On December 3, 2021, Québec’s Minister of Health and Social Services introduced Bill 19, An Act respecting health and social services and amending various legislative provisions (“Bill 19”). The bill’s four objectives are (i) to protect health and social services information (“HSSI”), (ii) to allow access to HSSI; (iii) to improve the quality of services offered to Quebecers; and (iv) to enable a needs-based management of health and social services.

Bill 19 is a welcome change not only because of the harmonization it provides with personal health information protection legislation in other Canadian provinces and also because of the transparency and simplification it brings to a body of law that up until now has grown increasingly opaque. However, it places substantial compliance requirements on health and social service bodies (“HSSB”) operating in Québec. While Bill 19 is only in the early stages of consideration by the National Assembly, and is therefore subject to possible revision, HSSBs should nevertheless be aware of the changes it proposes and of the corresponding penalties for non-compliance.

The paragraphs that follow summarize the HSSI governance requirements proposed by Bill 19.

A Broad Definition of HSSI

Bill 19 defines HSSI as “any information held by a health and social services body that concerns a person, whether or not it allows the person to be identified, and that has one of the following characteristics:

• it concerns the person’s state of physical or mental health and his or her health determinants, including his or her medical or family history;
• it concerns any material, including biological material, collected in the context of an assessment or treatment, and any implants, ortheses, prostheses or other aids that compensate for the person’s disability;
• it concerns the health services or social services provided to the person, including the nature of those services, their results, the location where they were provided and the identity of the persons or bodies that provided them;
• it was obtained in the exercise of a function under the Public Health Act; or
• any other characteristic determined by government regulation.”

The definition also includes any identifying information such as a person’s name, date of birth, contact information, or health insurance number when it appears next to the information listed above or when it is provided to register such a person is an institution or program.

An Inclusive Definition of HSSB

In addition to the Ministère de la Santé et des Services Sociaux (Ministry of Health and Social Services; the “Ministry”) Bill 19 includes in its list of HSSBs the following organizations or entities:

• The Health and Welfare Commissioner;
• Commission sur les soins de fin de vie (Commission on End of Life Care);
• Corporation d’urgences-santé (Health Emergency Corporation);
• Héma-Québec;
• Institut national d’excellence en santé et en services sociaux (National Institute for Excellence in Health and Social Services);
• Institut national de santé publique du Québec (National Institute for Public Health);
• Régie de l’assurance maladie du Québec (Health Insurance Board);
• an organization that coordinates organ or tissue donations, designated by the Ministry.
• a person or a partnership operating a private health facility within the meaning of the Act respecting health services and social services (chapter S-4.2);
• a person or a partnership operating a specialized medical centre within the meaning of the Act respecting health services and social services;
• a health communication centre governed by the Act respecting pre-hospital emergency services (chapter S-6.2);
• a person or a partnership operating a centre for assisted procreation within the meaning of the Act respecting clinical and research activities relating to assisted procreation (chapter A-5.01);
• a person or a partnership operating a laboratory within the meaning of the Act respecting medical laboratories and organ and tissue conservation (chapter L-0.2);
• a private seniors’ residence referred to in section 346.0.1 of the Act respecting health services and social services;
• an intermediate or family-type resource within the meaning of the Act respecting health services and social services;
• a resource offering lodging referred to in section 346.0.21 of the Act respecting health services and social services;
• a holder of a funeral services business license issued in accordance with the Funeral Operations Act (chapter A-5.02);
• a holder of an ambulance service permit issued in accordance with the Act respecting pre-hospital emergency services;
• a palliative care hospice within the meaning of the Act respecting end-of-life care (chapter S-32.0001).

