The Health and Social Services Information Act (“Law 5”) establishes a new legal framework for the management of health and social services information (“health information”) in Quebec. Law 5 incorporates several requirements introduced by Law 25 for the private and public sectors. Its provisions entered into force on July 1, 2024, with the exception of certain provisions, which will apply at a later date.
This bulletin presents the broad outlines of this new legal framework. For a detailed analysis of Law 5, including comparative tables with Law 25, consult our complete guide.
Scope of application
Law 5 governs the processing of health information by organizations in the health and social services sector (“health organizations”). This includes any information that identifies a person and meets one of the following characteristics:
- it concerns the state of physical or mental health, including medical and family history, of the person;
- it concerns any material taken from this person as part of an assessment or treatment, as well as any implant or any orthosis, prosthesis or other aid compensating for a disability of this person;
- it concerns the health or social services received by that person;
- it was obtained in the exercise of a function provided for by the Public Health Act;
- it has any other characteristic determined by regulation.
Personal information such as a name, date of birth or health insurance number will also be considered health information when it is combined with other health information, for example a medical evaluation report, or when it is collected for the registration or admission of the person into an organization in the health and social services sector.
Law 5 applies to the management of health information by health organizations, which include:
- the Department of Health and Social Services;
- the Commissioner for Health and Well-being, the Commission on End-of-Life Care, the Corporation d’urgences-santé, Héma-Québec, the National Institute of Excellence in Health and Social Services, the Institut national de santé publique du Québec and the Régie de l’assurance maladie du Québec;
- a health and social services establishment;
- a private professional practice within the meaning of the Act respecting health services and social services;
- a specialized medical center within the meaning of the Act respecting health services and social services;
- an assisted procreation center within the meaning of the Act respecting clinical and research activities relating to assisted procreation;
- a laboratory within the meaning of the Law on Medical Laboratories and Conservation of Organs and Tissues;
- an operator of ambulance services within the meaning of the Emergency Pre-hospital Services Act;
- a private residence for seniors within the meaning of the Act respecting health services and social services;
- a funeral services business within the meaning of the Funeral Activities Act;
- a palliative care home within the meaning of the Law concerning end-of-life care.
The service provider of a health organization is also considered a health organization within the meaning of Law 5, but only for its activities related to the provision of health services or social services on behalf of the organization.
Accountability and governance
Law 5 provides that the person with the highest authority within the health organization exercises the function of information protection officer unless this function has been delegated, in writing, in whole or in part. The name and contact details of the person responsible must be sent to the Minister of Health and Social Services and to the Commission d’accès à l’information.
Law 5 requires health organizations to adopt a health information governance policy which must notably address the roles and responsibilities of staff members, access control, logging mechanisms, security measures, the handling of confidentiality incidents, the handling of complaints and staff training activities. This policy must be published on the organization’s website.
Law 5 also imposes an obligation to log uses of information by all members of staff and professionals working in the health organization. This logging must be the subject of an annual report to the Minister of Health and Social Services.
Technology products and services
Law 5 provides that a health organization must carry out a privacy impact assessment (PIA) of any project to acquire, develop or redesign technological products or services or electronic health services delivery systems that involve the collection, retention, use, disclosure or destruction of health information.
Law 5 authorizes the Minister of Health and Social Services to determine by regulation the cases in which only a certified technological product or service may be acquired or used by a health organization. Where applicable, health organizations must keep a record of the technology products and services they use and make it public.
Law 5 establishes an obligation to protect privacy by default similar to what Law 25 provides. Thus, an organization that collects health information by offering its customers a technological product or service with confidentiality settings must ensure that, by default, these settings ensure the highest level of confidentiality, without any intervention from the data subject.
Consent, transparency and use
Law 5 formally recognizes the sensitive nature of health information and specifies that it can only be used or communicated within the limits provided by law or with the express consent of the person concerned.
Law 5 states that a health organization may only collect information necessary for its mission, functions, or implementation of its programs. When collecting health information, the health organization must inform individuals of:
- the name of the organization that collects the information or for which it is collected;
- the purposes for which the information is collected;
- the means by which the information is collected;
- the right to access and rectify information;
- the possibility of restricting or refusing access to information, as well as the methods for exercising this right;
- the retention period of the information.
Law 5 further incorporates the restriction introduced by Law 25 with regard to identification, location or profiling technologies. Thus, a health organization that collects health information using technology that includes functions to identify, locate or carry out profiling of an individual must inform the individual of the use of this technology and the means offered to activate identification, location or profiling functions.
Outsourcing and transfer of information outside Quebec
Law 5 introduces rigorous rules to govern the transfer of health information to a service provider. It provides that a health organization which communicates health information to a third party that provides it with services (other than health or social services) must enter into an agreement which provides:
- the provisions of Law 5 applicable to the information communicated;
- the protective measures that the supplier must take to respect the confidentiality of the information, ensure that it is only used in the exercise of its mandate and is not kept at the end of the mandate;
- the obligation to obtain an undertaking of confidentiality from persons having access to information;
- the use of technological products or services authorized by the organization;
- notification of any violation or attempted violation of any of the provider’s confidentiality obligations;
- authorization to carry out any audit or investigation relating to the protection of information;
- the obligation to transmit to the organization any information obtained or produced in the exercise of the mandate.
In addition, when a health organization wishes to transfer health information outside of Quebec, Law 5 requires that it first carry out a PIA which takes into account:
- the sensitivity of the information;
- the purpose of its use;
- applicable protection measures, including contractual clauses;
- the legal regime applicable in the State where the information would be communicated.
Research
Law 5 sets up a system of simplified access to health information for research purposes, with specific conditions depending on whether or not the researcher is linked to a health organization.
- Researchers linked to a health organization must submit their request for authorization to the person responsible for the protection of health information within that organization.
- Unrelated researchers must submit their request to Santé Québec, the government-designated research access center.
- In both cases, the access request must include a detailed description of the research project, a PIA and a documented decision from an ethics committee.
Individual rights
Law 5 gives individuals the right to access their health information and request its correction. It also introduces the right to restrict access to one’s health information, by designating a particular worker or a category of workers, certain family members or researchers.
Conservation, destruction and anonymization
Law 5 provides that a health organization cannot retain health information beyond the period necessary to achieve the purposes for which it collected or used it, subject to certain exceptions provided for by the Archives Act or the Professional Code. Law 5 authorizes health organizations to anonymize health information according to generally recognized best practices and according to the criteria and modalities determined by the Regulations on the anonymization of personal information.
Privacy incidents
Law 5 introduces a mandatory reporting regime for confidentiality incidents consistent with Law 25. A health organization that has reason to believe that a confidentiality incident has occurred must take reasonable measures to reduce the risks of harm. The organization must notify the people affected by the incident as well as the Commission for Access to Information when the incident presents a risk of serious harm. This notice must contain the elements provided for by regulation. Health organizations must also record each confidentiality incident in a log.
Sanctions and enforcement
The Commission for Access to Information is responsible for ensuring the application of Law 5. Unlike Law 25, Law 5 does not introduce a system of administrative monetary penalties (AMPs). However, Law 5 provides for criminal penalties of up to $150,000 depending on the seriousness of the offense.
Contact us
For any questions about recent developments regarding the protection of personal and health information in Quebec, please contact one of the members of the Privacy and Protection of Personal Information team at Borden Ladner Gervais.