Québec’s new law regarding health and social services information coming into force on July 1, 2024
Bill 3, An Act respecting health and social services information and amending various legislative provisions[1] (the “Act”) received royal assent on April 4, 2023, and the Québec government very recently announced that most of its provisions will come into effect on July 1, 2024.[2] The stated purpose of the Act is to ensure the protection of health and social services information (“HSSI”) while enabling effective use and communication of the information. In addition, the Regulation respecting the application of certain provisions of the Act respecting health and social services information[3] (the “Regulation”) will also come into effect on July 1, 2024.
The Act amends over 30 provincial acts and enacts the Act respecting health and social services information[4] (the “HSSI Act”). The Regulation respecting the governance of health and social services information[5] (the “HSSI Reg”) will also come into force on July 1, 2024. The Commission d’accès à l’information (the “CAI”) is responsible for the oversight of the HSSI Act.
Once the HSSI Act comes into effect, HSSI will no longer be regulated under the Act respecting Access to documents held by public bodies and the Protection of personal information[6] (public sector) or the Act respecting the protection of personal information in the private sector[7] (private sector).
On an unknown date in the future, the Act respecting the sharing of certain health information[8], which governs the sharing of the Québec Health Record, will be repealed. The Québec Health Record is analogous to Ontario’s electronic health record or “EHR”.
HSSI is information that allows a person “to be identified, even indirectly,” and that:
concerns the person’s state of physical or mental health, including medical or family history;
concerns material taken from the person, including a biological sample collected in the context of an assessment or treatment, or any implants, prostheses or other aids;
concerns the health or social services provided to the person, including the nature of service, results, location and provider;
was obtained in the exercise of a function under the Public Health Act[9]; or
has any other characteristic determined by regulation.
Name, date of birth, contact information or health insurance number are HSSI when they appear together with HSSI, or when they are collected for registration or admission purposes by another health and social services body. However, information that concerns personnel of a health and social services body collected for human resources management purposes is not HSSI.
Under the HSSI Act, health and social services bodies (“bodies” or “body”) are:
the Ministère de la Santé et des Services sociaux
a person or group listed in Schedule I and Schedule II of the HSSI Act (including a person/group that has entered into an agreement for the provision of health or social services on behalf of that body)
the Nunavik Regional Board of Health and Social Services (including a person/group that has entered into an agreement for the provision of health or social services on behalf of that body)
a college-level or university-level educational institution with respect to its activities related to the provision of health or social services (determined by the Regulation)
any other person or group determined by government regulation
In addition, a service provider who offers health or social services within a body other than an institution, and whose records are not kept by the body, is also a body.
Schedule I bodies are:
Health and Welfare Commissioner
Commission sur les soins de fin de vie
Corporation d’urgences-santé
Héma-Québec
Institut national d’excellence en santé et en services sociaux
Institut national de santé publique du Québec
Régie de l’assurance maladie du Québec
[Not in force on July 1, 2024] an organization that coordinates organ or tissue donations
Schedule II bodies are:
a person or a group operating a private health facility
a person or a group operating a specialized medical centre
a health communication centre
a person or a group operating a centre for assisted procreation
a person or a group operating a laboratory
a person or a group operating a private seniors’ residence
an intermediate or family-type resource
a resource offering lodging
a holder of a funeral services business licence
a holder of an ambulance service permit
a palliative care hospice
Collection of HSSI by a body
A body may collect only the HSSI that is necessary to fulfil its mission or purpose, exercise its functions, or implement its management program. With exceptions, the body must inform the person of the name of the body collecting the information or of the body on whose behalf it is collected, the purposes for which the information is collected, how the information is collected, the person’s right to access and rectification, the possibility of restricting or refusing access, and the retention period of the HSSI.
HSSI is confidential and must not be used or communicated except in accordance with the HSSI Act, subject to the express consent of the person concerned. The Regulation provides that any person may give consent, verbally or in writing, to the use or communication of HSSI about them. That consent may be withdrawn, verbally or in writing.
