BILL 88
Personal Health Information
Privacy and Access Act
Her Majesty, by and with the advice and
consent of the Legislative Assembly of New Brunswick, enacts as follows:
PART 1
INTERPRETATION, PURPOSES AND APPLICATION
Definitions
1 The following definitions apply in this Act.
“agent”, in relation to a custodian,
means an individual or organization that acts for or on behalf of
the custodian in respect of personal health information for the purposes
of the custodian and not for the agent’s own purposes, whether
or not employed by the custodian or being remunerated. (mandataire)
“Commissioner” means the Access
to Information and Privacy Commissioner appointed under the Right to Information and Protection of
Privacy Act or any person performing the duties and exercising
the powers of the Access to Information and Privacy Commissioner under
that Act. (commissaire)
“common-law partner”, in relation
to any person, means a person who, not being the spouse of that person,
is residing with that person and who has cohabited continuously in
a conjugal relationship with that person for at least 2 years. (conjoint de fait)
“custodian” means an individual
or organization that collects, maintains or uses personal health information
for the purpose of providing or assisting in the provision of health
care or treatment or the planning and management of the health care
system and includes (dépositaire)
(a) public bodies,
(b) health care providers,
(c) the Minister,
(d) the following organizations or agencies:
(i) Ambulance New Brunswick Inc.,
(ii) the New Brunswick Health Council,
(iii) FacilicorpNB Ltd.,
(iv) regional health authorities,
(v) the
Workplace Health, Safety and Compensation Commission, and
(vi) the Canadian Blood Services,
(e) information managers,
(f) researchers conducting
a research project approved in accordance with this Act,
(g) health care facilities,
(h) a laboratory or a
specimen collection centre,
(i) nursing homes and
operators as those terms are defined in the Nursing Homes Act, and
(j) a person designated in the regulations as a custodian.
“data matching” means
the creation of identifying information by combining identifying information
or de-identified personal health information or other information
from 2 or more electronic data bases or 2 or more electronic records. (appariement de données)
“de-identified”, when referring
to personal health information, means personal health information
from which all identifying information has been removed. (anonymisé)
“health care” means any observation,
examination, assessment, care, service or procedure that is carried
out or provided for a health-related purpose and (soins de santé)
(a) to diagnose, treat
or maintain an individual’s physical or mental condition,
(b) to prevent disease or injury or to promote health, or
(c) as part of rehabilitative or palliative care,
and includes
(d) the compounding
of a drug, for the use of an individual, pursuant to a prescription,
(e) the dispensing or selling of a drug, a device, equipment
or any other item to an individual, or for the use of an individual,
pursuant to a prescription, and
(f) a health care service
prescribed by regulation.
“health care facility” means (établissement de soins de santé)
(a) a hospital,
(b) a community health centre,
(c) a medical clinic,
(d) a pharmacy, and
(e) any other facility
in which health care is provided and that is designated in the regulations.
“health care provider”
means a person who is registered or licensed to provide health care
under an Act of the Legislature or who is a member of a class of persons
designated as a health care provider in the regulations. (fournisseur de soins de santé)
“identifying information” means
information that identifies an individual or for which it is reasonably
foreseeable in the circumstances that it could be utilized, either
alone or with other information, to identify an individual. (renseignements identificatoires)
“information manager” means
an individual or organization that on behalf of a custodian (gestionnaire de l’information)
(a) processes,
stores, retrieves, archives or disposes of personal health information,
(b) de-identifies or otherwise transforms personal health
information, or
(c) provides information management or information
technology services.
“information practices”, in
relation to a custodian, means the policy of the custodian governing
actions in relation to personal health information, including (pratiques relatives aux renseignements)
(a) when, how
and the purposes for which the custodian routinely collects, uses,
modifies, discloses, retains or disposes of personal health information,
and
(b) the administrative, technical and physical safeguards
and practices that the custodian maintains with respect to the information.
“Minister” means the
Minister of Health. (ministre)
“personal health information”
means identifying information about an individual in oral or recorded
form if the information (renseignements personnels sur la
santé)
(a) relates to the individual’s
physical or mental health, family history or health care history,
including genetic information about the individual,
(b) is the individual’s
registration information, including the Medicare number of the individual,
(c) relates to the provision of health care to the individual,
(d) relates to information about payments or eligibility
for health care in respect of the individual, or eligibility for coverage
for health care in respect of the individual,
(e) relates to
the donation by the individual of any body part or bodily substance
of the individual or is derived from the testing or examination of
any body part or bodily substance,
(f) identifies the individual’s
substitute decision-maker, or
(g) identifies an individual’s
health care provider.
“pharmacy” means a shop, store
or place of business holding a valid certificate of accreditation
under the Pharmacy Act. (pharmacie)
“public body” means a public
body as defined in the Right to Information
and Protection of Privacy Act. (organisme public)
“record” means a record containing
information in any form, including information that is oral, written,
photographed, recorded or stored in any manner, on any storage medium
or by graphic, electronic, mechanical or any other means, but does
not include electronic software or any mechanism that produces records. (document)
“registration information”
means information about an individual that is collected for the purpose
of registering the individual for the provision of health care, and
includes a health care number, hospital record number and any other
identifier assigned to an individual. (renseignements d’inscription)
“research” means a systematic
investigation designed to develop or establish principles, facts or
general knowledge, or any combination of them, and includes the development,
testing and evaluation of research. (recherche)
“spouse” in relation
to any person, means a person who is married to and residing with
that person. (conjoint)
“substitute decision-maker”,
in relation to an individual, means, unless the context requires otherwise,
a person who is authorized under this Act to give, withhold or to
withdraw consent on behalf and in the place of the individual with
respect to the collection, use or disclosure of the individual’s
personal health information. (mandataire spécial)
“use” means to handle
or deal with information and includes reproducing the information,
but does not include disclosing the information. (utiliser)
Purposes
2 The purposes of this Act are
(a) to provide individuals with a right to examine and
receive a copy of their personal health information maintained by
a custodian, subject to the limited and specific exceptions set out
in this Act,
(b) to provide individuals with the right to request the
correction of or amendment to their personal health information maintained
by a custodian, subject to the limited and specific exceptions set
out in this Act,
(c) to establish a set of rules for custodians regarding
the collection, use, disclosure, retention and secure destruction
of personal health information that protects the confidentiality of
personal health information and the privacy of the individual to whom
the personal health information relates,
(d) to facilitate the effective provision of care and planning
and management of the health care system,
(e) to establish mechanisms to ensure the accountability
of persons having custody or control of personal health information
and to safeguard the security and integrity of the personal health
information in their custody or control,
(f) to establish mechanisms to safeguard the security and
integrity of personal health information by those persons having custody
or control of that information,
(g) to provide for an independent review and resolution
of complaints made in respect to personal health information, and
(h) to provide effective remedies for contraventions
of this Act.
Application
3(1) This Act applies
(a) to personal health information that is collected, used
or disclosed by a custodian or that is in the custody or control of
a custodian, and
(b) to personal health information that was collected before
the coming into force of this Act and that is prescribed by regulation.
3(2) Unless otherwise specifically provided in this Act, this Act
does not apply to
(a) anonymous or statistical information that does not,
either by itself or when combined with other information available
to the holder of the information, permit individuals to be identified,
(b) an individual’s personal health information
if
(i) one hundred years have passed since
the record containing the information was created, or
(ii) fifty years have passed since the
death of the individual,
(c) an individual or organization that collects, maintains
or uses personal health information for purposes other than health
care or treatment and the planning and management of the health care
system, including
(i) employers,
(ii) insurance companies,
(iii) regulatory bodies of health care
providers,
(iv) licensed or registered health care
providers who do not provide health care, or
(v) any other individual or organization
prescribed by regulation,
(d) a note made by or for, or a communication or draft decision
of, a person who is acting in a judicial or quasi-judicial capacity,
(e) a constituency record of a Minister of the Crown,
and
(f) information in a court record, a record of a judge,
a judicial administration record or a record relating to support services
provided to a judge or to a court official.
3(3) Unless otherwise specifically provided in this Act, this Act
(a) does not affect the law of evidence,
(b) does not restrict information that is otherwise available
by law to a party to legal proceedings,
(c) does not affect any information that would disclose
privileged communications,
(d) does not affect the power of a court or tribunal to
compel a witness to testify or to compel the production of documents,
(e) does not interfere with the activities of a
body with statutory responsibility for the discipline of health care
providers,
(f) does not affect a court order that prohibits a person
from making information public or from publishing information,
(g) is in addition to and does not replace existing
procedures for access to records or information normally available
to the public, and
(h) does not prohibit the transfer, storage or disposition
of a record in accordance with another Act of the Legislature or the
Parliament of Canada.
Conflict with another Act
4(1) Unless otherwise provided in the regulations, if a provision
of this Act is in conflict with a provision of another Act of the
Legislature, this Act prevails unless the other Act of the Legislature
more completely protects the privacy of the personal health information.
4(2) Unless otherwise provided in this Act or the regulations, this
Act does not apply to a record created or information held by a person
under or for the purpose of the provisions of the following Acts of
the Legislature, notwithstanding that the information would otherwise
be considered to be personal health information or the person would
otherwise be considered to be a custodian within the meaning of this
Act:
(a) sections 11.1 and 11.2, Part III and Part V of the Family Services Act; and
(b) any Act of the Legislature or any provision
of an Act of the Legislature prescribed by regulation.
