to a Québec HSSB should therefore expect to have comparable governance requirements imposed on them as the Act begins to take effect.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Stikeman Elliott LLP