Profiling
The collection of HSSI using profiling technology requires informing the person of the use of such technology and of the means available to “opt in” to the functions that allow a person to be identified, located or profiled. The definition of “profiling” is the same as that in the two provincial privacy acts except that analyzing the person’s work performance is excluded as a purpose.
Access to HSSI by a service provider or by a researcher
A “service provider” means a natural person who offers health or social services within a body or who provides a person with technical or administrative support services.
A service provider may access HSSI if it is necessary to provide health or social services to the person concerned or for the purposes of teaching, training or reflective practice. Guidelines for service providers may be determined by regulation concerning the access of HSSI for permitted purposes. The Regulation prescribes conditions of access by a service provider who is not a professional within the meaning of the Professional Code[10].
The HSSI Act also prescribes rules governing the access and protection of HSSI by researchers.
Use of HSSI within a body
A body may use HSSI for purposes consistent (i.e., having a relevant and direct connection) with the purposes for which it was collected; or purposes clearly beneficial to the person concerned; or otherwise permitted by law.
Automatic decision making
A body using HSSI to render an exclusively automated decision must inform the person concerned accordingly no later than at the time the decision is disclosed to the person. The body must also, upon request, inform the person of the HSSI used for rendering the decision; the reason and principal factors and parameters that led to the decision; and the right of the person to have the HSSI used to render the decision rectified. The person must be given the opportunity to submit observations to a member within the body who is in a position to review the decision.
Communication of HSSI by a body
A body must communicate HSSI to a service provider if the provider requires the information to provide health or social services, or for the purposes of teaching, training or reflective practice (see Access to HSSI by a service provider above). The service provider may keep the HSSI communicated only if keeping it is necessary for providing health or social services or for complying with their professional obligations.
The HSSI Act provides for other communications of HSSI to third parties necessary for public safety, law enforcement, fulfilment of contract, or otherwise permitted by law.
Communication outside Québec
Communication of HSSI outside Québec is permitted if a privacy impact assessment (PIA) has been conducted and if the PIA establishes that HSSI would receive adequate protection. The communication must be the subject of a written agreement that takes into account the results of the assessment and the terms agreed on to mitigate the risks identified in the PIA.
Protection of HSSI by a body
Security and accuracy
A body is responsible for the protection of the HSSI it holds and must take reasonable measures to ensure the security of HSSI depending on the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored. The body must also ensure that HSSI it holds is up to date, accurate and complete.
HSSI Protection officer
The person exercising the highest authority within a body is responsible for complying with the HSSI Act. This responsibility may be delegated in writing to a member of the board of directors, a senior officer, a member of personnel or to a professional practising within the body. The title and contact information of the person in charge of the protection of HSSI are sent to the Ministre de la Santé et des Services sociaux (the “Minister”) and to the CAI. The same must be made available to the public.
A body may enter into an agreement with another body to delegate all or part of its obligations under the HSSI Act. A copy of the agreement must be sent to the Minister and to the CAI.
Logging (not yet in force)
Audit logging obligations under the HSSI Act – not in force on July 1, 2024 – require audit logs that make it possible to identify which HSSI was accessed, used or communicated, who accessed, used or received communication of it, and the date and time it was accessed, used or communicated. When in force, the body sends a yearly report concerning all such accesses, uses or communications (excluding those by a service provider in a context of providing health or social services) to the Minister, who sends a yearly summary of the reports to the CAI.
Privacy by default
A body that collects HSSI when offering its clientele a technological product or service with privacy settings must ensure that those settings provide the highest level of confidentiality by default, without any intervention by the person. This requirement does not apply to privacy settings for browser cookies.
Privacy policy
A body must adopt a governance policy for the HSSI it holds that implements the information governance rules. The content requirement of the policy is similar to that of the provincial privacy acts. The body must make the policy known to all personnel and the professionals practising within the body and to the public.
Technological product or service
A body must conduct a privacy impact assessment (PIA) for any project to acquire, develop or overhaul technological products or services or an electronic service delivery system where the project involves the collection, retention, use, communication or destruction of HSSI held by the body.
If a technological product or service requires certification by the Minister, a body must use only a certified technological product or service.
A body must maintain a register of every technological product or service it uses. The Regulation prescribes the content requirement of the register. The body must make the register available to the public.