4(3) For greater certainty, the provisions of the Mental Health Act prevail over
this Act.
4(4) For the purpose of this section, a
conflict shall not exist unless it is impossible to comply with both
this Act and another Act of the Legislature.
Application of the Medical Consent of Minors Act
5 The Medical Consent of Minors Act applies for the purpose of providing the consent of the person to
the collection, use or disclosure of personal health information or
for the refusal or withdrawal of the person’s consent.
Right to Information
and Protection of Privacy Act
6(1) The Right to Information and
Protection of Privacy Act does not apply to personal health
information in the custody or under the control of a custodian unless
this Act specifies otherwise.
6(2) If a request is made under section 7 that contains information to which the Right to Information and Protection of
Privacy Act applies, the part of the request that relates to
that information is deemed to be a request under section 8 of the Right to Information and Protection of
Privacy Act and that Act applies to that part of the request
as if it had been made under section 8 of that Act.
6(3) If a request is made under section 15 to correct information to which the Right to Information and Protection of
Privacy Act applies, the request is deemed to be a request
under section 40 of the Right to
Information and Protection of Privacy Act and that Act applies
to the request as if it had been made under section 40 of that Act.
6(4) Subsection (2) or (3) does not apply if the custodian that receives
the request is not a public body.
PART 2
ACCESS TO PERSONAL HEALTH INFORMATION
Division A
Right to examine or copy personal health
information
Right to examine or copy personal health
information
7(1) Subject to this Act, an individual has a right, on request, to
examine or receive a copy of his or her personal health information
maintained by a custodian.
7(2) A request made under this section shall
(a) be made to the custodian that the individual believes
has custody and control of the personal health information, and
(b) contain sufficient detail to permit the custodian
to identify and locate the record with reasonable efforts.
7(3) A custodian may require a request to be in writing.
Duty to assist an individual
8 If a request under section 7 does
not contain sufficient detail to permit the custodian to identify
and locate the record containing the personal health information with
reasonable efforts, the custodian shall offer assistance to the person
who made the request to reformulate the request to comply with that
section.
Application of the Official Languages Act
9 A custodian to whom the Official
Languages Act applies shall, if an individual’s record
containing personal health information is not available in the individual’s
official language of choice, accommodate the individual’s official
language needs by
(a) providing the individual with access to a physician
or other health care provider to assist the individual in interpreting
his or her record, or
(b) translating or causing to be translated the relevant
provisions of the individual’s record for the purpose of a unilingual
physician treating the individual if the record is in an official
language the physician cannot understand.
Custodian’s response
10(1) A custodian shall respond to a request made under section 7 as promptly as required in the circumstances,
but no later than 30 days after receiving it, unless the time limit
for responding is extended under subsection (6) or (7) or the request
is transferred to another custodian under section 11.
10(2) The failure of a custodian to respond to a request within the
30-day period is to be treated as a decision to refuse to permit the
personal health information to be examined or copied.
10(3) In responding to a request, a custodian shall do one of the following:
(a) make the personal health information available
for examination and provide a copy, if requested, to the individual;
(b) inform the individual in writing if the information
does not exist or cannot be found; or
(c) inform the individual in writing that the request is
refused, in whole or in part, for a specified reason described in
section 14, and advise the individual
of the right to make a complaint about the refusal under Part 6.
10(4) A custodian shall, on request, provide assistance to an individual
in reviewing the individual’s personal health information.
10(5) If a request is made for personal health information that a custodian
maintains in electronic form, the custodian shall produce a record
of the information for the individual in a form usable by the individual
if it can be produced using the custodian’s normal computer
hardware and software and technical expertise.
10(6) The custodian may extend the time for responding to a request
for up to an additional 30 days if
(a) the individual making the request does not give enough
detail to enable the custodian to identify a requested record,
(b) the individual making the request does not respond
to a request for clarification by the custodian as soon as practicable,
(c) the relevant provisions of the individual’s
record are being translated for a unilingual physician treating the
individual if the record is in an official language the physician
cannot understand,
(d) a large number of records is requested or must be searched
or responding within the time period set out in subsection (1) would
interfere unreasonably with the operations of the custodian,
(e) time is needed to notify and receive representations
from a third party or to consult with another custodian before permitting
the personal health information to be examined or copied, or
(f) the individual requests records that relate
to a proceeding commenced by a Notice of Action or a Notice of Application.
10(7) In any case referred to in subsection (6), the custodian may,
if approved by the Commissioner, extend the time limit for responding
to a request for a period longer than 30 days.
10(8) If the time limit for responding to a request is extended under
subsection (6) or (7), the custodian shall send a written notice to
the applicant setting out
(a) the reason for the extension,
(b) when a response can be expected, and
(c) if the time limit is extended without the approval of
the Commissioner, that the person may file a complaint with the Commissioner
about the extension.
Transferring a request to another custodian
11(1) Within 10 days after receiving a request
under section 7, a custodian may
transfer a request to another custodian if
(a) the personal health information is maintained by the
other custodian, or
(b) the other custodian was the first to collect the personal
health information.
11(2) If a request under section 7 is transferred under this section,
(a) the custodian who transferred the request shall notify
the individual making the request of the transfer in writing as soon
as possible, and
(b) the custodian to which the request is transferred shall
respond to the request within 30 days after receiving it, unless the
time for responding to the request is extended under subsection 10(6).
Custodian shall take precautions about
release
12 A custodian shall
(a) not permit personal health information to be examined
or copied without being satisfied as to the identity of the individual
making the request, and
(b) take reasonable steps to ensure that any personal health
information intended for an individual is received only by that individual.
Fees
13(1) A custodian shall permit an individual to examine a record free
of charge and may, in accordance with the regulations, require an
individual to pay to the custodian a fair and reasonable fee for search,
preparation, copying and delivery services.
13(2) The custodian may, in accordance with the regulations, if any,
waive the payment of all or part of a fee.
13(3) The search, preparation, copying and delivery fees referred to
in subsection (1) must not exceed the greater of the following:
(a) the amount provided for in the regulations;
and
(b) the actual costs of the services provided.
Reasons for refusing request
14(1) A custodian is not required to permit an individual to examine
or copy his or her personal health information under this Part
(a) if knowledge of the information could reasonably
be expected to endanger the health or safety of the individual or
another person,
(b) if disclosure of the information would reveal personal
health information about another person who has not consented to the
disclosure,
(c) if disclosure of the information could reasonably be
expected to identify a third party, other than another custodian,
who supplied the information in confidence under circumstances in
which confidentiality was reasonably expected,
(d) if the information was compiled and is used solely
(i) for the purpose of review by
a committee established to study or evaluate the health care practices
of a health care facility,
(ii) for the purpose of a body with statutory
responsibility for the discipline of health care providers or to regulate
the quality or standards of professional services provided by health
care providers, or
(iii) for the purposes of risk management,
error management or for the purpose of activities to improve or maintain
the quality of care or to improve or maintain the quality of any related
programs or services of the custodian,
(e) if the information was compiled principally in anticipation
of, or for use in, a civil, criminal or quasi-judicial proceeding
to which the custodian is or may be a party or is protected by privilege,
(f) if the information is protected by privilege,
(g) if another Act of the Legislature or the Parliament
of Canada or a court order prohibits disclosure of the personal health
information to the individual,
(h) if the personal health information was collected for
purposes of an investigation conducted pursuant to an Act of the Legislature,
or
(i) for any reason prescribed by regulation.
14(2) A custodian may consult with a health care provider who has been
involved in an individual’s care, or another health care provider,
before deciding to refuse to permit personal health information to
be examined or copied under paragraph (1)(a).
14(3) A custodian who refuses to permit personal health information
to be examined or copied under subsection (1) shall, to the extent
possible, sever the personal health information that cannot be examined
or copied and permit the individual to examine and receive a copy
of the remainder of the information.
Division B
Correction of personal health information
Right to request a correction
15(1) For purposes of accuracy or completeness, an individual may make
a request to correct any personal health information that the individual
may examine and copy under this Part.
15(2) A request shall be in writing.
15(3) Within 30 days after receiving a request under subsection (1),
the custodian shall do one of the following:
(a) make the requested correction to the record of the personal
health information in a manner that it will be read with and form
part of the record or be adequately cross-referenced to it;
(b) inform the individual, in writing, if the personal
health information no longer exists or cannot be found;
(c) if the custodian does not maintain the personal health
information,
(i) inform the individual making the request
that the custodian does not maintain the personal health information;
(ii) provide the individual with
the name and address of the custodian who maintains the personal health
information, if known; and
(iii) if the custodian who maintains the
personal health information is known, transfer the request to that
custodian and notify the individual making the request of the transfer;
(d) inform the individual in writing of the custodian’s
refusal to correct the record as requested, the reason for the refusal,
and the individual’s right to add a statement of disagreement
to the record and to make a complaint about the refusal under Part
6.
15(4) The custodian may, if approved by the
Commissioner, extend the time limit for responding to a request for
a period longer than 30 days.
