The Act Respecting Health And Social Services Information: New Regulation

Gowling WLG

Contributor

Gowling WLG is an international law firm built on the belief that the best way to serve clients is to be in tune with their world, aligned with their opportunity and ambitious for their success. Our 1,400+ legal professionals and support teams apply in-depth sector expertise to understand and support our clients’ businesses.

In Quebec, 2024 is shaping up to be a landmark year for the protection of personal health information.

In order to prepare for the imminent coming into force of the Act respecting health and social services information ("Law 5"), on July 1, 2024, the government has published two regulations aimed at clarifying the governance of health and social services information ("Information") held by organizations in the health and social services sector ("Organizations"). These regulations, published on June 12, 2024 in Part 2 of the Gazette officielle du Québec, will come into force on July 1, 2024.

First Regulation

The Regulation respecting the application of certain provisions of the Act respecting health and social services information (in French only), provided for in sections 4, 6, 9, 39, 107, 108 and 110 of Law 5 (the "First Regulation"), broadens the scope of Organizations. It specifies the consent procedures, the access conditions for a service provider who is not a professional within the meaning of the Professional Code, and the content of the technological products and services register, and it describes the information that must be included in confidentiality incident notices and in the confidentiality incidents register.

Second Regulation

The Regulation respecting the governance of health and social services information (in French only), provided for in section 90 of Law 5 (the "Second Regulation"), defines the scope of the rules governing information. It establishes the responsibilities that fall on Organizations, and the procedures for keeping and destroying Information, as well as the maintenance and evaluation of technological products or services. It should be noted that the governance rules concerning the quality of Information, categorization standards, mobility and enhancement of Information are not included in the Second Regulation, as the provisions of Law 5 providing for them will not be in force on July 1, 2024.

The main provisions of the First Regulation

  • Organization (s. 1): Educational institutions at college or university-level are added to the list of Organizations if they provide, among other things, health or social services.
  • Consent (ss. 2 to 6): The procedures for obtaining and withdrawing consent from individuals regarding the use and communication of their Information are defined. Consent may be given in writing or verbally, and may be withdrawn in the same manner. The way in which individuals may exercise their rights to restrict or refuse access to their Information is also specified.
  • Conditions to allow access to a service provider who is not a professional within the meaning of the Professional Code (ss. 7 to 9): The conditions that allow a service provider who is not a professional to access Information held by the Organizations are defined in the First Regulation.

    First, these parties are authorized to access the Information if it is necessary in order to provide health or social services, or to provide technical or administrative support to the person concerned. Before accessing this information, the parties in question must meet certain requirements: they must be members of the Organization's personnel, have completed specific training on how to protect personal information in accordance with the regulation, and undertake in writing to respect the confidentiality of any information that may come to their knowledge in the course of their duties.

    Finally, they must obtain the necessary authorizations from the person exercising the highest authority within the Organization.

    In addition to Organization members, this authorization may be granted to:

      • Students or trainees supervised by a health or social services professional, as part of their college or university studies.
      • Volunteers providing invasive care to assist with activities of daily living and administering prescribed medication, as described in sections 39.7 and 39.8 of the Professional Code.
      • An employee of a licensed personnel placement agency or a person who is independent labour, in accordance with the relevant legislation.
  • Content of the technological products and services register (s. 10): Organizations are required to keep a register of technological products and services. This register must contain the type of technological product or service, its description, the name of the supplier if applicable, and an indication of whether it is certified by the Minister and if it uses Information to render a decision based exclusively on automated processing.
  • Content of confidentiality incident notices and of the confidentiality incidents register (ss. 11 to 16): These provisions set out the content that must be included in notices sent to the Minister, the Commission d'accès à l'information, and the individuals affected by the incident, as well as in the register of confidentiality incidents.

The main provisions of the Second Regulation

  • Training (ss. 1 and 2): Organizations must provide the members of their personnel, professionals, students and trainees with an initial training recognized by the Minister. They must also ensure that everyone's knowledge of Information protection is kept up to date on an annual basis. This obligation also applies to volunteers providing invasive care to assist with activities of daily living and the administration of prescribed medication, as described in sections 39.7 and 39.8 of the Professional Code, as well as to employees of a licensed personnel placement agency or to persons who are independent labour, in accordance with the relevant legislation.
  • Consent (s. 3): Organizations must keep proof of any consent received in accordance with Law 5.
  • Duty to manage Information and individuals (ss. 5 to 7 and 9): Organizations will need to review the relevance of the categories of individuals identified in their information governance policy. They will also have to assess the compliance of logging mechanisms and monitor access, use and communication of Information held on a monthly basis. Until section 103 of Law 5 comes into force, Organizations will have to assess the compliance of logging mechanisms.
  • Creation of a governance committee (s. 8): All Organizations, except a few, will be required to set up a committee on the governance of information to support the person exercising the highest authority within the Organization in the exercise of the person's responsibilities.
  • Storage and destruction of Information (ss. 10 to 14): Organizations must ensure the protection of Information by controlling access to the premises where information is kept and complying with restrictions or refusals of access to Information. They must also destroy the Information in a secure and documented manner and must retain proof of such destruction. If the Information is destroyed by an external service provider, there must be a detailed contract in place with said service provider to ensure that destruction procedures are followed and confidentiality obligations met.
  • Appointment of individuals with new duties (ss. 4 and 16): Organizations will be required to appoint persons responsible for ensuring that individuals who have given notice of a restriction on access to their Information are adequately informed of the potential consequences and risks associated with the restricted exercise of this right. Organizations shall also appoint a person responsible for ensuring that technological standards applicable to the technological products or services are met and that the Information is secure.
  • Maintenance and assessment of technological products or services (ss. 15 and 17): Organizations will need to take steps to avoid or minimize the potential impacts that arise when the use of a technological product is no longer compliant or a service is no longer provided, and to evaluate the products or services used in accordance with applicable standards.

Key takeaways

To summarize, these regulatory measures represent a significant step forward in strengthening personal information protection in Quebec's health and social services sector.

By reinforcing the governance structures and clarifying the protocols for accessing and storing this information, the government seeks to ensure that data is managed in a more secure and transparent way, thereby enhancing the protection of all citizens.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
