Quebec has seen major changes to its privacy laws in recent years, the most notable being Law 25 (aka “Bill 64”) which came into force gradually in the private and public sectors from 2022 until last September. But that’s not all, as another key health-related privacy law also came into force in July 2024: the Act respecting health and social services information (the “Quebec Health Information Act,” aka “Law 5”). This new law governs how health and social services information is processed, similarly to other health privacy laws across Canada, such as PHIPA in Ontario, but with some key differences.

Generally speaking, the Quebec Health Information Act applies to public-sector health bodies and to certain private organizations prescribed by law, such as private health facilities or specialized medical centres, which process health and social services information (collectively, “Health Bodies”). Yet, many private-sector organizations are unsure of how this new law applies to them, whether directly by falling within its broad scope of application (see this flowchart for more details), or indirectly by doing business with Health Bodies.

This article will focus on the latter case, i.e., healthcare IT service providers that may not be directly subject to the Quebec Health Information Act but that do business with Health Bodies and therefore feel the effects of these new requirements indirectly. Here’s a roundup of the threshold questions and key concepts healthcare IT service providers should know about in order to come to a determination.

1. Do you process “health and social services information”?

Under the Quebec Health Information Act, “health and social services information” is broadly defined and includes: (i) a person’s physical or mental health status and related factors; (ii) any biological materials or items collected during assessments or treatments, such as implants, prosthetics, or orthotics; or (iii) health or social services provided to the person.

If you do business with Health Bodies and process this type of information on their behalf, you may be impacted by the Quebec Health Information Act, either directly for the part of your activities that consists of health or social services, and/or indirectly in your contractual negotiations with the Health Bodies. If that’s not the case, the Quebec Health Information Act does not apply to you, but you may still need to comply with other applicable privacy laws if you are processing “personal information,” i.e., any information which relates to a natural person and directly or indirectly allows that person to be identified.

2. Do you offer a “technological product or service”?

The Quebec Health Information Act defines a “technological product or service” as any equipment, application, or service used to collect, store, use, or communicate health and social services information. This includes databases, information systems, telecommunications systems, software, and computer components of medical equipment.

Therefore, in line with the above, even though you may not be directly regulated by the Quebec Health Information Act, if you provide a “technological product or service” involving health and social services information to Health Bodies, you may be indirectly subject to it, as the latter will impose certain requirements on you as a condition of using your products or services. In short, healthcare IT service providers should consider not only the types of services offered to Health Bodies and the nature of the information processed, but also the technological format of their products and services.

3. How is your technology solution designed?

If you do provide a “technological product or service” as described above, here are some of the key considerations that you should keep top of mind and that any Health Body will likely ask you about:

  • Confidentiality by default. Your technology solution should be configurable to the highest level of confidentiality.
  • Accountability documentation. Your technology solution should be supported by a comprehensive privacy impact assessment identifying, among other things, key risks and related mitigations; see these frequently asked questions for more context.
  • Data portability. Your technology solution should allow individuals to receive their computerized information in a structured and commonly used format; see this compliance guide for reference.
  • Regular updates. Your technology solution should be regularly updated, as Health Bodies must maintain an update schedule for their technological products or services.
  • Maintenance and evaluations. Your technology solution should take into account obligations stemming from the Regulation respecting the governance of health and social information, such as annual training on the safe use of technological products or services, evaluation of cybersecurity and data protection standards at least every two years, and contingency planning in case of unavailability.
  • Certification and other rules. Your technology solution may have to be certified—the certification criteria and process will be outlined in future regulations—and follow information management rules set by the network information officer and approved by the Ministère de la Cybersécurité et du Numérique covering areas such as information security, identity and access management, information categorization, and reporting.

4. Do you transfer data outside of Quebec?

Similarly to the Quebec private-sector and public-sector privacy laws, the Quebec Health Information Act does not prohibit the communication of health and social services information outside of the province of Quebec. However, before the communication can proceed, a number of conditions need to be met, such as:

  • A privacy impact assessment must demonstrate that the information will be adequately protected in the receiving jurisdiction; and
  • A data processing agreement or similar contractual agreement must be concluded with the Health Body, including key provisions around security measures, use limitations, breach notification, audits, and the return/destruction of the information.

Quebec’s cross-border data transfer requirements are among the most complicated and stringent in Canada, and will hopefully be clarified by regulatory guidelines in the near future, so you should always consider these issues proactively and rigorously when dealing with a Health Body or with the personal or health information of Quebec residents.

5. Do you comply with Law 25?

Regardless of the Quebec Health Information Act, any healthcare IT service provider doing business in Quebec will inevitably be asked about its “Law 25 compliance,” more particularly whether its practices surrounding the collection, use, and disclosure of personal information comply with the Act respecting the protection of personal information in the private sector as amended by the Act to modernize legislative provisions respecting the protection of personal information. This is even more so when it comes to “medical data,” which is not defined in the law but is automatically considered “sensitive personal information” and therefore subject to higher standards of security and privacy.

Any non-compliance or partial compliance with Law 25 could raise questions from Health Bodies and incidentally impact your activities in Quebec, even though you may have arguments around its territorial applicability (i.e., lack of a real and substantial connection with Quebec) or material applicability (i.e., health and social services information processed on behalf of a Health Body).

Conclusion

Even if most private-sector organizations are not directly subject to the Quebec Health Information Act, its impact is far-reaching, particularly for those offering technology solutions to public-sector health bodies and private health facilities. Healthcare IT service providers should not dismiss or underestimate the Quebec Health Information Act and its implications on their activities.

Given the complexity of this new law, its gradual application by way of regulations (most of which are still in draft), not to mention the fact that the English translation is not always faithful to the French text, our Cyber security and Data Protection Group is committed to helping you navigate this new legal framework.