15(5) A custodian who refuses to make a correction that is requested
under this section shall
(a) permit the individual to file a concise statement of
disagreement stating the correction requested and the reason for the
correction, and
(b) add the statement of disagreement to the record in a
manner that it will be read with and form part of the record or be
adequately cross-referenced to it.
15(6) If a custodian makes a correction or adds a statement of disagreement
under this section, the custodian shall, when practicable, notify
any other custodian or person to whom the personal health information
has been disclosed about the correction or statement of disagreement.
15(7) A custodian shall make the correction or add the statement of
disagreement, if applicable, to any record of the personal health
information that the custodian maintains.
15(8) A custodian shall not charge a fee in connection with a request
for a correction made under this section.
Division C
Informal Access
Informal access
16 Nothing in this Part prevents a custodian from
(a) granting an individual access to a record of his or
her personal health information if the individual makes an oral request
for access or makes no request, provided that access is authorized
under this Part, and
(b) communicating with the individual about the collection,
use or disclosure of the individual’s personal health information.
PART 3
CONSENT RE PERSONAL HEALTH INFORMATION
Division A
General
Elements of consent
17(1) If this Act or any other Act of the Legislature requires the
consent of an individual to the collection, use or disclosure of personal
health information by a custodian, the consent
(a) shall be a consent of the individual, if the individual
is capable of granting consent, or the consent of a substitute decision-maker,
(b) shall be knowledgeable,
(c) shall be able to be withdrawn or withheld,
(d) shall relate to the personal health information,
(e) shall not be obtained through deception or coercion,
and
(f) may be express or implied.
17(2) The consent to the collection, use or disclosure of an individual’s
personal health information is knowledgeable if it is reasonable in
the circumstances to believe that the individual knows
(a) the purpose of the collection, use or disclosure, as
the case may be,
(b) that the individual may give or withhold consent, and
(c) that the information can only be collected used
or disclosed without his or her consent in accordance with the provisions
of this Act.
17(3) Unless it is not reasonable in the circumstances to make the
assumption, a custodian is entitled to assume that an individual knows
the purpose of the collection, use or disclosure of the individual’s
personal health information by a custodian if the custodian posts
or makes readily available a notice describing the purpose where it
is likely to come to the individual’s attention or provides
the individual with such a notice.
Implied, knowledgeable and continuing consent
18(1) Unless it is not reasonable in the circumstances to make the
assumption, a custodian is entitled to assume that he or she has the
individual’s implied consent, and to assume the consent is knowledgeable,
to collect or use the individual’s personal health information
or to disclose that information to another custodian or person for
the purpose of providing health care to that individual.
18(2) If a custodian receives personal health information relating
to an individual from the individual, the individual’s substitute
decision-maker or another custodian for the purpose referred to in
subsection (1), the custodian is entitled to assume that he or she
has the individual’s continuing implied consent to collect,
use or disclose the personal health information for that purpose,
unless the custodian that receives the personal health information
is aware that the individual has expressly withheld or withdrawn the
consent.
Express consent
19(1) Unless otherwise provided in this Act, express consent of an
individual is required in relation to the collection, use or disclosure
of his or her personal health information by a custodian, including
when the custodian discloses information to
(a) the media,
(b) a person for the purpose of fundraising activities,
(c) a visitor to a health care facility,
(d) a person outside New Brunswick, and
(e) a person for the purpose of research.
19(2) The consent of an individual to the collection, use or disclosure
of personal health information by a custodian is express if
(a) the custodian requests the individual to provide
the personal health information,
(b) the individual knows the purpose of the collection,
use or disclosure of the information, as the case may be, and
(c) the individual grants the custodian permission,
the contents of which may be prescribed by regulation, in writing,
to collect, use or disclose the information.
19(3) Additional requirements of what constitutes express consent of
an individual may be prescribed by regulation.
Conditional consent
20 If an individual places a condition on his or her consent to have
a custodian collect, use or disclose the individual’s personal
health information, the condition is not effective to the extent that
it purports to prohibit or restrict any recording of personal health
information by a custodian that is required by law or by established
standards of professional practice or institutional practice.
Assumption of validity
21 A custodian who has obtained an individual’s consent to the
collection, use or disclosure of the individual’s personal health
information or who has received a copy of a document purporting to
record the individual’s consent to the collection, use or disclosure
of the information is entitled to assume that the consent fulfils
the requirements of this Act and the individual has not withdrawn
it, unless it is not reasonable in the circumstances to make the assumption.
Refusal to consent or withdrawal of consent
22(1) An individual may refuse to grant his or her consent or withdraw
his or her consent to the collection, use or disclosure of the individual’s
personal health information by a custodian except if
(a) it is prohibited by law to withdraw consent,
(b) the collection, use or disclosure is for the
purposes of a program to monitor the prescribing, dispensing or use
of certain classes of drugs,
(c) the collection, use or disclosure is for the purposes
of the creation or maintenance of an electronic health record, or
(d) the collection, use or disclosure is for another
purpose provided for in this Act.
22(2) If an individual refuses to grant consent or withdraws his or
her consent to the collection, use or disclosure of his or her personal
health information under subsection (1), the custodian shall
(a) take reasonable steps to act in accordance with
the decision,
(b) inform the individual of the implications of the refusal
or withdrawal, and
(c) inform the other custodians, if any, holding the individual’s
personal health information of the decision.
22(3) A custodian may refuse to comply with the refusal or withdrawal
of an individual’s consent to the collection, use or disclosure
of his or her personal health information under subsection (1) if
compliance with the individual’s refusal or withdrawal of consent
is likely to endanger the health of the individual or the health of
another person.
22(4) If the custodian refuses to comply with the refusal or withdrawal
of an individual’s consent for the reasons referred to in subsection
(3), the custodian shall inform the individual, as soon as possible,
of the collection, use or disclosure of his or her personal health
information.
Division B
Capacity to consent
Capacity to consent
23(1) An individual is capable of consenting to the collection, use
or disclosure of personal health information if the individual is
able
(a) to understand the information that is relevant to deciding
whether to consent to the collection, use or disclosure, as the case
may be, and
(b) to appreciate the reasonably foreseeable consequences
of giving, not giving, withholding or withdrawing the consent.
23(2) An individual may be capable of consenting to the collection,
use or disclosure of personal health information at one time, but
incapable of consenting at another time.
23(3) An individual is presumed to be capable of consenting to the
collection, use or disclosure of personal health information.
23(4) A custodian may rely on the presumption under subsection (3),
unless the custodian has reasonable grounds to believe that the individual
is incapable of consenting to the collection, use or disclosure of
personal health information.
Determination of incapacity
24 A custodian that determines that an individual is incapable of consenting
to the collection, use or disclosure of personal health information
under this Act shall do so in accordance with the requirements and
restrictions, if any, prescribed by regulation.
Substitute decision-maker and the exercise
of rights by a personal representative
25(1) If an individual is incapable of consenting to the collection,
use or disclosure of personal health information by a custodian, the
following persons may, on the individual’s behalf and in the
place of the individual, act as a substitute decision-maker for that
individual by giving, withholding or withdrawing the consent:
(a) a person who has been authorized, in writing,
by the individual to provide consent;
(b) a committee of the person appointed for the individual
under the Infirm Persons Act, if the giving, withholding or withdrawing the consent relates to
the powers and duties of the committee of the person;
(c) the individual’s attorney for personal care appointed
in accordance with the Infirm Persons
Act or the individual’s attorney appointed under a power
of attorney respecting property, if the giving, withholding or withdrawing
of consent relates to the powers and duties of the attorney;
(d) the individual’s spouse or common-law
partner;
(e) the individual’s adult child;
(f) the individual’s parent or guardian;
(g) the individual’s adult sibling;
(h) the individual’s adult grandchild;
(i) the individual’s adult uncle or aunt;
(j) the individual’s adult nephew or niece;
(k) any other adult next of kin of the individual;
(l) the individual’s health care provider;
and
(m) the Public Trustee.
25(2) A person referred to in subsection (1) may consent only if the
person
(a) is capable of consenting to the collection, use or disclosure
of personal health information by a custodian,
(b) is willing to assume the responsibility of making a
decision on whether or not to consent.
25(3) A person referred to in a paragraph of subsection (1) may assume
the responsibility of making a decision only if no other person described
in an earlier paragraph meets the requirements of subsection (2).
25(4) If an individual is deceased, any right or power conferred on
an individual by this Act may be exercised by the individual’s
personal representative if the exercise of the right or power relates
to the administration of the individual’s estate.
Factors to consider for consent
26 A person who consents under this Act or any other Act of the Legislature
on behalf of and in the place of an individual to the collection,
use or disclosure of personal health information by a custodian, or
who withholds or withdraws a consent, shall take into consideration
(a) any written instruction provided by the individual
in a power of attorney for personal care or other power of attorney,
(b) the wishes, values and beliefs that,
(i) if the individual is capable, the
person knows the individual holds and believes the individual would
want reflected in decisions made concerning the individual’s
personal health information, or
(ii) if the individual is incapable or
deceased, the person knows the individual held when capable or alive
and believes the individual would have wanted reflected in decisions
made concerning the individual’s personal health information,
(c) whether the benefits that the person expects
from the collection, use or disclosure of the information outweigh
the risk of negative consequences occurring as a result of the collection,
use or disclosure,
(d) whether the purpose for which the collection, use or
disclosure is sought can be accomplished without the collection, use
or disclosure, and
(e) whether the collection, use or disclosure is necessary
to satisfy any legal obligation.
