BILL NO. 64
(as introduced)
1st Session, 61st General Assembly
Nova Scotia
58 Elizabeth II, 2009
Personal Health Information Act
The Honourable Maureen MacDonald
Minister of Health
1st Session, 61st General Assembly
Nova Scotia
58 Elizabeth II, 2009
The Honourable Maureen MacDonald
Minister of Health
First Reading: November 4, 2009
Second Reading:
Third Reading:
![[home]](../../../images/n-home.gif)
![[bills]](../../../images/n-top.gif)
Be it enacted by the Governor and Assembly as follows:
1 This Act may be cited as the Personal Health Information Act.
2 The purpose of this Act is to govern the collection, use, disclosure, retention and destruction of personal health information in a manner that recognizes both the right of individuals to protect their personal health information and the need of custodians to collect, use and disclose personal health information to provide, support and manage health care.
(a) "agent", in relation to a custodian, means a person who, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent's purposes, whether or not the agent has the authority to bind the custodian, is paid by the custodian or is being remunerated by the custodian, and includes, but is not limited to, an employee of a custodian or a volunteer who deals with personal health information, a custodian's insurer or a lawyer retained by the custodian's insurer;
(b) "capacity" means the ability to understand information that is relevant to the making of a decision related to the collection, use or disclosure of personal health information and the ability to appreciate the reasonably foreseeable consequences of a decision or lack of a decision;
(c) "collect", in relation to personal health information, means to gather, acquire, receive, gain access to or obtain the information by any means from any source;
(d) "Common Client Registry" means a Provincial database that is a master index for
(ii) all non-residents who have received insured services in the Province;
(f) "custodian" means an individual or organization described below who has custody or control of personal health information as a result of or in connection with performing the person's or organization's powers or duties:
(ii) the Minister and the Department,
(iii) the Minister of Health Promotion and Protection and the Department of Health Promotion and Protection,
(iv) the Chief Medical Examiner pursuant to the Fatality Investigations Act,
(v) a district health authority pursuant to the Health Authorities Act,
(vi) the IWK Health Centre pursuant to the Izaak Walton Killam Health Centre Act,
(vii) the Review Board pursuant to the Involuntary Psychiatric Treatment Act,
(viii) a pharmacy licensed under the Pharmacy Act,
(ix) a continuing-care facility licensed by the Department under the Homes for Special Care Act or a continuing-care facility approved by the Department,
(xi) any other individual or organization or class of individual or class of organization as prescribed by regulation as a custodian;
(h) "Department" means the Department of Health;
(i) "disclose", in relation to personal health information in the custody or under the control of a custodian or a person, means to make the information available or to release it to another custodian or to another person, but does not include to use the information;
(j) "domestic partnership" means a domestic partnership as defined in the Vital Statistics Act;
(k) "health card number" means a unique identification number assigned by the Department to individuals insured under the Health Services and Insurance Act;
(l) "health care" means an observation, examination, assessment, care, service or procedure in relation to an individual that is carried out, provided or undertaken for one of the following health-related purposes:
(ii) the prevention of disease or injury,
(iii) the promotion and protection of health,
(v) the compounding, dispensing or selling of a drug, health-care aid, device, product, equipment or other item to an individual or for the use of an individual, under a prescription, or
(vi) a program or service designated as a health-care service in the regulations;
(n) "individual", in relation to personal health information, means the individual, whether living or deceased, with respect to whom the information was or is being collected or created;
(o) "information practices", in relation to a custodian or a prescribed entity, means the policies of the custodian or a prescribed entity for actions in relation to personal health information, including
(ii) the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information;
(q) "Minister" means the Minister of Health;
(r) "person" includes a partnership, association or other entity;
(s) "personal health information" means identifying information about an individual, whether living or deceased, and in both recorded and unrecorded forms, if the information
(ii) relates to the application, assessment, eligibility and provision of health care to the individual, including the identification of a person as a provider of health care to the individual,
(iii) relates to payments or eligibility for health care in respect of the individual,
(iv) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
(v) is the individual's registration information, including the individual's health card number, or
(u) "prescribed" means prescribed by the regulations;
(v) "Privacy Review Officer" means the Privacy Review Officer under the Privacy Review Officer Act;
(w) "proceeding" means a proceeding held before, in or under the rules of a court, a tribunal, a commission, a justice of the peace, a regulated health profession body, an arbitrator or a mediator;
(x) "record" means a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, but does not include a computer program or other mechanism that can produce a record;
(y) "regulated health professional" means a health professional who is governed by legislation in the Province specific to his or her profession and who provides health care;
(z) "regulated health profession body" means a body with the statutory authority for the discipline of a regulated health professional;
(aa) "resident" means a resident as defined in the Health Services and Insurance Act;
(ab) "spouse" means, with respect to any person, a person who is cohabiting with that person in a conjugal relationship as married spouse, registered domestic partner or common-law partner;
(ac) "use", in relation to personal health information in the custody or under the control of a custodian or a person, means to handle or deal with the information, but does not include to disclose the information.
