ARTICLE
30 July 2024

Quebec's Act Respecting Health And Social Services Information: What About Service Providers?

R
ROBIC

Contributor

ROBIC logo
Explore
Following on from our article describing in greater detail the new obligations arising from the coming into force of the Act respecting health and social services information in Quebec and its impact on organizations in the health and social services sector...
Canada Food, Drugs, Healthcare, Life Sciences
Photo of Tara D’aigle-Curley
Photo of Ariane Ohl-Berthiaume
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

This article is the second in a series of two on the theme of Quebec's new law on health and social services information.

Following on from our article describing in greater detail the new obligations arising from the coming into force of the Act respecting health and social services information1 (the "Act") in Quebec and its impact on organizations in the health and social services sector ("HSSB"), we will now focus on the impact of the coming into force of the Act in the situation where an HSSB uses a service provider who does not render health and social services, but to whom health and social services information ("HSSI") will have to be communicated.

If your company must deal with HSSB as part of its activities and/or if some of your customers qualify as HSSB within the meaning of the Act, but you do not provide health or social services yourself, certain provisions of the Act will probably apply to your contractual relationship with this customer. It is therefore essential to be fully aware of the potential impact on your activities before doing business with a customer who qualifies as an HSSB within the meaning of the Act.

The first factor to consider when a HSSB must provide you with HSSI to enable the provision of your services is the necessity criterion. The Act stipulates that a HSSB may only communicate HSSI if it is necessary for the exercise of a mandate or the performance of a contract.2 In order to comply with this requirement, we recommend that you assess the real need for your company to receive communication of HSSI or to be granted access to this information, according to the criteria established by the courts and the directives of the Commission d'accès à l'information. If HSSI is not really necessary to provide your services, it is better to refrain from receiving and using it, in order to limit your risks. In each case, ask yourself whether it is possible to provide your services with as little information as possible, and whether this information can be denominated or anonymized before being transmitted to you.

To be valid, the mandate or contract with the HSSB must be in writing.3 It must also include the following provisions4:

  • The provisions of the Act that apply to HSSI communicated under the contract;
  • Measures your company must take during the term of the contract to ensure:
    • respecting the confidentiality of HSSI;
    • the protection of HSSI in accordance with the governance rules and specific rules defined by the network information officer5 ; and
    • that HSSI will only be used for the performance of the mandate or contract.
  • The obligations to be met by your company, such as:
    • before any communication, forward to the HSSB a confidentiality agreement completed by any person to whom a HSSI may be communicated or who may use it in the exercise of the mandate or for the performance of the contract;
    • use only technological products or services authorized by the HSSB to collect, store, use or communicate the HSSI when the mandate is exercised or the contract executed remotely;
    • notify the person in charge of the protection of information of the HSSB without delay of any breach or attempted breach by any person of any of the obligations relating to the protection of HSSI set out in the contract;
    • enable the HSSB to conduct audits or investigations related to the protection of HSSI;
    • transmit to the HSSB any information obtained or produced in the exercise of the mandate or in the performance of the contract, free of charge and whenever requested; and
    • do not keep the HSSI once the mandate has ended, and destroy them safely.

As a service provider to a HSSB, you must notify the HSSB in writing before engaging a subcontractor to carry out a mandate or perform a contract, and ensure that your subcontractor will be subject to the same obligations as your company.6 It is therefore important to ensure that you have the appropriate procedures and documentation in place to be able to disclose the list of your subcontractors to the HSSB. Your contract with your subcontractors must also comply with the terms and conditions set out in the Act.

Finally, a HSSB wishing to entrust a mandate or enter into a contract involving the disclosure of HSSI outside Quebec must carry out a privacy impact assessment ("PIA").7 The mandate may only be entrusted or the contract concluded if the PIA demonstrates that the HSSI would benefit from adequate protection, particularly with regard to generally recognized privacy principles. The agreement between your company and the HSSB must take into account the results of the PIA and, if applicable, the terms and conditions agreed upon to mitigate the risks identified in the PIA.

If your services involve the communication of HSSI outside Quebec, and considering the obligation for your customers who qualify as HSSB, it may be appropriate to carry out an initial PIA yourself for efficiency purposes, which can be provided to your current or potential customers at their request. In addition, you'll need to ensure that the contractual agreement in place reflects the results of this PIA.

Finally, if you have any doubts about the implications of the Act on your business relationship with your customers, including the extent to which the Act applies to your activities or those of your customers, we recommend that you contact our team to ensure that you meet your obligations in this regard. Please do not hesitate to contact the members of our Data Protection, Privacy and Cybersecurity group if you have any questions about the Act or any other subject related to the protection of personal information.

Footnotes

1. R-22.1 – Act respecting health information and social services (gouv.qc.ca)

2. R-22.1 – Act respecting health and social services information (gouv.qc.ca), section 77.

3. R-22.1 – Act respecting health and social services information (gouv.qc.ca), section 77.

4. R-22.1 – Act respecting health and social services information (gouv.qc.ca), sections 77, 90 and 97.

5. The network information officer is designated by the Minister and defines the specific rules applicable to organizations with respect to the management of the information they hold. (R-22.1 – An Act respecting health information and social services (gouv.qc.ca), sections 97 and following).

6. R-22.1 – Act respecting health and social services information (gouv.qc.ca), section 77.

7. R-22.1 – Act respecting health and social services information (gouv.qc.ca), sections 45 and 78.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Tara D’aigle-Curley
Tara D’aigle-Curley
Photo of Ariane Ohl-Berthiaume
Ariane Ohl-Berthiaume
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More