PART 4
COLLECTION, USE AND DISCLOSURE OF PERSONAL
HEALTH INFORMATION
Division A
Restrictions on the collection of information
General duties of custodians
27(1) A custodian may collect personal health information relating
to an individual if
(a) the custodian has the individual’s consent under
this Act and the collection, to the best of the custodian’s
knowledge, is necessary for a lawful purpose, or
(b) the collection is permitted or required by this Act.
27(2) Despite paragraph (1)(a), a custodian may collect personal health information relating to
an individual without that individual’s consent if the individual
is incapable of providing consent and
(a) consent can not be obtained because
(i) there is no substitute decision-maker
who can provide consent in a timely manner, or
(ii) the individual has been admitted
to a psychiatric facility as an involuntary patient under the Mental Health Act, or
(b) the collection is necessary for the provision of health
care to the individual.
Source of information
28 A custodian shall collect personal health information directly from
the individual to whom the information relates except if
(a) the individual has authorized another method of collection,
(b) collection of the information directly from
the individual could reasonably be expected to endanger the health
or safety of the individual or another person,
(c) collection of the information is in the interest of
the individual and time or circumstances do not permit collection
directly from the individual,
(d) collection of the information directly from the individual
could reasonably be expected to result in the collection of inaccurate
information,
(e) the custodian collects the information from a person
who is not a custodian for the purpose of carrying out a research
project that has been approved by a research review body under section 43,
(f) another method is authorized or required by a court
order, an Act of the Legislature or the Parliament of Canada or a
treaty, agreement or arrangement made under an Act of the Legislature
or the Parliament of Canada,
(g) the individual is unable to provide the information
and a substitute decision-maker is acting on behalf of and in the
place of the individual,
(h) the information is to be collected for the purpose of
assembling a family or genetic history and the information collected
will be used in the context of providing a health service to the individual,
(i) the information is collected for the purpose
of
(i) determining the individual’s
eligibility to participate in a health care program or to receive
a benefit, product or health care service from a custodian and the
information is collected in the course of processing an application
made by or for the individual who is the subject of the information,
or
(ii) verifying the eligibility of an individual
who is participating in a health care program or receiving a benefit,
product or health care service from a custodian to participate in
the program or to receive the benefit, product or service,
(j) the custodian is a regional health authority, the board
of directors or management personnel of a regional health authority
or any member of any administrative or advisory committee established
in accordance with the by-laws of a regional health authority and
is collecting the information for a purpose authorized by law that
relates to
(i) the investigation of a breach of an
agreement or a contravention or an alleged contravention of the laws
of the Province or of Canada,
(ii) the conduct of a proceeding or a
possible proceeding, or
(iii) a function of the custodian under
this Act,
(k) paragraph (j) also applies to a custodian who is a Minister of the Crown for
the purposes set out in that paragraph when engaged in a function
related to the delivery or administration of health care in the Province,
(l) the custodian collects information for the purpose
of analysis or compiling statistical information respecting the management,
evaluation or monitoring of the allocation of resources to, or planning
for all or part of, the health care system, including the delivery
of services, and the person from whom the information is collected
has in place practices and procedures to protect the privacy of the
individual whose personal health information it receives and to maintain
the confidentiality of the information, or
(m) the custodian is the Minister and is collecting personal
health information from another custodian for the purposes of creating
or maintaining an electronic health record.
Scope of collection
29 Unless a custodian is required to do so by law, the custodian shall
not collect
(a) personal health information if other information will
serve the same purpose as the personal health information, or
(b) more personal health information than is reasonably
necessary to meet the purpose for which the information is collection.
De-identified information
30 A custodian may collect personal health information that has been
de-identified for any purpose.
Notice of collection practices
31(1) A custodian who collects personal health information directly
from the individual to whom the information relates shall, before
it is collected or as soon as practicable afterwards, take reasonable
steps to inform the individual
(a) of the purpose for which the information is being collected,
and
(b) if the custodian is not a health care provider, how
to contact an officer or employee of the custodian who can answer
the individual’s questions about the collection.
31(2) A custodian need not comply with subsection (1) if the custodian
has recently provided the individual with the information referred
to in that subsection about the collection of the same or similar
personal health information for the same or a related purpose.
Division B
Restrictions on the use of information
General duties of custodians
32(1) A custodian shall not use personal health information except
as authorized under this Division.
32(2) Every use by a custodian of personal health information shall
be limited to the minimum amount of information necessary to accomplish
the purpose for which it is used.
32(3) A custodian shall limit the use of personal health information
it maintains to those employees and agents of the custodian who need
to know the information to carry out the purpose for which the information
was collected or received or to carry out any of the permitted uses
authorized under section 34.
De-identified information
33 A custodian may use personal health information that has been de-identified
for any purpose.
Permitted uses
34(1) A custodian may use personal health information in its custody
or under its control for one or more of the following purposes:
(a) for the purpose for which the information was
collected or created and for all the functions reasonably necessary
for carrying out that purpose, unless the individual expressly instructs
otherwise;
(b) another use to which the individual who is the subject
of the information consents;
(c) if the use of the information is authorized by this
Act or by an Act of the Legislature or an Act of the Parliament of
Canada;
(d) to prevent or reduce a risk of significant harm to the
health or safety of the public or a group of people, the disclosure
of which is clearly in the public interest;
(e) if the custodian is a public body, for planning or delivering
programs or services that the custodian provides or that the custodian
funds in whole or in part, allocating resources to any of those programs
or services, evaluating or monitoring any of them or detecting, monitoring
or preventing fraud or any unauthorized receipt of services or benefits
related to any of them;
(f) for the purpose of risk management, error management
or for the purpose of activities to improve or maintain the quality
of care or to improve or maintain the quality of any related programs
or services of the custodian;
(g) for educating agents of the custodian to provide health
care;
(h) for the purpose of disposing of the information or de-identifying
the information;
(i) for the purpose of seeking the individual’s consent,
or the consent of the individual’s substitute decision-maker,
when the personal health information used by the custodian for this
purpose is limited to the name and contact information of the individual
and the name and contact information of the substitute decision-maker,
if applicable;
(j) for the purpose of a proceeding or contemplated proceeding
in which the custodian or the agent or former agent of the custodian
is, or is expected to be, a party or witness, if the information relates
to or is a matter in issue in the proceeding or contemplated proceeding;
(k) if the custodian is a Minister of the Crown,
for the purpose of recovering health care costs;
(l) for the purpose of obtaining payment for or processing,
monitoring, verifying or reimbursing claims for payment for the provision
of health care or related goods and services;
(m) for a research project approved by a research review
body under section 43;
(n) subject to any requirements and restrictions prescribed
by regulation, if permitted or required by law or by a treaty, agreement
or arrangement made under an Act of the Legislature or the Parliament
of Canada;
(o) if the custodian is a regional health authority, the
board of directors or management personnel of a regional health authority
or any member of any administrative or advisory committee established
in accordance with the by-laws of a regional health authority for
the following functions within the geographic area in which the custodian
has jurisdiction:
(i) planning and resource allocation;
(ii) health system management;
(iii) public health surveillance;
and
(iv) health policy development;
(p) paragraph (o) also applies to a custodian who is a Minister of the Crown
for the purposes set out in that paragraph when engaged in a function
related to the delivery or administration of health care in the Province;
and
(q) to produce de-identified information that does not,
either by itself or in combination with other information in the custody
of or under the control of the custodian, permit an individual to
be identified.
Division C
Restrictions on disclosure of information
General duties of custodians
35(1) A custodian shall not disclose personal health information except
as authorized under this Division.
35(2) Every disclosure by a custodian of personal health information
shall be limited to the minimum amount of information necessary to
accomplish the purpose for which it is used.
35(3) A custodian shall limit the disclosure of personal health information
it maintains to those employees and agents of the custodian who need
to know the information to carry out the purpose for which the information
was collected or received or to carry out a purpose authorized under
section 37.
De-identified information
36 A custodian may disclose personal health information that has been
de-identified for any purpose.
Disclosure for health related purposes
37(1) Subject to subsection (2), the custodian may disclose an individual’s
personal health information if
(a) the individual or his or her substitute decision-maker
is the recipient of the disclosure, or
(b) the individual or his or her substitute decision-maker
consents to the disclosure.
37(2) A custodian may disclose an individual’s personal health
information without the consent of the individual
(a) to a person who is providing or has provided health
care to the individual, to the extent necessary to provide health
care to the individual, unless the individual has instructed the custodian
not to make the disclosure,
(i) if it is not possible to obtain the
consent of the individual in a timely manner, or
(ii) if the individual has been admitted
to a psychiatric facility as an involuntary patient under the Mental Health Act, or
(b) for the purpose of contacting a relative, friend or
the substitute decision-maker of an individual who is not capable
of giving consent personally.
37(3) If a custodian discloses personal health information relating
to an individual under paragraph (2)(a) and an express request of the individual prevents the custodian
from disclosing all the personal health information that the custodian
considers reasonably necessary to disclose for the provision of health
care to the individual, the custodian shall notify the person to whom
it makes disclosure of that fact.
