Québec’s new comprehensive health privacy legislation enters into force

On July 1, 2024, most of the provisions in Québec’s new comprehensive health privacy legislation, An act respecting health and social services information and amending various legislative provisions (the Act), came into force. The Act brings Québec in line with other provinces by establishing a regime to protect personal health information, though it also creates many Québec-specific requirements that are more stringent than those in other provinces. In particular, the Act contains more explicit requirements for the use of technology compared to other jurisdictions, which is consistent with Québec lawmakers’ modernized approach to reforming the province’s private sector privacy legislation.

What you need to know

• The Act creates obligations for health and social services bodies (which includes both public and private organizations) to protect health and social services information (HSS information). These obligations include conducting privacy impact assessments, deactivating certain information-collecting technologies by default, maintaining a governance policy, publishing a register of technology used by the body, and reporting confidentiality incidents.
• The Act introduces strict requirements for what must be included in an agreement between a health and social services body and a service provider to whom it communicates HSS information, including audit rights, personnel confidentiality agreements and restrictions on the use of technological products and services.
• Offences under the Act can result in fines up to $100,000 for natural persons and $150,000 in other cases. These fines double and triple for second and subsequent offences.

Health privacy reforms under the new legislation

Scope and application

The majority of the requirements in the Act apply to certain designated “health and social services bodies”, which broadly include public health institutions, including clinics and hospitals, as well as other organizations that provide health and social services like private clinics, pharmacies, private seniors’ residences, palliative care hospices, laboratories, foster homes and families, intermediate resources (such as assisted living environments), funeral services providers and ambulances.

Service providers that enter into agreements with any such bodies to provide health or social services are also considered to be health and social services bodies.

These bodies have obligations to protect HSS information, which is defined as any information that allows a person to be identified, directly or indirectly, and that falls into any of the following categories:

• it concerns the person’s state of physical or mental health and their health determinants, such as their medical or family history;
• it concerns any biological material collected for an assessment or treatment, or any implants, prostheses or other disability aids;
• it concerns the health services or social services provided to the person, including the nature of those services, their results, the location where they were provided and who provided them;
• it was obtained in the exercise of a function under Québec’s Public Health Act; or
• it appears in a file alongside any such information, or it is collected for admission at a health and social services body.

The inclusion of certain social services bodies and information concerning the provision of such social services creates a wider scope than equivalent legislation in other provinces, which include protections for personal health information only.

Legal obligations for health and social services bodies

The Act reflects many of the principles and legal obligations now in force in Québec’s private sector privacy legislation. Significant obligations are summarized below.

• Consent: Whenever a body collects HSS information from an individual, it must inform them in clear and simple language of (i) the purposes and means of collection, (ii) their privacy rights, and (iii) how long the information will be kept. Once collected, information can be used within the body for purposes consistent with the reason for which it was initially collected without obtaining further consent.
• Privacy impact assessments: Bodies must conduct privacy impact assessments for (i) projects involving new technological products or services that involve the handling of HSS information, and (ii) any mandates or contracts involving the communication of HSS information outside Québec.
• Deactivation by default: Bodies that collect HSS information using technology that allows an individual to be identified, located, or profiled must inform the person of the use of such technology. As with Québec’s private-sector privacy requirements, all such technologies must be deactivated by default.
• Governance: Bodies must create and adhere to an internal governance policy governing the management of HSS information and must appoint a person in charge of protecting the information. The policy must include several prescribed items that go beyond statutory requirements in other jurisdictions, including roles and responsibilities of personnel, logging mechanisms and security measures in place, procedures for processing confidentiality incidents and complaints, and descriptions of training and awareness activities for personnel.
• Recordkeeping and publishing: Bodies must monitor and log any access, use or communication of HSS information by any of their personnel. They must also keep a register of every technological product or service it uses to collect, keep, use or communicate HSS information, which must be published on its website or otherwise made available to the public.
• Automated decision-making: Bodies that make use of automated decision-making (ADM) with no human oversight involving HSS information must inform the concerned individual about the use of ADM, and must provide further information about the decision upon request.
• Individual privacy rights: As with most privacy legislation in Canada, the Act gives individuals the right to access and correct their information, and requires bodies to keep HSS information accurate and up-to-date. It also allows individuals to restrict access to HSS information about themselves from particular service providers, researchers, spouses and relatives.
• Safeguards and confidentiality incidents: Bodies are responsible for the HSS information they hold and must employ reasonable security measures to protect it. They are required to report confidentiality incidents to the Commission de l’accès à l’information (CAI) and notify affected individuals if the incident presents a risk of serious injury. They are also required to take reasonable steps to reduce the risk of injury and prevent new incidents from arising, and they must keep a register of confidentiality incidents.

Mandatory provisions for service provider agreements

A distinct feature of the Act is its strict requirement for agreements between health and social service bodies and service providers to whom they communicate HSS information. Under the Act, all such agreements must be in writing, and they must, on “pain of nullity”, obligate service providers to:

• only use the HSS information communicated to them for authorized purposes;
• ensure that the HSS information is protected, and that information governance rules are complied with;
• have all personnel that might handle HSS information sign a confidentiality agreement;
• use only technological products or services that are authorized by the body;
• provide information obtained or produced from the use of HSS information upon request;
• allow the body to audit the service provider’s protection of HSS information;
• immediately notify the body’s privacy officer of any actual or attempted breach of the data protection obligations in the agreement; and
• not retain information once the purposes of the agreement have been fulfilled.

If information is to be communicated outside of Québec, the agreement must include terms to mitigate risks identified in the privacy impact assessment, if applicable.

Enforcement and penalties

The CAI is responsible for overseeing the Act, alongside Québec’s other privacy legislation. As with Québec’s private sector privacy regime, the CAI has inspection, investigation and order-making powers, and the ability to grant a right of appeal before the Court of Québec in certain cases.

The Act also creates offences with penal provisions, which can attract fines of up to $100,000 for natural persons and $150,000 in all other cases, the amounts of which are doubled and tripled for second and third offences. Offences include communicating prohibited information under the Act, attempting to identify a person using de-identified information without authorization, failing to report a confidentiality incident, and collecting, keeping, using, or destroying information.

Takeaways for businesses

Businesses that either directly collect information that can be classified as “health and social services information” or that regularly enter into agreements with health and social services bodies should review and revise their existing health privacy program to ensure compliance with the new requirements.

More specifically, some of these requirements will make compliance with Québec’s regime more onerous than complying with similar health privacy regimes in other provinces. This means that organizations may need to look more closely at the jurisdictional analysis, similar to the comparison between Québec and federal requirements for the collection, use and disclosure of personal information in the private sector. For organizations that are within the scope of the Act, this may entail the need to assess the risks, costs and benefits of bringing their health privacy compliance program in line with the new regime, designing different protocols for Québec, or taking a stance that they are not subject to the Act specifically (or to Québec laws generally) and therefore do not need to alter their existing data management program.

The mandatory provisions for service provider agreements should also be top of mind when preparing, negotiating and entering into contracts, both for service providers and for health and social services bodies. Service providers may want to ensure that their internal privacy and data protection programs will allow them to meet the mandatory contractual provisions even if the Act will not apply to them directly.