4 Unless specifically provided otherwise in this Act or the regulations, this Act applies to
(a) the collection of personal health information by a custodian on or after the coming into force of this Act;
(b) the use or disclosure of personal health information, on or after the coming into force of this Act, by
(ii) a person who is not a custodian and to whom a custodian disclosed the information, even if the person received the information before the coming into force of this Act; and
5 (1) Unless specifically provided otherwise in this Act, this Act does not apply to an individual or organization that collects, uses or discloses personal health information for purposes other than health care and the planning and management of the health system, including
(c) a regulated health-profession body;
(d) a regulated health professional who does not provide health care; or
(e) any other prescribed individual or organization or class of individual or organization.
(2) Except as prescribed, a person described in subclause 3(f)(i) is not a custodian in respect of personal health information that the person collects, uses or discloses while performing the person's powers or duties when an agent of a custodian.
6 (1) Where this Act or the regulations are in conflict with another Act or regulation enacted before or after the coming into force of this Act, this Act and the regulations prevail unless the other Act or regulation more completely protects the privacy of the personal health information.
(2) For the purpose of this Section, there is no conflict unless it is not possible to comply with both this Act and the regulations and the other Act or regulation.
(3) Notwithstanding subsection (1), where
(a) access to a record of personal health information is prohibited or restricted by;
(b) a right of access to a record of personal health information is provided in; or
(c) a requirement to disclose personal health information is imposed upon,
a custodian in a prescribed Act or regulation made under an Act, that Act or regulation prevails over this Act and the regulations.
7 (1) Subject to subsection (2), the Freedom of Information and Protection of Privacy Act does not apply to personal health information collected by a custodian or in the custody or under the control of a custodian unless this Act specifies otherwise.
(2) Sections 12, 13, clause 15(1)(b), and Section 21 of the Freedom of Information and Protection of Privacy Act apply in respect of records of personal health information in the custody or under the control of a custodian that is a public body within the meaning of that Act.
(3) This Act does not limit a person's right of access under Section 5 of the Freedom of Information and Protection of Privacy Act to a record of personal health information if all the types of information referred to in clause 3(s) are reasonably severed from the record.
(4) This Act does not apply to a collection, use or disclosure of personal health information, a request for access or a review made under the Freedom of Information and Protection of Privacy Act before this Section comes into force, and the Freedom of Information and Protection of Privacy Act continues to apply to the collection, use, disclosure, request or review.
8 Except as otherwise specifically provided in this Act, this Act does not
(a) affect the law of evidence or limit the information otherwise available by law to a party to a proceeding;
(b) affect the power of a court or tribunal to compel a witness to testify or to compel the production of documents;
(c) affect anything in connection with a subrogated claim or a potential subrogated claim;
(d) interfere with the activities of a regulated health profession body;
(e) affect a court order that prohibits a person from making information public or from publishing information; or
(f) prohibit the transfer, storage or disposition of a record in accordance with another Act or an Act of the Parliament of Canada.
9 (1) In addition to the matters referred to in clause 3(s), personal health information includes identifying information about an individual that is not personal health information but that is contained in a record that contains personal health information about the individual within the meaning of that clause.
(2) Notwithstanding subsection (1), personal health information does not include identifying information contained in a record that is in the custody or under the control of a custodian if
(a) the identifying information contained in the record relates primarily to an employee or agent of the custodian; and
(b) the record is created or maintained primarily for a purpose other than the provision of health care or assistance in providing health care to the employee or agent.
10 (1) A provision of this Act that applies to the collection, use or disclosure of personal health information about an individual by a custodian with the consent of the individual, whatever the nature of the consent, does not affect the collection, use or disclosure that this Act permits or requires the custodian to make of the information without the consent of the individual.