37(4) A custodian that is a health care facility may disclose personal
health information relating to an individual who is a patient or resident
of the facility to a person that the facility reasonably believes
is a member of the individual’s immediate family, a relative
or a person with whom the individual has a close personal relationship
if
(a) the facility offers the individual the option, at the
first reasonable opportunity after admission to the facility, to object
to that disclosure and the individual does not do so, and
(b) the disclosure is made in accordance with accepted professional
practice.
37(5) A custodian may disclose personal health
information relating to an individual who is deceased or presumed
to be deceased
(a) for the purpose of identifying the individual,
(b) for the purpose of informing a person whom it
is reasonable to inform in the circumstances of the fact that the
individual is deceased or presumed to be deceased and the circumstances
of the death, if appropriate,
(c) to the personal representative of the deceased for a
purpose related to the administration of the estate,
(d) to a spouse, common-law partner, sibling or descendant
of the individual if the recipient of the information reasonably requires
the information to make decisions about his or her own health care
or the health care of his or her child or if the disclosure is necessary
to provide health care to the recipient, or
(e) for research purposes under section 43 if the information has been de-identified.
37(6) A custodian shall disclose personal health information relating
to an individual without the consent of the individual
(a) if the custodian is a Minister of the Crown or a regional
health authority, for the purpose of recovering health care costs,
(b) to a person conducting an audit or reviewing
an application for accreditation or reviewing an accreditation, if
the audit or review relates to the services provided by the custodian,
(c) to or via an information network designated
in the regulations in which personal health information is recorded
for the purpose of facilitating
(i) the delivery, evaluation or monitoring
of a program that relates to the provision of health care or the payment
for health care,
(ii) review and planning necessary for
the provision of health care or the payment for health care, or
(iii) the creation and maintenance
of an electronic health record established in accordance with the
regulations,
(d) to a custodian designated in the regulations who compiles
or maintains a registry of personal health information for purposes
of facilitating or improving the provision of health care or that
relates to the storage or donation of body parts or bodily substances,
(e) to the chief medical officer of health or other
medical officers if the disclosure is required by another Act of the
Legislature or the Parliament of Canada, and
(f) to a public health authority established under an Act
of the Parliament of Canada, another province or other jurisdiction
if the disclosure is made for a public health purpose.
37(7) If a custodian discloses personal health information under paragraph
(6)(b), the person conducting
the audit or reviewing an application for accreditation or reviewing
an accreditation shall agree in writing
(a) to destroy the information at the earliest possible
opportunity after the audit or review, and
(b) not to disclose the information to any other person,
except as required to accomplish the audit or review or to report
unlawful conduct by the custodian.
Disclosure for health care programs or
other programs
38(1) A custodian may disclose personal health information relating
to an individual without the consent of the individual if the disclosure
is
(a) for the purpose of determining or verifying the eligibility
of the individual to receive health care or related goods, services
or benefits provided under an Act of the Legislature or the Parliament
of Canada and funded in whole or part by the Province or the Government
of Canada,
(b) for the purpose of determining or providing payment
to the custodian for the provision of health care or for processing,
monitoring, verifying or reimbursing claims for payment for the provision
of health care,
(c) to a department or the government of another jurisdiction
or to an agency of that government to the extent necessary to obtain
payment for health care provided to the individual to whom the personal
health information relates,
(d) for the purpose of delivering, evaluating or monitoring
a program of the custodian that relates to the provision of health
care or the payment for health care,
(e) for the purpose of review and planning necessary for
the provision of health care by another custodian,
(f) to an information manager in accordance with this Act,
(g) to a person who requires the personal health
information to carry out an audit for, or to provide legal services,
error management services or risk management services to, the custodian,
(h) to the Canadian Institute for Health Information
or other entity prescribed by regulation for the purpose of compiling
and analyzing statistical information to assist in the management,
evaluation and monitoring of the allocation of resources, health system
planning and delivery of health care services in accordance with the
terms of an agreement between the Canadian Institute for Health Information
or other entity and the Province,
(i) to a potential successor of the custodian for the purpose
of allowing the potential successor to assess or evaluate the operations
of the custodian, on condition that the potential successor first
enters into an agreement with the custodian to keep the information
confidential and secure and not to retain the information any longer
than is necessary for the purpose of the assessment or evaluation,
and
(j) to the successor of the custodian if the custodian transfers
records to the successor as a result of the custodian ceasing to be
a custodian or ceasing to provide health care within the geographic
area in which the successor provides health care and the successor
is a custodian.
38(2) For the purpose of paragraph (1)(j), a custodian who transfers a record of personal health
information to its successor shall make reasonable efforts to give
notice to the individual to whom the information relates before the
transfer or, if this is not possible, as soon as possible after the
transfer, that it has ceased to be a custodian of the information
and identifies its successor.
Disclosure re health and safety
39(1) A custodian may disclose personal health information without
the consent of the individual to whom the information relates if the
custodian reasonably believes that disclosure is required
(a) to prevent or reduce a risk of serious harm to the mental
or physical health or safety of the individual to whom the information
relates or another individual, or
(b) to prevent or reduce a risk of significant harm to the
health or safety of the public or a group of people, the disclosure
of which is clearly in the public interest.
39(2) A custodian may disclose personal health information without
the consent of the individual to whom the information relates to the
superintendent of a correctional facility in which the individual
is lawfully detained or to the administrator of a psychiatric facility
in which the individual is lawfully detained under section 18 of the Mental Health Act to assist the
facility in making a decision respecting
(a) arrangements for the provision of health care to the
individual, or
(b) the placement of the individual into custody or the
detention, release, conditional release, discharge or conditional
discharge of the individual under an Act of the Legislature, of another
province or territory or of the Parliament of Canada.
Disclosure re proceedings
40(1) A custodian shall disclose personal health information without
the consent of the individual to whom the information relates
(a) to a body with statutory responsibility for
the discipline of health care providers or to regulate the quality
or standards of professional services provided by health care providers,
including for the purpose of an investigation by that body, or
(b) for the purpose of complying with a summons,
subpoena, warrant, order or similar requirement issued by a court,
person or entity with jurisdiction to compel the production of personal
health information or for the purpose of complying with the Rules
of Court concerning the production of personal health information
in a proceeding.
40(2) A custodian may disclose personal health information without
the consent of the individual to whom the information relates
(a) for the purpose of a proceeding or contemplated
proceeding in which the custodian is or is expected to be a party
or a witness if the information relates to or is a matter in issue
in the proceeding or contemplated proceeding,
(b) to a committee referred to in the Evidence Act for the purpose of
peer review or quality assurance activities,
(c) to a proposed litigation guardian, committee or legal
representative of the individual for the purpose of having the person
appointed as a litigation guardian, committee or legal representative,
(d) to a litigation guardian, committee or a legal
representative who is authorized under the Rules of Court to commence,
defend or continue a proceeding on behalf of the individual or to
represent the individual in a proceeding, or
(e) for the purpose of laying an information or making an
application for an order if the personal health information relates
to or is a matter in issue in the information or application.
Disclosure for enforcement purposes
41(1) A custodian shall disclose personal health information, including
information relating to a person providing health care, without the
consent of the individual to whom the information relates to a person
carrying out an inspection, investigation or similar procedure that
is authorized by or under this Act, another Act of the Legislature
or the Parliament of Canada for the purpose of facilitating the inspection,
investigation or similar procedure.
41(2) A custodian may disclose personal health information, including
information relating to a person providing health care, without the
consent of the individual to whom the information relates to another
custodian if the custodian disclosing the information has a reasonable
expectation that disclosure will detect or prevent fraud, limit abuse
in the use of health care or prevent the commission of an offence
under an Act of the Legislature or the Parliament of Canada.
Disclosure required by law
42 A custodian shall disclose personal health information without the
consent of the individual who is the subject of the information if
the disclosure is required by another Act of the Legislature or the
Parliament of Canada or by a treaty, agreement or arrangement made
under another Act of the Legislature or the Parliament of Canada.
Disclosure for research purposes
43(1) A custodian may disclose personal health information to a person
conducting a research project only if the project has been approved
under this section.
43(2) An approval may be given by a research review body that meets
the requirements prescribed by regulation.
43(3) An approval may be given under this section only if the research
review body has determined that
(a) the research is of sufficient importance to outweigh
the intrusion into privacy that would result from the disclosure of
the personal health information,
(b) the research purpose cannot reasonably be accomplished
unless the personal health information is provided in a form that
identifies or may identify individuals,
(c) it is unreasonable or impractical for the person proposing
the research to obtain consent from the individuals to whom the information
relates, and
(d) the research project contains
(i) reasonable safeguards to protect the
privacy and security of the personal health information, and
(ii) procedures to destroy the
information or de-identify the information at the earliest opportunity,
consistent with the purposes of the project.
43(4) An approval under this section is conditional on the person proposing
the research project entering into an agreement with the custodian,
in accordance with the regulations,
(a) not to publish the personal health information requested
in a form that could reasonably be expected to identify the individuals
to whom the information relates,
(b) to use the personal health information requested solely
for the purposes of the approved research project, and
(c) to ensure that the research project complies with the
safeguards and procedures described in paragraph (3)(d).
