Home Compliance Bulletins IPC voices its concerns with proposed PHIPA digital health amendments

IPC voices its concerns with proposed PHIPA digital health amendments

In December the Ontario Minister of Health tabled Bill 231 introducing amendments to the Personal Health Information Protection Act, 2004 (PHIPA) designed to support activation of the government’s “Digital First for Health” strategy.[1]  Specifically, they include a number of features aimed at operationalizing patients’ access to their health records, as contained in the province’s Electronic Health Record system (“EHR”), as well as enabling digital access to an increasing range of digital health care resources.  The Ontario Information and Privacy Commissioner (”IPC”) has submitted a detailed commentary on the amendments, raising significant concerns from both privacy and equity perspectives.[2]

The key component of the proposed digital access system will be a “Digital Health ID” intended to authenticate the user/patient and validate their request to access the EHR and other digital health care resources.  The Digital Health ID would be maintained by Ontario Health, the government agency that also maintains the EHR as well as a number of other repositories of personal health information collected for purposes of health care planning and research.

The substance of the Bill 231 amendments originally was set forth in two proposed amendments to the PHIPA Regulations published for consultation last summer.[3]  At the time, the IPC responded citing a number of privacy concerns with both the new access rules and the Digital Health ID.[4]

The IPC has reiterated these concerns in providing comments on Bill 231 but also has stressed other concerns, including the undefined nature of potential uses for the Digital Health ID, the potentially major remaking of PHIPA’s rules and responsibilities regime through regulation as opposed to statutory amendment, and the blurring together of Ontario Health’s various roles as a prescribed entity for receiving PHI for purposes of research and system planning without patient consent at the same time being the designated provider of the Digital Health ID.

As set forth by the IPC in its commentary on the earlier proposed regulations,

[t]he Proposal seeks to introduce separate but related programs aimed at providing individuals access to various digital health resources, including certain personal health information held in the provincial [Electronic Health Record]. A central component of this broad initiative is a digital identity ecosystem that depends on the collection and use of Ontarians’ personal health information …  within a new database. The Proposal also introduces a new model of health care delivery by digital means.

The proposed amendments are designed to advance the province’s “Digital First for Health Care” strategy[5] and can be viewed as actioning toward the integrated health data strategy outlined in the Ontario Health Data Council’s 2023 Report, A Vision for Ontario’s Health Data EcosystemThe OHDC’s Report set forth a number of recommendations for a harmonized integrated health data approach benefiting both patients and providers with a view to informing care decisions, plans, and experiences.  Beyond direct care, the OHDC saw health data as needed for planning and research purposes for use by administrators, system planners, policymakers and researchers who, to achieve their goals, need to be able to share, and have access to, real-time integrated clinical data.

The EHR access amendments

The EHR is intended to provide a centralized, single access, province-wide record of all patient interactions with the health care system – including physicians’ reports, hospital visits, lab tests and other diagnostic results.  While it is designed primarily for use by health care providers and other health care system stakeholders it also is intended to be used by patients with a view to enabling their access to information right under PHIPA as well as enabling them to make more informed decisions about their care experiences.

The amendments will establish rules for patient access to the EHR and to the extent that they apply to data in the EHR will replace PHIPA’s current access to information rules, in place but not yet in force.

Currently, under the PHIPA provisions relating to the EHR, individuals are entitled to access their health records as well as the logs documenting interactions with the EHR required to be maintained by Ontario Health.[6]  The Ministry of Health previously (in 2022) proposed regulations setting out the rules and restrictions for giving effect to these rights.

Bill 231 would repeal the current, not yet in force EHR access provisions and replace them with new rules that require a “digital means of access” relying on the framework contemplated by the Digital Health ID.  The new digital framework would confirm an individual’s identity in order for them to access their records in the EHR. As part of this process an “Ontario Health Account” would be created for the individual, and maintained by Ontario Health, as a persistent digital health identity to be used in authentication for subsequent digital access purposes.

In its commentary, the IPC articulated two key concerns with the proposed new EHR access rules.

Firstly, on its face the new rules would set up a two-tiered access system: one for those who can use Digital Health IDs to gain digital access and one for those who cannot use it. For example, minors who lack the capacity to consent to the collection, use and disclosure of their PHI and individuals who lack access to devices would not be eligible to use a Digital Health ID and therefore not be able to use the digital access system.

Secondly and arguably most importantly, while Bill 231 contemplates reintroducing EHR access rights, it does so in a manner that would reduce Ontarians’ right to access all of their health records, for the following reasons.

The new access regime would not come into force until a later date and would authorize the government to restrict access rights by excluding classes of records and classes of persons from access to those records, or by blocking access altogether.

Furthermore, while Ontario Health will be required to provide individuals with access to the logs of interactions with their record, this requirement would be scaled back from providing access to the logs themselves to providing only “summaries” of the logs.