(2) A provision of this Act that permits a custodian to disclose personal health information about an individual without the consent of the individual
(a) does not require the custodian to disclose it unless required to do so by law;
(b) does not relieve the custodian from a legal requirement to disclose the information; and
(c) does not prevent the custodian from obtaining the individual's consent for the disclosure or giving notice to the individual of the disclosure.
11 A custodian shall not collect, use or disclose personal health information about an individual unless
(a) it has the individual's consent under this Act and the collection, use or disclosure is reasonably necessary for a lawful purpose; or
(b) the collection, use or disclosure is permitted or required by this Act.
12 Unless this Act requires express consent or makes exception to the requirement for consent, knowledgeable implied consent may be accepted as consent for the collection, use and disclosure of personal health information.
13 Where this Act requires knowledgeable implied consent or express consent of an individual for the collection, use or disclosure of personal health information by a custodian, the consent must
(a) be a consent of the individual;
(c) relate to the specific information at issue; and
14 A consent to the collection, use or disclosure of personal health information about an individual is knowledgeable if it is reasonable in the circumstances for the custodian to believe that the individual knows
(a) the purpose of the collection, use or disclosure, as the case may be; and
(b) that the individual may give or withhold consent.
15 (1) Unless it is not reasonable in the circumstances, it is reasonable to believe that an individual knows the purpose of the collection, use or disclosure of personal health information about the individual by a custodian if the custodian
(a) makes readily available a notice describing the purpose in a manner that the purpose is likely to come to the individual's attention; or
(b) explains the purposes to the individual.
(2) A custodian cannot rely on the belief pursuant to subsection (1) if the custodian should have known that the individual
(a) has a limited ability to read or understand the language in which the notice is presented; or
(b) has a disability or condition that impairs the individual's ability to read or understand the notice.
(3) A custodian shall make reasonable efforts to assist an individual referred to in subsection (2) with the individual's understanding of the purpose of the collection, use and disclosure of the individual's personal health information.
16 Where express consent is required, the consent may be written or oral.
17 (1) An individual may limit or revoke his or her consent to the collection of personal health information or to the use or disclosure of personal health information in the custody or control of a custodian.
(2) An individual who wishes to limit or revoke consent pursuant to subsection (1) shall provide notice to the custodian.
(3) A consent may be limited or revoked at any time, but no limitation or revocation has retroactive effect.
(4) A custodian shall take reasonable steps to comply with a limitation or revocation of consent after receiving the notice.
(5) The custodian shall inform the individual of the consequences of limiting or revoking consent in the specific circumstances.
(6) Where the disclosing custodian does not have the consent of the individual to disclose all the personal health information about the individual that it considers reasonably necessary for that purpose, the disclosing custodian shall notify the custodian to whom it disclosed the information of that fact.
(7) This Section does not apply to personal health information that a custodian is required by law to collect, use or disclose.
18 Any capable individual, regardless of age, may consent to the collection, use or disclosure of personal health information.
19 An individual may have the capacity at a particular time to consent to the collection, use or disclosure of some parts of personal health information, but be incapable of consenting at another time.
20 Where an individual is deemed to have the capacity to consent to the collection, use and disclosure of personal health information, this capacity to consent includes disclosure to a parent, guardian or substitute decision-maker where applicable.
21 Unless otherwise stated, only capable individuals may consent or withdraw consent for the purpose of this Act.
22 (1) For the purpose of this Act, consent to the collection, use and disclosure of personal health information may be given or refused on behalf of an individual by a substitute decision-maker if the individual lacks the capacity to make the decision.
(2) The substitute decision-maker shall be chosen from the following in descending order:
(a) a person who is authorized by or required by law to act on behalf of the individual;
(b) the individual's guardian appointed by a court of competent jurisdiction;
(c) the spouse, if the spouse is cohabiting with the individual in a conjugal relationship;
(d) an adult child of the individual;
(e) a parent of the individual;
(f) a person who stands in loco parentis to the individual;
(g) an adult sibling of the individual;
(h) a grandparent of the individual;
(i) an adult grandchild of the individual;
(j) an adult aunt or uncle of the individual;
(k) an adult niece or nephew of the individual;
(l) any other adult next of kin of the individual;
(3) Where a person in a category in subsection (2) fulfils the criteria for a substitute decision-maker as set out in subsection (5) but refuses consent on the individual's behalf, the consent of a person in a subsequent category is not valid.