43(5) If a research project will require direct contact with individuals,
a custodian shall not disclose personal health information relating
to those individuals under this section without first obtaining their
consent, but the custodian need not obtain their consent if the information
consists only of the individuals’ names and addresses.
Disclosure of registration information
44(1) The Minister may disclose registration information without the
consent of an individual to whom the information relates
(a) to a public body for the purpose of verifying the accuracy
of registration information held by the public body, or
(b) with the approval of the Lieutenant-Governor in Council,
to a public body on the terms or conditions that the Lieutenant-Governor
in Council may determine.
44(2) With the approval of the Lieutenant-Governor in Council, the
Minister may enter into agreements for the sharing of registration
information without the consent of the individual to whom the information
relates with
(a) the Government of Canada or the government of a province
or territory of Canada, or
(b) a person or body designated in the regulations.
44(3) An agreement made under subsection (2) shall specify that the
party to whom the registration information is disclosed shall use
the information only for the purposes specified in the agreement.
Monitoring health care payments
45(1) A custodian shall, at the request of the Minister, disclose to
the Minister personal health information without the consent of the
individual to whom the information relates for the purpose of monitoring
or verifying claims for payment for health care funded wholly or in
part by the Province.
45(2) The Minister may disclose information collected under subsection
(1) to another person for a purpose set out in that subsection if
the disclosure is reasonably necessary for that purpose.
Maintaining disclosure information
46(1) A custodian that discloses personal health information without
consent for health related purposes, unless otherwise provided in
subsection (2), shall make a note of the following:
(a) the name of the person to whom the custodian discloses
the information;
(b) the date and purpose of the disclosure; and
(c) a description of the information disclosed.
46(2) Subsection (1) does not apply if the custodian discloses personal
health information by permitting access to the information stored
in the information system of the custodian, provided that when the
information is accessed the data base automatically keeps an electronic
log of the following information:
(a) the user identification of the person who accesses the
information;
(b) the date and time the information is accessed; and
(c) a description of the information that is accessed
or that could have been accessed.
Disclosure outside the Province
47 A custodian may disclose personal health information relating to
an individual that is collected in the Province to a person outside
the Province but only in circumstances described in section 37, 38 or 44.
Medicare number
48(1) No person, other than a custodian or a person authorized by the
regulations, may require the production of an individual’s Medicare
number or collect or use an individual’s Medicare number, and
an individual may refuse to provide his or her Medicare number to
any person not so authorized.
48(2) If a custodian or a person authorized by the regulations requests
a Medicare number from an individual, a custodian or authorized person
shall advise the individual of its authority to do so.
Division D
Information practices, policy, procedures
and security
Information practices
49(1) A custodian shall
(a) establish and implement information practices to facilitate
the implementation of, and to ensure compliance with, this Act,
(b) designate a person
(i) to assist in ensuring compliance with
this Act,
(ii) to respond to inquiries about the
custodian’s information practices, and
(iii) to receive complaints from the public
about any alleged contravention of this Act or its regulation by the
custodian,
(c) notify the individual to whom the information relates
and the Commissioner in the manner prescribed by the regulations at
the first reasonable opportunity if personal health information is
(i) stolen,
(ii) lost,
(iii) disposed of, except as permitted
by this Act, or
(iv) disclosed to or accessed by an unauthorized
person, and
(d) promote openness, transparency of policies and procedures
to the public.
49(2) Paragraph (1)(c) does
not apply if the custodian reasonably believes that the theft, loss,
disposition, disclosure or access of personal health information will
not
(a) have an adverse impact on the provision of health care
or other benefits to the individual to whom the information relates,
(b) have an adverse impact on the mental, physical,
economic or social well-being of the individual to whom the information
relates, or
(c) lead to the identification of the individual to whom
the information relates.
Security safeguards
50(1) In accordance with any requirements prescribed by the regulations,
a custodian shall protect personal health information by adopting
information practices that include reasonable administrative, technical
and physical safeguards that ensure the confidentiality, security,
accuracy and integrity of the information.
50(2) The information practices referred to in subsection (1) shall
be based on nationally or jurisdictionally recognized information
technology security standards and processes, appropriate for the level
of sensitivity of the personal health information to be protected.
50(3) Without limiting subsection (1), a custodian shall
(a) implement controls that limit the persons who may use
personal health information maintained by the custodian to those specifically
authorized by the custodian to do so,
(b) implement controls to ensure that personal health information
maintained by the custodian cannot be used unless
(i) the identity of the person seeking
to use the information is verified as a person the custodian has authorized
to use it, and
(ii) the proposed use is verified as being
authorized under this Act,
(c) if the custodian uses electronic means to request disclosure
of personal health information or to respond to requests for disclosure,
implement procedures to prevent the interception of the information
by unauthorized persons,
(d) when responding to requests for disclosure of personal
health information, ensure that the request contains sufficient detail
to uniquely identify the individual to whom the information relates,
and
(e) ensure agents of the custodian adhere to the safeguards.
50(4) A custodian who maintains personal health information in electronic
form shall implement any additional safeguards for the security and
protection of the information required by the regulations.
Power to transform personal health information
51 A custodian may strip, encode or otherwise transform personal health
information in order to create or produce de-identified information.
Agents and information managers
52(1) A custodian that retains the services of an agent for the collection,
use, disclosure or retention of person health information shall enter
into a written agreement with the agent requiring the agent to comply
with the custodian’s legal obligations regarding handling of
personal health information.
52(2) A custodian may provide personal health information to an information
manager for the purpose of processing, storing or destroying the personal
health information or providing the custodian with information management
or information technology services.
52(3) A custodian that wishes to provide personal health information
to an information manager shall enter into a written agreement with
the information manager, in accordance with the regulations, that
provides for the protection of the personal health information against
risks such as unauthorized access to or use or disclosure, secure
destruction or alteration of the information.
52(4) An information manager who enters into a written agreement under
subsection (3) shall comply with
(a) the duties imposed on the information manager under
the agreement, and
(b) the same requirements concerning the protection, retention
and secure destruction of personal health information that the custodian
is required to comply with under this Act.
Accuracy of information
53 Before using or disclosing personal health information, a custodian
shall take reasonable steps
(a) to ensure that the information is accurate, up-to-date
and complete, and
(b) to ensure that the disclosure is made to the person
intended and authorized to receive the information.
Ceasing operation as a custodian
54(1) Subject to this section, a custodian does not cease to be a custodian
with respect to a record of personal health information until complete
custody and control of the record passes to another person who is
legally authorized to hold the record.
54(2) If the custodian ceases to operate as a custodian, the custodian
or the custodian’s successor shall
(a) notify the subject of the information about the personal
health information held by the custodian or the custodian’s
successor,
(b) indicate where the person may make a written request
for access to the personal health information, and
(c) the period the personal health information will be retained.
54(3) If a custodian who is an individual dies, the duties and powers
of a custodian under this Act shall be performed by the personal representative
of the deceased as defined in the Devolution of Estates Act until custody and control of the
record of personal health information passes to another person who
is legally authorized to hold the record.
Requirements for retention, storage and
secure destruction of information
55(1) A custodian shall establish and comply with a written policy
for the retention, archival storage, access and secure destruction
of personal health information that
(a) meets any requirements prescribed by regulation or any
requirements contained in any Act of the Legislature,
(b) protects the privacy of the individual to whom the information
relates, and
(c) requires that a custodian who destroys personal health
information to keep a record of the individual whose personal health
information is destroyed, a summary of the contents of the record,
the time period to which the information relates, the method of destruction
and the name of the person responsible for supervising the secure
destruction.
55(2) Unless otherwise provided in the regulations, a public body shall
ensure that personal health information in its custody or under its
control is stored only in Canada and accessed only in Canada, unless
one of the following applies:
(a) if the individual to whom the information relates has
identified the information and has consented, in the manner prescribed
by regulation, to it being stored in or accessed from another jurisdiction;
(b) if the information is stored in or accessed
from another jurisdiction for the purpose of disclosure allowed under
this Act;
(c) if the information was disclosed for the purposes of
(i) a payment to be made to or
by the Province or a public body,
(ii) authorizing, administering, processing,
verifying or cancelling a payment to be made to or by the Province
or a public body, or
(iii) resolving an issue regarding a payment
to be made to or by the Province of or a public body.
55(3) This section does not override or modify any requirement in an
Act of the Legislature or the Parliament of Canada concerning the
retention or secure destruction of records maintained by a public
body.
Privacy impact assessment
56(1) A custodian that is a public body or any other custodian prescribed
by regulation shall conduct a privacy impact assessment in the following
situations:
(a) for the new collection, use or disclosure of personal
health information or any change to the collection, use or disclosure
of personal health information;
(b) for the creation of a personal health information system
or personal health information communication technology or a modification
to a personal health information system or personal health information
communication technology;
(c) subject to section 57, if a custodian performs data matching with personal health information
or with any personal health information held by another custodian
or another person.
56(2) A privacy impact statement shall describe, in the form and manner
required by the Minister, how the proposed administrative practices
and information systems relating to the collection, use and disclosure
of individually identifying health information may affect the privacy
of the individual to whom the information relates.