Finally, as currently proposed, only data related to laboratory reports and digital imaging will be included, contrasting with the phased-in approach to include access to clinical reports and drugs as under the current not-yet-proclaimed regulations.  Thus, in the IPC’s view, the proposed regime limits eventual access to all clinical data in the EHR relating to an individual and undermines meaningful access to their health records.

The Digital Health ID amendments

The key element in the new individual access rules will be the proposed “Digital Health ID” which is intended to provide a secure digital identity to authenticate and validate, for each individual patient, their identity when seeking to access their records in the EHR as well as to other resources and services within the health care system, which are foreseen to be provided, going forward, on an increasingly digital basis.  In essence, the Digital Health ID would serve as an individual’s “digital doorway” not only to accessing their health information record but also, increasingly, to health care services.

The proposed Digital Health ID system would create a central database that holds an individual’s “Ontario Health Account” and all the personal information used to substantiate it, including their health card number, date of birth, photograph and any other information that is required to authenticate their identity.

The Ministry proposes a system that will deliver digital identity confirmation services—i.e. validation, verification and authentication, among digital resources so that the providers of those resources such as Ontario Health, approved custodians and the Ministry can be sure that a person is who they say they are before allowing them to access health care resources and services, including the EHR.  In the IPC’s words, the component parts of the system are complex and technical but viewed altogether, they create a “digital identity ecosystem” with Ontario Health at the center.

The IPC references a 2019 Resolution of the provincial and territorial privacy regulators in which it was recognized that such systems pose significant privacy, security, transparency and accountability concerns given that their essence is the communicating of an individual’s identity for purposes of accessing digital resources.  In the Resolution the regulators set out a non-exhaustive list of requirements for such systems, including: privacy impact assessments; the availability of alternative forms of identification which are convenient and accessible so as to ensure equitable access to services for all potential users; limiting the amount of personal health information needed to confirm an individual’s identity; not creating any central databases containing such information; and ensuring that such systems are properly protected not only from illegal use but also from tracking or tracing purposes. Finally, such systems must be subject to independent oversight.

In the IPC’s view, it is not clear whether or how the proposed digital identity framework will meet the requirements for digital identity systems set out by the privacy regulators.  In particular, it contemplates the on-going collection and use of an individual’s sensitive identifying information between private and public sector entities providing the validation and health care resources, without clear accountability and without any access or correction rights.

The IPC notes that the access to information rules under Part V of PHIPA will not apply to an individual’s Ontario Health Account with the result that there will be no right of access to that database, including who is viewing and using their PHI.

In sum, in the IPC’s view, the proposed Digital Health ID model requires more careful upfront consideration, planning and design than exists within the digital identity system as proposed.

Other provisions potentially altering established PHIPA rules

The IPC also expressed concern regarding Bill 231’s provisions potentially altering established rights under PHIPA through future regulations.  It cites by way of example the Act’s core consent requirement, which under the Bill may be excluded with respect to PHI within the digital identifier system for “specified activities”, to be set out through future regulations.

In the IPC’s view, fundamental policy choices under the legislation such as exceptions to the consent rule should be circumscribed by a clear and justifiable purpose in the law itself, not left open to be determined through future regulations.

The Bill also provides for the use of Ministerial Directives to make policy determinations such as prescribing categories of individuals eligible to participate in the digital identifier system.  In the IPC’s view, Ministerial Directives are not appropriate for the purposes for which they are being proposed under the Bill. Directives are appropriate for guiding the implementation of legal requirements, not for establishing the very legal requirements to be implemented.

Summary

In sum, in the IPC’s view the proposed amendments appear unduly rushed and awkwardly tacked onto PHIPA. The result is a complex and confusing set of provisions that will be very difficult to interpret, implement and enforce in practice.  The proposed model represents a significant shift to digital tools in how individuals interact with the health care system which requires more careful consideration to ensure the necessary level of accountability, transparency and independent oversight.  While the IPC supports the objective underlying the digital identity system – enabling easy, meaningful access to one’s health records – as currently set forth in proposed legislation, in the IPC’s view, the proposal does not achieve this objective.

For more information please contact:      David Young       416-968-6286     david@davidyounglaw.ca

Note:     The foregoing does not constitute legal advice. © David Young

Read the PDF: IPC voices its concerns with proposed PHIPA digital health amendments

[1] Bill 231, More Convenient Care Act, 2024, Schedule 6.

[2] Letter dated December 12, 2024 to Christine Hogarth, Chair, Standing Committee on Social Policy, Legislative Assembly of Ontario.

[3] Amendment of Regulation O. Reg. 329/04 (General) under the Personal Health Information Protection Act, 2004 (PHIPA) to provide validation, verification and authentication services and support access to personal health information held in the electronic health record (EHR);

[4] Letter dated September 4, 2024 to Paul Pirie, Director (Acting), Digital Health Program Branch Digital and Analytics Strategy Division, Ministry of Health | Ministry of Long-Term Care.

[5] “Ontario Expanding Digital and Virtual Health Care”, News Release, November 13, 2019.

[6] PHIPA, s. 51(5).