(4) Where two or more persons who are not described in the same clause of subsection (2) claim the authority to give or refuse consent under that subsection, the one under the clause occurring first in that subsection prevails.
(5) A person referred to in clauses (2)(b) to (g) shall not exercise the authority given by that subsection unless the person
(a) has been in personal contact with the individual throughout the preceding twelve-month period or has been granted a court order to shorten or waive the twelve-month period;
(b) is willing to assume the responsibility for consenting or refusing consent;
(c) knows of no person of a higher category who is able and willing to make the decision; and
(d) makes a statement in writing certifying the person's relationship to the individual and the facts and beliefs set out in clauses (a) to (c).
23 In making any decision, a substitute decision-maker shall
(a) follow any prior capable expressed wishes of the individual, unless circumstances exist that would have caused the individual to set out different instructions had the circumstances been known based on what the delegate knows of the values and beliefs of the individual and from any other written or oral instructions;
(b) in the absence of instructions, act according to what the substitute decision-maker believes the wishes of the individual would be based on what the substitute decision-maker knows of the values and beliefs of the individual and from any other written or oral instructions; and
(c) where the substitute decision-maker does not know the wishes, values and beliefs of the individual, make the decision that the delegate believes would be in the best interests of the individual.
24 Whoever seeks a person's consent on an individual's behalf is entitled to rely on that person's statement in writing as to the person's relationship with the individual and as to the facts and beliefs mentioned in clauses 22(5)(a) to (c), unless it is not reasonable to believe the statement.
25 A custodian shall not collect, use or disclose personal health information if other information will serve the purpose of the collection, use or disclosure.
26 (1) The collection, use and disclosure of personal health information must be limited to the minimum amount of personal health information necessary to achieve the purpose for which it is collected, used and disclosed.
(2) For greater certainty, in respect of the use of personal health information by a custodian, the custodian shall limit the use of personal health information in its custody or under its control to those of its employees who need to know the information to carry out the purpose for which the information was collected or a purpose authorized under this Act.
27 Sections 25 and 26 apply in circumstances where the custodian is authorized to collect, use and disclose personal health information
(a) with knowledgeable implied consent;
(c) without consent unless the individual objects.
28 Sections 25 and 26 do not apply to personal health information that a custodian is required by law to collect.
(b) authorized by the regulations to do so,
shall not collect or use an individual's health card number.
30 (1) A custodian is responsible for personal health information in the custody or control of the custodian and may permit the custodian's agent to collect, use, disclose, retain or dispose of personal health information on the custodian's behalf only if
(a) the custodian is permitted or required to collect, use, disclose, retain or dispose of the information, as the case may be;
(b) the collection, use, disclosure, retention or disposition of the information, as the case may be, is in the course of the agent's duties and not contrary to the limits imposed by the custodian, this Act or another law; and
(c) the prescribed requirements, if any, are met.
(2) Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, an agent of a custodian shall not collect, use, disclose, retain or dispose of personal health information on the custodian's behalf unless the custodian permits the agent to do so in accordance with subsection (1).
(3) An agent of a custodian shall notify the custodian at the first reasonable opportunity if personal health information handled by the agent on behalf of the custodian is stolen, lost or accessed by unauthorized persons.
31 (1) Where a custodian is authorized to use personal health information for a purpose, the custodian may provide the information to an agent who may use it for that purpose on behalf of the custodian.
(2) For the purpose of this Act, the providing of personal health information between a custodian and an agent of the custodian is a use by the custodian, and not a disclosure by the custodian or a collection by the agent.
(3) A custodian shall limit the use of personal health information in its custody or under its control to those of its agents who need to know the information to carry out the purpose for which the information was collected or a purpose authorized under this Act.
32 A custodian may collect personal health information
(a) for a lawful purpose related to the authority of the custodian; or
(b) if it is expressly authorized by an Act of the Province or of the Parliament of Canada.