Data matching
57(1) A custodian shall not, in contravention of this Act,
(a) collect personal health information to be used in data
matching, or
(b) use or disclose personal health information to be used
in data matching or created through data matching.
57(2) A custodian may perform data matching using personal health information
in its custody or control, provided there is authority for the collection,
use or disclosure of the personal health information being used for
data matching or created as a result of data matching.
57(3) With the consent of the Minister, a custodian is not required
to conduct a privacy impact assessment if data matching is being done
for an authorized purpose and will not result in a use of personal
health information that will affect the privacy of the individual
to whom the information relates.
PART 5
COMMISSIONER
Oath of Commissioner
58(1) Before entering on the performance of his or her duties or the
exercise of his or her powers or responsibilities under this Act,
the Commissioner shall take an oath to faithfully and impartially
perform the duties or exercise the powers or responsibilities and
not to divulge any information received under this Act except for
the purpose of giving effect to this Act.
58(2) The Speaker or the Clerk of the Legislative Assembly shall administer
the oath referred to in subsection (1).
Staff
59(1) The Commissioner may appoint the assistants and employees as
the Commissioner considers necessary for the efficient carrying out
of the Commissioner’s duties and powers under this Act.
59(2) Before performing any duties or exercising powers under this
Act, a person appointed under subsection (1) shall take an oath, administered
by the Commissioner, that the person will not divulge any information
that is received under this Act, except for the purpose of giving
effect to, and in compliance with, this Act.
59(3) The Public Service Superannuation
Act applies to all persons appointed by the Commissioner under
subsection (1).
59(4) All persons appointed under subsection (1) may participate in
and receive benefits under any health, life, disability or other insurance
plan available to employees within the public service, in accordance
with the terms upon which the right to participate and receive benefits
may from time to time be extended to the persons employed in the Office
of the Commissioner.
Delegation of duties or powers
60(1) The Commissioner may delegate, in writing, to any person any
duty or power of the Commissioner under this Act, except the power
of delegation and the power to make a report under this Act.
60(2) Despite subsection (1), if the Commissioner is in a conflict
of interest with respect to a matter referred to the Commissioner,
the Commissioner may delegate in writing to any person any duty or
power with respect to that matter, including the duty to make a report.
60(3) A person purporting to perform a duty or exercise a power of
the Commissioner by virtue of a delegation under subsection (1) or
(2) shall produce evidence of his or her authority to perform that
duty or exercise that power when required to do so.
60(4) The Lieutenant-Governor in Council may prescribe by regulation
circumstances that give rise to a conflict of interest for the purposes
of subsection (2).
Powers under the Inquiries Act
61 If the Commissioner conducts an investigation under this Act, the
Commissioner has all the powers, privileges and immunities conferred
on a commissioner under the Inquiries
Act.
Right of entry
62 Despite any other Act of the Legislature or any privilege of the
law of evidence, in performing duties or exercising powers under
this Act, the Commissioner has the right
(a) to enter any office of a custodian and examine and make
copies of any record in the custody of the custodian, and
(b) to converse in private with any officer or employee
of the custodian.
Duties and powers of the Commissioner
63 In addition to the Commissioner’s duties and powers under Part
6 respecting complaints, the Commissioner may
(a) monitor how this Act is administered,
(b) conduct investigations to monitor compliance with this
Act,
(c) review privacy impact assessments that have been conducted
by a custodian that is a public body,
(d) inform the public about this Act,
(e) promote best practices and provide advice to custodians,
(f) make recommendations with regard to this Act,
and
(g) review any matter referred to the Commissioner by the
Executive Council.
Commissioner’s report
64 The Commissioner shall report annually to the Legislative Assembly
on the performance or his or her duties or the exercise of his or
her powers under this Act.
Protection from legal action
65(1) No proceedings lie against the Commissioner or any person appointed
by the Commissioner under this Act for anything he or she may do,
report or say in the course of the performance of a duty or the intended
performance of a duty under this Act or the exercise of a power or
intended exercise of a power under this Act, unless it is shown that
he or she acted in bad faith.
65(2) The Commissioner or any person holding any office or appointment
under the Commissioner shall not be called to give evidence in any
court or in any proceedings of a judicial nature in respect of anything
coming to his or her knowledge in the performance of a duty or the
exercise of a power under this Act whether or not that duty or power
was within his or her jurisdiction.
PART 6
REVIEW
Referral to Court of Queen’s Bench
66(1) An individual who made a request under section 7 or section 15 may, in relation to a decision, an act or an omission of
a custodian in respect of the request refer, according to the regulations,
a matter to a judge of The Court of Queen’s Bench of New Brunswick
for review.
66(2) If an individual refers the matter to a judge of The Court of
Queen’s Bench of New Brunswick under subsection (1), the individual
may not file a complaint with the Commissioner under section 68 and the Commissioner may not act in
the matter.
66(3) A matter referred to a judge of The
Court of Queen’s Bench of New Brunswick under subsection (1)
shall be filed within 30 days after the date the decision of the custodian
was made.
Decision of the Court
of Queen’s Bench
67(1) If a matter is referred to a judge of The Court of Queen’s
Bench of New Brunswick under subsection 66(1), the judge shall hold a hearing and,
(a) if the custodian denied a request to examine or copy
personal health information in whole or in part, may order the custodian
to grant the request in whole or in part,
(b) if the custodian failed to reply to a request to examine
or copy personal health information, may order the custodian to reply
to the request or deny the request,
(c) if the custodian denied a request for the correction
of personal health information, in whole or in part, may order the
custodian to grant the request in whole or in part, or
(d) may make any other order that is, in the opinion of
the judge, necessary.
67(2) A copy of the decision of the judge of The Court of Queen’s
Bench of New Brunswick shall be sent to the individual who referred
the matter for review and to the custodian.
67(3) No appeal lies from the decision of the judge of The Court of
Queen’s Bench of New Brunswick under subsection (1).
Complaint filed with the Commissioner
68(1) An individual who made a request under section 7 or section 15 may make a complaint to the Commissioner if the individual
(a) is not satisfied with a decision, an act or
an omission of the custodian in relation to the request, or
(b) is not satisfied with a decision of a custodian
under subsection 10(2).
68(2) Without limiting paragraph (1)(a), an individual may make a complaint to the Commissioner
alleging that a custodian
(a) has collected, used or disclosed his or her personal
health information contrary to this Act, or
(b) has failed to protect his or her personal health information
in a secure manner as required by this Act.
68(3) Subject to section 75, if an
individual has filed a complaint with the Commissioner under subsection
(1), the individual may not refer the matter under subsection 66(1) to a judge of The Court of Queen’s
Bench of New Brunswick for review.
68(4) Subject to subsection (6), a complaint to the Commissioner under
subsection (1) shall be in writing and filed within 60 days after
the date the individual was notified of the decision of the custodian
or the date of the act or the omission of the custodian, as the case
may be.
68(5) The Commissioner may extend the period
of time referred to in subsection (4).
68(6) If the custodian fails to respond in time to a request to examine
or copy a record, the failure is to be treated as a decision to refuse
the request, in which case a complaint shall be filed with the Commissioner
within 120 days following the request for information.
68(7) As soon as practicable after receiving a complaint, the Commissioner
shall notify the custodian of the complaint and provide the custodian
with a copy of the complaint.
Investigation
69(1) On receiving a complaint the Commissioner shall, in accordance
with this Act and the power, authority, privileges, rights and duties
vested in the Commissioner under the Right to Information and Protection of Privacy Act, investigate
the matter referred to the Commissioner or shall take steps to resolve
the complaint informally under subsection (2).
69(2) The Commissioner may take any steps the Commissioner considers
appropriate to resolve a complaint informally to the satisfaction
of the parties and in a manner consistent with the purposes of this
Act.
69(3) If the Commissioner cannot resolve
a complaint within 45 days of the commencement of the informal resolution
process referred to in subsection (2), the Commissioner shall review
the decision of the custodian and shall prepare the report referred
to in section 73.
Refusal to investigate
70(1) The Commissioner may, in his or her discretion, refuse to or
cease to investigate a matter in any of the following circumstances:
(a) the complaint is trivial, frivolous, vexatious
or not made in good faith;
(b) having regard to all the circumstances of the case,
further investigation is unnecessary;
(c) the time period within which the complaint could be
made is expired; or
(d) the person who made the complaint does not have a sufficient
personal interest in the matter.
70(2) If the Commissioner refuses to investigate a complaint, the Commissioner
shall, in writing, inform the individual who made the complaint and
the custodian of his or her decision not to investigate the decision
of the custodian or to cease an investigation in relation to a matter
and the reasons for the Commissioner’s decision.
Production of records
71(1) With the exception of Executive Council confidences and any document
that contains information that is subject to solicitor-client privilege,
the Commissioner may require any record in the custody or under the
control of a custodian that the Commissioner considers relevant to
an investigation to be produced to the Commissioner and may examine
any information in a record, including personal health information.
71(2) The Commissioner may review the records referred to in subsection
(1) in private without the presence of any person.
71(3) Despite any other Act of the Legislature or any privilege of
the law of evidence, a custodian shall produce to the Commissioner
within 14 days after a request by the Commissioner a record or a copy
of a record required under this section.