Governance Requirements

If an entity qualifies as a HSSB, Bill 19 requires that it adhere to the following governance requirements when processing HSSI:

• Security safeguards: HSSBs must protect HSSI with measures that are reasonable given the sensitivity and the purposes to which the HSSI will be used, the quantity and distribution of the information, the medium on which it is stored and its format.
• Accuracy: HSSBs must ensure that HSSI is up to date and complete to serve the purposes for which it was collected or used. For example, health information used in an ongoing treatment of a patient will require a higher level of accuracy than contact details used for marketing purposes.
• Accountability: The person with the highest authority in the HSSB is responsible for ensuring compliance with Bill 19. This responsibility may be delegated in writing. The title of the person responsible for an HSSB’s compliance must be published on the web site or made available to the public.
• Access Restrictions: HSSBs must log all accesses they grant personnel and professionals practicing on their premises to the HSSI they hold as well as all uses made of the information. An annual report of these uses and accesses must be sent to the Ministry of Health and Social Services.
• Openness: HSSBs must adopt and make public on their website, or by another appropriate means, a governance policy the exact contents of which will be defined by the Minister but describing, among other things:
  • the roles and responsibilities of the personnel and professionals practicing their profession within HSSB as they concern the HSSI’s life cycle;
  • the categories of people who, in the exercise of their function, may have access to HSSI;
  • the logging mechanisms and security measures for ensuring protection of the HSSI;
  • an update schedule of the technological products or services an HSSB uses;
  • the procedure for managing data incidents;
  • the complaints handling procedure; and
  • a description of personnel training and awareness activities concerning the protection of HSSI.

HSSBs are also required to provide and train their employees and professional on their governance policy.

Privacy Impact Analysis (“PIA”): A HSSB must conduct a PIA every time it considers acquiring, developing, or overhauling a technological product or service or any electronic service delivery project where the project involves the collection use, storage, or destruction of HSSI. The PIA must be proportionate to the sensitivity of the information, the purpose for which it is used, the quantity distributed, and the medium on which it is stored and its format. It must also ensure that HSSI collected from an individual in a digital format be made accessible to that person in a structured, commonly used technological format. This requirement also appears in the overhaul of Québec’s private sector legislation that required PIA to be conducted not only when the acquisition and updating of technological products is considered but also when personal information is to be transferred outside provincial borders.

HSSBs are also required to keep a register of the technological products or services they use and make this available to the public on their websites or by another appropriate means.

Incidents: HSSBs that believe that HSSI has been compromised must notify the Minister of Health and Social Services, the Commission d’accès à l’information (Québec’s privacy commission; “CAI”) and the individuals whose HSSI is involved if the HSSBs have reason to believe that there is a risk of serious injury. HSSBs must also keep an incident register the contents of which are to be determined by government regulation.

Purpose limitation: Finally, HSSBs must dispose of HSSI once the purpose for which it was collected has been met. A government regulation will determine the minimum amount of time for which HSSI can be kept. This regulation has yet to be published.

Penalties.

Bill 19 provides for the following potential administrative monetary penalties:

• Fines ranging between $1,000 and $10,000 for a natural person or $3,000 and $30,000 in all other cases for anyone who:
  • collects, uses, keeps, destroys or accesses health or social services information in violation of the proposed law;
  • refuses to allow or impedes access to information that is accessible under the proposed law, in particular by destroying, modifying or concealing the information or by unduly delaying its transmission;
  • hinders the HSSI access authorization manager or a person in charge of the protection of HSSI in the exercise of the manager’s or person’s functions;
  • fails to report, where required to do so, a data incident to the Minister or to the CAI; or
  • fails to comply with the conditions set out in an authorization issued to a researcher or other body to access HSSI.
• Fines ranging between $5,000 and $100,000 for a natural person and $15,000 and $150,000 in all other cases for anyone who:
  • allows access to information to which access should be forbidden under the proposed law;
  • identifies or attempts to identify a natural person, without authorization, using de-identified information or using anonymized information,
  • uses a technological product or service that has not been certified by government regulation in instances in which such certification is required;
  • fails to comply with the governance requirements outlined above;
  • impedes the progress of an inquiry or inspection of the CAI or the hearing of an application by the CAI by providing false or inaccurate information, by failing to provide information it requires or otherwise;
  • fails to respond within the prescribed time to a demand sent by the CAI; or
  • fails to comply with an order of the CAI.

It should be noted that the CAI may also instigate penal proceedings for a breach of Bill 19. The statute of limitation for such an action is 5 years from the time the offence was committed.

Conclusion

Although certain provisions of Bill 19 may change before the final version of the Bill is voted on, the proposed law sends the message to HSSBs operating in Québec that they will be held to a relatively onerous HSSI governance standard – standards that already exist in other Canadian provinces.