33 A custodian shall collect personal health information directly from the individual about whom the information is being collected, except in the following circumstances:
(a) the individual authorizes collection from another person;
(b) from the substitute decision-maker if the substitute decision-maker has the authority to act;
(c) the information to be collected is reasonably necessary for providing health care or assisting in providing health care to the individual and it is not reasonably possible to collect, directly from the individual,
(e) for the purpose of assembling a family history if the information collected is to be used in the context of providing health care to the individual from whom the information is being collected;
(f) collection is for any of the following purposes:
(ii) verifying the eligibility of an individual who is participating in a program of, or receiving a benefit, product or health service from, a custodian to participate in the program or to receive the benefit, product or service;
(ii) the conduct of a proceeding or a possible proceeding, or
(i) the custodian is a prescribed entity mentioned in clause 40(1)(j) and the custodian is collecting personal health information from a person who is not a custodian for the purpose of that clause;
(j) the custodian collects the information from a person who is permitted or required by law or by a treaty, agreement or arrangement made under an Act of the Province or of the Parliament of Canada to disclose it to the custodian; or
(k) subject to the requirements and restrictions, if any, that are prescribed, the health information custodian is permitted or required by law or by a treaty, agreement or arrangement made under an Act of the Province or of the Parliament of Canada to collect the information indirectly.
34 Express consent is required for the collection of personal health information for
(a) fund-raising activities; or
(b) market research or marketing any service for a commercial purpose.
35 A custodian may use an individual's personal health information for
(a) for the purpose for which the information was collected or created and for all the functions reasonably necessary for carrying out that purpose;
(b) for a purpose for which this Act, another Act of the Province or of the Parliament of Canada permits or requires a person to disclose it to the custodian; or
(c) for educating agents to provide health care,
unless the individual has expressly instructed the custodian not to make the disclosure.
36 Express consent is required for the use of personal health information for
(a) fund-raising activities; or
(b) market research or marketing any service for a commercial purpose.
37 (1) A custodian may use personal health information about an individual without the individual's consent
(a) for planning or delivering programs or services that the custodian provides or that the custodian funds in whole or in part, allocating resources to any of them and evaluating or monitoring any of them;
(b) for detecting, monitoring or preventing fraud or any unauthorized receipt of services or benefits related to any of them;
(c) for the purpose of risk management, patient safety or for the purpose of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services of the custodian;
(d) for the purpose of disposing of the information or modifying the information in order to conceal the identity of the individual;
(e) for the purpose of seeking the individual's consent, when the personal health information used by the custodian for this purpose is limited to the individual's name and contact information;
(f) for the purpose of a proceeding or a contemplated proceeding in which the custodian or an agent or former agent of the custodian is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding or contemplated proceeding;
(g) for the purpose of obtaining payment or processing, monitoring, verifying or reimbursing claims for payment for the provision of health care or related goods and services;
(h) for research conducted by the custodian, in accordance with Sections 54 to 62; or
(i) subject to the requirements and restrictions, if any, that are prescribed, if permitted or required by law or by a treaty, agreement or arrangement made under an Act of the Province or of the Parliament of Canada.
(2) Where subsection (1) authorizes a custodian to use personal health information for a purpose, the custodian may provide the information to an agent of the custodian who may use it for that purpose on behalf of the custodian.
38 (1) Subject to subsection (2), a custodian may disclose personal health information about an individual to a custodian involved in the individual's health care if the disclosure is reasonably necessary for the provision of health care to the individual.
(2) A custodian may not disclose information pursuant to subsection (1) if the individual has expressly instructed the custodian not to make the disclosure pursuant to Section 17.
(3) Where a custodian discloses personal health information about an individual under subsection (1) and an instruction of the individual made under Section 17 prevents the custodian from disclosing all the personal health information that the custodian considers reasonably necessary to disclose for the provision of health care or assisting in the provision of health care to the individual, the custodian shall notify the person to whom it makes the disclosure of that fact.
39 A custodian has the discretion to disclose personal health information about an individual to
(a) family members of the individual; or
(b) to another person if the custodian has a reasonable belief that the person has a close personal relationship with the individual,
if the information is given in general terms and concerns the presence, location, and general condition of the individual on the day on which the information is disclosed and the disclosure is not contrary to the express request of the individual.