71(4) If a custodian is required to produce a record under this section
and it is not practicable to make a copy of it, the custodian may
require the Commissioner to examine the original at its site.
Time limit for investigation
72 An investigation shall be completed and a report made under section 73 within 90 days after a complaint is
filed, unless the Commissioner
(a) notifies the individual who filed the complaint, the
custodian and any other person who has made representations to the
Commissioner that the Commissioner is extending that period, and
(b) gives an anticipated date for providing the
report.
Report
73(1) On completing an investigation of a complaint, the Commissioner
shall prepare a report containing the Commissioner’s findings
about the complaint and
(a) recommend to the custodian to grant in whole or in part
the request for personal health information, or
(b) recommend to the custodian to reply to the request or
deny the request.
73(2) The Commissioner shall give a copy of the report to the person
who filed the complaint and to the custodian concerned.
Complying with the recommendation
74(1) The custodian, on reviewing the recommendation of the Commissioner,
shall make his or her decision and shall notify, in writing, the individual
who made the complaint and shall forward to the Commissioner a copy
of the decision.
74(2) If the custodian accepts the recommendations in the Commissioner’s
report, the custodian shall, within 15 days after receiving the report,
comply with the recommendations of the Commissioner or make any other
decision that the custodian considers appropriate.
74(3) If the custodian fails to notify the individual under subsection
(1) within 15 days after making his or her decision, the failure shall
to be treated as a decision not to accept the recommendation of the
Commissioner.
Right to appeal
75(1) If the custodian decides not to accept the recommendations of
the Commissioner, the individual who made the complaint may appeal
the matter, in accordance with the regulations, to a judge of The
Court of Queen’s Bench of New Brunswick.
75(2) The custodian shall notify the individual who made the complaint
of the custodian’s decision not to accept the recommendations
of the Commissioner, the individual’s right to appeal the decision
and the time limit for the appeal.
75(3) Section 66 applies with the
necessary modifications in relation to an appeal under subsection
(1).
PART 7
GENERAL PROVISIONS
Offences
76(1) No person shall
(a) collect, use or disclose personal health information
in wilful contravention of this Act,
(b) attempt to gain or gain access to personal health information
in wilful contravention of this Act,
(c) knowingly make a false or misleading statement to the
Commissioner or another person in the performance of the duties or
the exercise of the powers of the Commissioner or the other person
under this Act or knowingly mislead or attempt to mislead the Commissioner
or the other person,
(d) obstruct the Commissioner or another person in performing
duties or exercising powers under this Act,
(e) destroy a record or erase information in a record that
is subject to this Act, or direct another person to do so, with the
intent to evade a request to examine or copy the record,
(f) alter, falsify, conceal or destroy any record or part
of any record, or direct another person to do so, with an intent to
evade a request to examine or copy the record, or
(g) wilfully fail to comply with an investigation of the
Commissioner.
76(2) A person who is an employee of a custodian or information manager
who, without the authorization of the custodian or information manager,
discloses personal health information in wilful contravention of this
Act in circumstances where the custodian or information manager would
not be permitted to disclose the information under this Act, commits
an offence.
76(3) A custodian or information manager commits an offence if the
custodian or information manager
(a) collects, uses, sells or discloses personal health information
contrary to this Act,
(b) fails to protect personal health information in a secure
manner as required by this Act,
(c) discloses personal health information contrary to this
Act with the intent of obtaining a monetary or other material benefit
or to confer a benefit on a custodian or other person, or
(d) takes any adverse employment action against an employee
because the employee has complied with a request or requirement to
produce a record or provide information or evidence to the Commissioner,
or a person acting for or under the direction of the Commissioner,
under this Act.
76(4) No custodian or information manager shall be found to have contravened
paragraph (3)(a) or (b) if the custodian or information
manager can establish that he or she took all reasonable steps to
prevent the contravention.
76(5) A person who violates or fails to comply with subsection (1),
(2), (3) or (4) commits an offence punishable under Part II of the Provincial Offences Procedure Act as a category F offence.
76(6) No prosecution for an offence under this Act shall be commenced
after 2 years from the date of the discovery of the alleged offence.
Defence
77 No person commits an offence or is subject to disciplinary action
of any kind under any other Act of the Legislature by reason of complying
with a request or requirement to produce a record or provide information
or evidence to the Commissioner, or a person acting for or under the
direction of the Commissioner, under this Act.
Immunity
78 No action lies and no proceeding may be brought against the Province
of New Brunswick, a custodian or any person acting for or under the
direction of the custodian for damages resulting from
(a) the disclosure of or failure to disclose, in good faith,
all or part of a record or information under this Act or any consequences
of that disclosure or failure to disclose, or
(b) the failure to give a notice required by this Act if
reasonable care is taken to give the required notice.
Regulations
79(1) The Lieutenant-Governor in Council may make regulations
(a) designating custodians for the purposes of the
definition “custodian” in section 1;
(b) prescribing health care services for the purposes of
the definition “health care” in section 1;
(c) designating a facility in which health care is provided
for the purposes of the definition “health care facility”
in section 1;
(d) designating a class of persons as a health care provider
for the purposes of the definition “health care provider”
in section 1;
(e) prescribing personal health information for the purposes
of paragraph 3(1)(b);
(f) prescribing the personal health information to which
this Act does apply and the individuals or organizations referred
to in paragraph 3(2)(c) that collect, maintain or use
personal health information for purposes other than health care or
treatment and the planning and management of the health care system;
(g) specifying for the purposes of subsection 4(1) the Acts of the Legislature or provisions
of the Acts of the Legislature over which this Act does not prevail;
(h) specifying for the purposes of subsection 4(2) the records or information to which
this Act applies;
(i) prescribing an Act of the Legislature or any provision
of an Act of the Legislature for the purposes of paragraph 4(2)(b);
(j) prescribing the search, preparation, copying and delivery
fees referred to in section 13,
the amount that the fees cannot exceed and the waiver of the fees;
(k) prescribing for the purposes of paragraph 14(1)(i) a reason for which a custodian is not required to permit
an individual to examine or copy his or her personal health information;
(l) prescribing the contents of the permission referred
to in paragraph 19(2)(c);
(m) prescribing additional requirements of what constitutes
express consent for the purposes of subsection 22(2);
(n) respecting the reasons for which and the method by which
an individual may refuse to grant consent or withdraw his or her consent
to the collection, use or disclosure of his or her personal health
information;
(o) prescribing for the purposes of paragraph 34(1)(n) requirements and restrictions for the use of personal health
information if the use is permitted or required by law or by a treaty,
agreement or arrangement made under an Act of the Legislature or the
Parliament of Canada;
(p) designating for the purposes of paragraph 37(6)(c) an information network in which personal health information
is recorded;
(q) respecting the establishment of an electronic health
record;
(r) designating a custodian for the purposes of paragraph 37(6)(d);
(s) prescribing an entity for the purposes of paragraph 38(1)(h);
(t) prescribing for the purposes of section 43 the requirements of an approval by
a research review body and the agreement the custodian and the person
proposing the research project must enter into;
(u) designating for the purposes of paragraph 44(2)(b) a person or body with whom the Minister may enter into
agreements for the sharing of registration information without the
consent of the individual;
(v) authorizing for the purposes of subsection 48(1) persons that may require the production
of an individual’s Medicare number or collect or use an individual’s
Medicare number;
(w) prescribing the manner of notification under paragraph 49(1)(c);
(x) prescribing the requirements of the information practices
referred to in subsection 50(1);
(y) prescribing for the purposes of subsection 50(4) additional safeguards for personal
health information maintained in electronic form;
(z) respecting written agreement for the purposes of subsection 52(3);
(aa) prescribing requirements to be contained in the written
policy for the retention, archival storage, access and secure destruction
of personal health information for the purposes of paragraph 55(1)(a);
(bb) prescribing the manner of consent for the purposes of
paragraph 55(2)(a);
(cc) respecting the personal health information in the custody
or under the control of a custodian that may be stored outside Canada
and accessed outside Canada;
(dd) prescribing the circumstances that give rise to a conflict
of interest under subsection 60(4);
(ee) respecting the referral of a matter under
this Act to a judge of The Court of Queen’s Bench of New Brunswick
for review;
(ff) respecting an appeal of a matter under this Act to a
judge of The Court of Queen’s Bench of New Brunswick.
(gg) adopting by reference, in whole or in part
and with such changes as are considered necessary, any code, standard,
guideline or similar document and may require compliance with the
code, standard or guideline,
(hh) defining any word or expression used in this Act but
not defined in this Act;
(ii) prescribing the manner in which a notice or a record
shall be given to a person under this Act;
(jj) respecting all other matters necessary to carry out
the provisions of this Act.
79(2) A regulation under subsection (1) may be made to apply to particular
classes of custodians or persons or to particular classes of personal
health information.
PART 7
REVIEW AND COMMENCEMENT
Review of this Act
80 Within 4 years after this Act comes into force, the Minister shall
undertake a comprehensive review of the operation of the Act and shall,
within one year after the review is undertaken or within such further
time as the Legislative Assembly may allow, submit a report on the
review to the Assembly.
Commencement
81 This
Act or any provision of it comes into force on a day or days to be
fixed by proclamation.