In Quebec, 2024 is shaping up to be a landmark year for the protection of personal health information.

In preparation for the imminent coming into force of the Act respecting health and social services information ("Law 5"), on July 1, 2024, the Quebec government has published two regulations aimed at clarifying the governance of health and social services information (the "Information") held by organizations in the health and social services sector (the "Organizations"). These regulations, published on June 12, 2024 in Part 2 of the Gazette officielle du Québec, will also come into force on July 1, 2024.

First Regulation

The Regulation respecting the application of certain provisions of the Act respecting health and social services information (in French only) provided for in sections 4, 6, 9, 39, 107, 108 and 110 of Law 5 (the "First Regulation") extends the scope of Organizations that are subject to Law 5. It specifies the consent procedures, the access conditions for a service provider who is not a professional within the meaning of the Professional Code, the content of the register of technological products and services, and describes the information that must be included in confidentiality incident notices and their related register.

Second Regulation

The Regulation respecting the governance of health and social services information (in French only), provided for in section 90 of Law 5 (the "Second Regulation"), defines the scope of the rules for the governance of Information held by Organizations subject to Law 5. It establishes the responsibilities that fall on Organizations and the procedures for keeping and destroying Information, as well as the maintenance and evaluation of technological products or services. It should be noted that certain provisions of Law 5 are not covered by the Second Regulation, since they will not come into force on July 1, 2024, but at a later date. These include the provisions dealing with the governance rules Organizations will have to implement with regard to the quality of Information, and the standards for categorization, mobility and valorization of Information.

The main provisions of the First Regulation

  • Organization (s. 1): College-level and university-level "educational institutions" are added to the list of Organizations subject to Law 5 if they provide, among other things, health or social services.
  • Consent (ss. 2 to 6): The procedures for obtaining and withdrawing consent from individuals regarding the use and communication of their Information are defined. Consent may be given in writing or verbally, and may be withdrawn in the same manner. The way in which individuals may exercise their rights to restrict or refuse access to their Information is also specified.
  • Conditions to allow access to a service provider who is not a Professional within the meaning of the Professional Code (ss. 7 to 9): The conditions that allow a service provider who is not a professional to access Information held by the Organizations are defined in the First Regulation.

First, these parties are authorized to access the Information if it is necessary to provide health or social services, or to provide technical or administrative support to the person concerned. Before accessing this Information, the concerned parties must meet certain requirements: they must be members of the Organization's personnel, have completed specific training on how to protect personal information in accordance with the regulation and undertake in writing to respect the confidentiality of any information that may come to their knowledge in the course of their duties.

Second, they must obtain the necessary authorizations from the person exercising the highest authority within the Organization.

This authorization may also be granted to:

  • Students or trainees supervised by a health or social services professional, as part of their college or university studies.
  • Volunteers providing invasive care to assist with activities of daily living and administering prescribed medication, as described in articles 39.7 and 39.8 of the Professional Code.
  • An employee of a licensed personnel placement agency or a person who is considered "independent labour", in accordance with the relevant legislation.
  • Content of the technological products and services register (s. 10): Organizations are required to keep a register of the technological products and services they use. For each product or service, the register must contain a description of the type of technological product or service, the name of the supplier if applicable, an indication of whether it is certified by the Minister, and whether it uses Information to render a decision based exclusively on automated processing.
  • Content of confidentiality incident notices and of the confidentiality incidents register (ss. 11 to 16): These provisions set out the content that must be included in notices sent to the Minister, Quebec's privacy regulator (the Commission d'accès à l'information), and the individuals affected by the incident. They also set out similar requirements for the information to be recorded in the Organization's register of confidentiality incidents.

The main provisions of the Second Regulation

  • Training (ss. 1 and 2): Organizations must provide their employees (including members of their personnel, professionals, students and trainees) with initial training on the protection of Information that is recognized by the Minister. They must also ensure that everyone's knowledge of Information protection is kept up to date on an annual basis. This obligation also applies to volunteers providing invasive care to assist with activities of daily living and the administration of prescribed medication, as described in sections 39.7 and 39.8 of the Professional Code, as well as to employees of a licensed personnel placement agency or to persons who are considered "independent labour", in accordance with the relevant legislation.
  • Consent (s. 3): Organizations must keep proof of any consent received in accordance with Law 5.
  • Duty to manage Information and individuals (ss. 5 to 7 and 9): Organizations will need to review the relevance of the categories of individuals identified in their information governance policy. They will also have to assess the compliance of logging mechanisms and monitor access, use and communication of Information held on a monthly basis. Until Section 103 of Law 5 comes into force, Organizations must not only assess the compliance of logging mechanisms but also ensure the compliance of the register of communications. Additionally, the Organizations are required to review this register as needed.
  • Creation of a governance committee (s. 8): All Organizations, except a few, will be required to set up a committee on the governance of Information to support the person exercising the highest authority within the Organization in the exercise of that person's responsibilities.
  • Storage and destruction of Information (ss. 10 to 14): Organizations must ensure the protection of Information by controlling access to the premises where Information is kept and complying with restrictions or refusals of access to Information. They must also destroy the Information in a secure and documented manner and must retain proof of such destruction. If the Information is destroyed by an external service provider, there must be a detailed contract in place with the service provider to ensure that destruction procedures are followed and confidentiality obligations met.
  • Appointment of individuals with new duties (ss. 4 and 16): Organizations will be required to appoint persons responsible for ensuring that individuals who have given notice of a restriction on access to their Information are adequately informed of the potential consequences and risks associated with the restricted exercise of this right. Organizations shall also appoint a person responsible for ensuring that technological standards applicable to the technological products or services are met and that the Information is secure.
  • Maintenance and assessment of technological products or services (ss. 15 and 17): Organizations must take action to prevent or reduce the potential impacts of a technological product if it becomes non-compliant or its service is no longer available and evaluate the products or services used in accordance with applicable standards.

Key takeaways

To summarize, these regulatory measures represent a significant step forward in strengthening personal information protection in Quebec's health and social services sector.

By reinforcing the governance structures of Organizations, and clarifying the protocols for accessing and storing health and social services information, the Quebec government seeks to ensure that data is managed in a more secure and transparent way, thereby enhancing the protection of all citizens.