40 (1) A custodian may disclose personal health information about an individual without the individual's consent
(a) to another custodian if the custodian disclosing the information has a reasonable expectation that the disclosure will prevent or assist an investigation of fraud, limit abuse in the use of health services or prevent the commission of an offence under an enactment of a province of Canada;
(b) to persons acting on behalf of the individual including
(iii) the administrator of an estate, if the use or disclosure is for the purpose of the estate;
(d) to any person if the custodian believes, on reasonable grounds, that the disclosure will avert or minimize an imminent and significant danger to the health or safety of any person or class of persons;
(e) to an official of a penal or other custodial institution in which the individual is being lawfully detained if the purpose of the disclosure is to allow the provision of health care to the individual and to assist the institution or the facility in making a decision concerning the placement of the individual into custody, detention, release, conditional release, discharge or conditional discharge under existing provincial, territorial, or federal legislation;
(f) to another custodian for the purpose of ensuring quality or standards of care including providing for use or disclosure for risk management purposes, for quality of care committee or similar bodies or for the purpose of ensuring quality or standards of care within the custodian's organization;
(g) to the Department and the Department of Health Promotion and Protection for the purpose of planning and management of the health system;
(h) to the Nova Scotia Prescription Monitoring Board for monitoring prescriptions pursuant to the Prescription Monitoring Act;
(i) to the Canadian Institute for Health Information to assist in the planning and management of the health system in accordance with the terms of an agreement between the Canadian Institute for Health Information and the Province;
(j) to a prescribed entity, for the planning and management of the health system for all or part of the health system, including the delivery of services, if the entity meets the requirements under subsection (2);
(k) from the Province to another provincial or territorial government or the Government of Canada to assist in the planning and management of the health system;
(l) subject to the requirements and restrictions, if any, that are prescribed, if the disclosure is required or permitted by law or a treaty, agreement or arrangement made pursuant to an Act of the Province or the Parliament of Canada;
(m) to another custodian for the purpose of determining or verifying an individual's eligibility for insured services;
(n) subject to the requirements and restrictions, if any, that are prescribed, to a person carrying out an inspection, investigation or similar procedure that is authorized by a warrant or by or under this Act or any other Act of the Province or an Act of the Parliament of Canada for the purpose of complying with the warrant or for the purpose of facilitating the inspection, investigation or similar procedure;
(o) to a proposed litigation guardian or legal representative of the individual for the purpose of having the person appointed as such;
(p) to a litigation guardian or legal representative who is authorized under the Civil Procedure Rules, or by a court order, to commence, defend or continue a proceeding on behalf of the individual or to represent the individual in a proceeding; or
(q) for the purpose of complying with
(ii) a procedural rule that relates to the production of information in a proceeding.
(a) the entity has in place information practices to protect the privacy of the individuals whose personal health information it receives and to maintain the confidentiality of the information; and
(b) the Privacy Review Officer has approved the information practices, if the custodian makes the disclosure on or after one year after this Section comes into force.
(3) The Privacy Review Officer shall review the practices and procedures of each prescribed entity pursuant to clause (1)(j) every five years from the date of its approval pursuant to clause (2)(b) and advise the custodian whether the entity continues to meet the requirements of subsection (2).
(4) A prescribed entity that is not a custodian is authorized to collect the personal health information that a custodian may disclose to the prescribed entity under clause (1)(j).
(5) Subject to the exceptions and additional requirements, if any, that are prescribed, a prescribed entity that receives personal health information under clause (1)(j) shall not use the information, except for the purposes for which it received the information, and shall not disclose the information, except as required by law.
(6) An agent or former agent who receives personal health information under clauses (1)(n),(o),(p) or (q) or under subsection 37(2) for the purpose of a proceeding or contemplated proceeding may disclose the information to the agent's or former agent's professional advisor for the purpose of providing advice or representation to the agent or former agent, if the advisor is under a professional duty of confidentiality.
41 (1) A custodian may disclose personal health information about an individual to a non-custodian without the individual's consent at the request of any custodian for the purpose of facilitating assessment, care or treatment services for the individual.
(2) All disclosures pursuant to subsection (1) must be requested in writing and authorized by the Minister before any disclosure is made.
42 (1) A custodian may disclose personal health information about an individual who is deceased, or is believed to be deceased
(a) for the purpose of identifying the individual;
(b) for the purpose of informing any person whom it is reasonable to inform, the fact that the individual is deceased or believed to be deceased;
(c) to a spouse, parent, sibling or child of the individual if the recipients of the information reasonably require the information to make decisions about their own health care or the recipient's children's health care and it is not contrary to the express capable wishes of the individual; and
(d) for carrying out the deceased person's wishes for the purpose of tissue or organ donation.
