Ontario’s health privacy law also applies to virtual visits: new guidelines

Patients’ consent to collect personal health information via virtual care tech should be obtained

Ontario’s health privacy law also applies to virtual visits: new guidelines

Ontario’s information and privacy commissioner has issued guidelines for health information custodians to better protect patients’ privacy and security on virtual health care visits, which may entail forms of digital communication like messaging, telephone consultation, and videoconferencing.

“The timing of these guidelines is fitting, as this month Ontarians mark the anniversary of the Covid-19 pandemic, which has accelerated the adoption of virtual health care options across the province,” wrote Clancy Catelin, a lawyer at Rosen Sunshine LLP, in a blog post dated Mar. 23.

The provincial health privacy law, the Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A, applies to virtual care the same way it does to in-person care. The commissioner’s guidelines explained the key requirements in the legislation pertaining to all custodians, including those offering virtual health care, and provides practical steps to custodians to safeguard personal health information in the virtual health care context.

Ontario’s health privacy law requires that custodians not collect, use or disclose personal health information if other information can serve the purpose of the collection, use or disclosure or if the info affected is more than is reasonably necessary to meet the objective. Custodians should also take reasonable steps to safeguard personal health information against theft, loss and unauthorized use or disclosure, and ensure that records are protected against unauthorized copying, modification, and disposal and securely retained, transferred, and disposed.

If an electronic service provider is involved, the custodians and the electronic service provider face additional obligations, which will depend on whether the provider is the custodian’s agent.

As for practical steps for health information custodians, these include determining which statutory, professional, or regulatory rules govern them and understanding their obligations. The guidelines also advise custodians to conduct privacy impact assessments and develop a virtual health care policy addressing the specifics for the provision of virtual health care, identifying any conditions or restrictions in doing so and setting out the administrative, technical and physical safeguards to be implemented. These custodians should also have a robust information security management framework and ensure that their employees and agents participate in ongoing privacy and security training.

The guidelines also direct custodians to inform patients, in plain language, of the limitations and risks of virtual health care visits and to document this discussion. Custodians should acquire patients’ consent to collect, use and disclose personal health information via virtual care technologies and services and tell patients that they may withdraw consent anytime. Custodians should then implement and ensure the compliance of technical, physical, and administrative safeguards for the protection of personal health information and additional safeguards for emails while keeping in mind that this protection is an ongoing obligation.

While virtual health care delivery has the benefit of convenience, it gives rise to new privacy and security concerns and cybersecurity risks, considering that it relies on technologies, communication infrastructures, and remote environments, said the news release.

Ontario Health has designed a standard that aims to help custodians as they select a vendor of virtual visits solutions and provides the requirements for a product or service to be verified by Ontario Health.

Recent articles & video

Manitoba First Nations' class action seeks treaty annuity payments

Roundup of law firm hires, promotions, departures: April 22, 2024 update

Supreme Court of Canada sets hearings for Aboriginal, administrative, criminal law cases

Fasken, Stikeman Elliot, TGF act in commercial cases worth $350–500 million

Overcoming the challenges of starting your own personal injury practice

What could you be doing with your money if it wasn't tied up in disbursements?

Most Read Articles

BC Supreme Court upholds mother’s will against son's claims for greater inheritance

BC Supreme Court clarifies when spousal and child support obligations should end

Federal Court approves $817 million settlement for disabled Canadian veterans

2024 Canadian Law Awards Excellence Awardees revealed