Confidentiality incident
A body that has cause to believe that a confidentiality incident involving HSSI it holds has occurred or that there is a risk of such an incident occurring must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.
If the incident presents a risk of serious injury, the body must promptly notify the Minister and the CAI. It must also notify any person affected. The Regulation specifies the content requirement of the notice to the Minister and the CAI as well as the notice to persons affected.
A body must keep a register of confidentiality incidents for 5 years. The Regulation also specifies the content of the register.
Destruction or anonymization of HSSI
At the end of the retention period of HSSI, a body must destroy or anonymize it. HSSI is “anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified, even indirectly.” Anonymization must be carried out according to generally accepted best practices and the Regulation respecting the anonymization of personal information[11] made under the public sector privacy act, with necessary modifications.
Destruction of HSSI must be performed in a secure and irreversible manner, in accordance with generally accepted best practices, depending on the sensitivity of the information and the medium on which it is stored. If destruction is carried out by a third person, a service contract for this purpose (requirements in the HSSI Reg) must be in place. A body must keep records of destruction.
Additional responsibilities provided by the Regulation
The HSSI Reg broadens the responsibilities of a body, such as:
ensuring that personnel and professionals receive recognized training (including refresher training) regarding the protection of HSSI
keeping records of consent
identifying a person in charge of handling notices of restriction
taking necessary measures to ensure the usability and integrity of HSSI
periodically evaluating the access, use and communication of HSSI and reducing risks
setting up a committee on the governance of HSSI (Schedule I bodies only)
maintaining and evaluating technological products and services it uses
Data subject rights
An individual has the following rights regarding HSSI about them held by a body:
the right to be informed of its existence and request access
the right to request correction
the right to be informed of the name of person/group having accessed, used, or received their HSSI, and the date and time of the access, use or communication
the right to restrict access to service providers (content requirement in the Regulation)
the right to refuse access to a spouse or relatives where access is related to a grieving process or cause of death, and to researchers (content requirement in the Regulation)
portability right
A minor under 14 years of age may have access rights only through their lawyer in the context of a judicial proceeding. A caretaker may request access to HSSI of the person under care within the exercise of that power. Heirs, successors, spouse, and close relatives may request access to HSSI about the deceased person in certain circumstances.
Penalty
The maximum penalty for contravening the HSSI Act is $100,000 for a natural person and $150,000 in all other cases. Fines for an offence committed by a director or officer are double those applicable to a natural person for the same offence.
Fines are doubled for a second offence and tripled for a third or subsequent offence. If an offence lasts more than one day, each day of the offence constitutes a separate offence. Anyone who helps or induces a person to commit an offence is considered to have committed the same offence.
[1] SQ 2023, c 5. Final text available at https://www.publicationsduquebec.gouv.qc.ca/fileadmin/Fichiers_client/lois_et_reglements/LoisAnnuelles/en/2023/2023C5A.PDF
[2] Vol. 156, No. 24 of the Quebec Official Gazette, June 12, 2024: https://www.publicationsduquebec.gouv.qc.ca/fileadmin/gazette/pdf_encrypte/lois_reglements/2024A/106888.pdf
[3] Vol. 156, No. 24 of the Quebec Official Gazette, June 12, 2024: https://www.publicationsduquebec.gouv.qc.ca/fileadmin/gazette/pdf_encrypte/lois_reglements/2024A/106889.pdf
[4] CQLR c R-22.1
[5] Vol. 156, No. 24 of the Quebec Official Gazette, June 12, 2024: https://www.publicationsduquebec.gouv.qc.ca/fileadmin/gazette/pdf_encrypte/lois_reglements/2024A/106885.pdf
[6] CQLR c A-2.1
[7] CQLR c P-39.1
[8] CQLR c P-9.0001
[9] CQLR c S-2.2
[10] CQLR c C-26
[11] Vol. 156, No. 20 of the Quebec Official Gazette, May 15, 2024: https://www.publicationsduquebec.gouv.qc.ca/fileadmin/gazette/pdf_encrypte/lois_reglements/2024F/83286.pdf