(2) Where an individual is deceased, personal health information may be disclosed to
(a) a family member of the individual; or
(b) to another person if the custodian has a reasonable belief that the person has a close personal relationship with the individual,
if the information relates to circumstances surrounding the death of the individual or to health care recently received by the individual and the disclosure is not contrary to the express capable wishes of the individual.
(3) A custodian may disclose personal health information about a deceased individual if the disclosure is made after the earlier of
(a) one hundred and twenty years after the record containing the information was created; and
(b) fifty years after the death of the individual to whom the personal health information relates,
unless this Act otherwise permits the disclosure without the consent of the individual.
43 (1) A provision of this Act that permits a custodian to disclose personal health information about an individual without the consent of the individual does not prevent the custodian from obtaining the individual's consent for the disclosure.
(2) Subsection (1) does not apply where the custodian is required by law to disclose the personal health information.
44 (1) A disclosure of health information without consent must be documented.
(2) The documentation must include
(a) a description or copy of the personal health information disclosed;
(b) the name of the person or organization to whom the personal health information was disclosed;
(c) the date of the disclosure; and
(d) the authority for the disclosure.
45 Express consent of the individual to whom the information relates is required for the following purposes:
(a) disclosure of personal health information by a custodian to a non-custodian unless required or authorized by law;
(b) disclosure of personal health information by a custodian to another custodian if it is not for the purpose of providing health care unless required or authorized by law;
(c) disclosure of personal health information for fund-raising activities;
(d) disclosure of personal health information for market research or marketing any service for a commercial purpose;
(e) disclosure to the media; and
(f) disclosure to a person or organization for the purpose of research unless provided for in Section 59.
46 (1) A custodian may disclose personal health information about an individual collected in the Province to a person outside the Province but only where
(a) the individual who is the subject of the information consents to the disclosure;
(b) the disclosure is permitted by this Act or the regulations;
(c) the disclosure is to a regulated health professional and the disclosure is to meet the functions of another jurisdiction's prescription monitoring program;
(d) the following conditions are met:
(ii) the information relates to health care provided in the Province to an individual who resides in another province of Canada, and
(iii) the disclosure is made to the government of that other province of Canada;
(f) the disclosure is reasonably necessary for the administration of payments in connection with the provision of health care to the individual or for contractual or legal requirements in that connection.
(2) Where a custodian discloses personal health information about an individual under clause (1)(e) and an express request of the individual who is the subject of the information prevents the custodian from disclosing all the personal health information that the custodian considers reasonably necessary to disclose for the provision of health care to the individual, the custodian shall notify the person to whom it makes disclosure of that fact.
47 (1) A person who is not a custodian is authorized to collect the personal health information that a custodian may disclose to it, but that person does not become a custodian merely by virtue of its collection of the personal health information that the custodian has disclosed to it.
(2) Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, a person who is not a custodian and to whom a custodian discloses personal health information shall not use or disclose the information for any purpose other than
(a) the purpose for which the custodian was authorized to disclose the information under this Act; or
(b) the purpose of carrying out a statutory or legal duty.
(3) Subject to the exceptions and additional requirements, if any, that are prescribed, a person who is not a custodian, and to whom a custodian discloses personal health information, shall not use or disclose more of the information than is reasonably necessary to meet the purpose of the use or disclosure, as the case may be, unless the use or disclosure is required by law.
(4) Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, where a custodian discloses information to another custodian and the information is identifying information of the type described in subsection 9(2) in the custody or under the control of the receiving custodian, the receiving custodian shall not
(a) use or disclose the information for any purpose other than
(ii) the purpose of carrying out a statutory or legal duty; or
(5) The restrictions set out in clauses (4)(a) and (b) apply to a custodian that receives the identifying information described in subsection (4) even if the custodian receives the information before the day that subsection comes into force.
(6) Except as prescribed, this Section does not apply to a public body within the meaning of the Freedom of Information and Protection of Privacy Act that is not a custodian.
48 Notwithstanding any enactment, except the Juries Act and the Elections Act, the Department has the sole authority for deciding who may have access to the information in the health card number database, the Common Client Registry, or any successor client information system related to the health card number.
49 A custodian shall have in place and comply with information practices that meet the requirements of this Act.
50 (1) In this Section, "securely destroyed" means the destruction of a record in such a manner that reconstruction of the record is not reasonably foreseeable in the circumstances.
(2) At the expiry of the relevant retention period, personal health information that is no longer required to fulfil the purposes identified in the retention schedule must be securely destroyed, erased or de-identified.
(3) Subject to Section 51, personal health information may be de-identified and retained for purposes other than the original purposes for which it was collected.
51 (1) Every custodian shall have a written retention schedule for personal health information that includes
(a) all legitimate purposes for retaining the information; and
(b) the retention period and destruction schedules associated with each purpose.
(2) Subsection (1) does not override or modify any requirement in an enactment of the Province or the Parliament of Canada concerning the retention or destruction of records maintained by public bodies.
52 Prior to release of personal health information, including disclosure to the archives of a custodian or to the Public Archives, the custodian shall ensure that the custodian's retention and destruction schedules have been followed.
53 Sections 49 to 52 apply to personal health information in both paper and electronic format.
54 For the purpose of Sections 55 to 62,
(a) "data matching" means the creation of individually identifying health information by combining individually identifying or non-identifying health information or other information from two or more databases without the consent of the individuals who are the subjects of the information;
(b) "impracticable" means a degree of difficulty higher than inconvenience or impracticality but lower than impossibility;
(c) "research" means a systematic investigation designed to develop or establish principles, facts or generalizable knowledge, or any combination of them, and includes the development, testing and evaluation of research;
(d) "research ethics board" means a research ethics board established and operating in conformity with the Tri-Council Policy Statement;
(e) "Tri-Council Policy Statement" means the Tri-Council Policy Statement "Ethical Conduct for Research Involving Humans" adopted in August 1998 by the Medical Research Council of Canada, the Natural Sciences and Engineering Research Council of Canada and the Social Sciences and Humanities Research Council of Canada, and includes any amendments or successor statements.
55 (1) Sections 56 to 62 do not apply to research that exclusively uses statistical, aggregate or de-identified information.
(2) Planning and management of the health system does not constitute research for the purpose of subsection (1).
56 The use and disclosure of personal health information by a custodian is limited to the minimum amount of information necessary to accomplish the research purposes for which it is to be used or disclosed.
57 A custodian may use personal health information for research if the custodian meets the following requirements prior to commencing the research:
(a) prepares a research plan that meets the requirements in Section 61;
(b) submits the research plan to a research ethics board;
(c) receives the approval of the research ethics board; and
(d) prior to the commencement of research, meets any conditions imposed by the research ethics board.
58 A custodian may disclose personal health information about an individual to a researcher if the researcher
(ii) a research plan that meets the requirements of Section 61, and
(iii) a copy of the submission to and decision of a research ethics board that approves the research plan; and
59 A custodian may disclose personal health information about an individual to a researcher without the consent of the subject individual if
(a) the researcher has met the requirements in Section 57;
(b) a research ethics board has determined that the consent of the subject individuals is not required;
(c) the custodian is satisfied that
(ii) the personal health information is limited to that necessary to accomplish the purpose of the research,
(iii) the personal health information is in the most de-identified form possible for the conduct of the research,
(iv) the personal health information will be used in a manner that will ensure its confidentiality, and
60 A custodian may prescribe forms for use by researchers for
(a) an application under clause 58(a)(i);
(b) a research plan under Section 61; and
(c) a disclosure agreement under Section 62.
61 (1) Prior to commencing research, a researcher seeking to conduct research utilizing personal health information shall submit a research plan to a research ethics board.
(2) The research plan must be in writing.
(3) In order to meet the requirements for a custodian under this Act, the research plan must include
(a) a description of the research proposed to be conducted;
(b) a statement regarding the duration of the research;
(c) a description of the personal health information required and the potential sources of the information;
(d) a description as to how the personal information will be used in the research;
(e) where the personal health information will be linked to other information, a description of the other information as well as how the linkage will be conducted;
(f) where the researcher is conducting the research on behalf of or with the support of a person or organization, the name of the person or organization;
(g) the nature and objectives of the research and the public or scientific benefit anticipated as a result of the research;
(h) where consent is not being sought, an explanation as to why seeking consent is impracticable;
(i) an explanation as to why the research cannot reasonably be accomplished without the use of personal health information;
(j) where there is to be data matching, an explanation of why data matching is required;
(k) a description of the reasonably foreseeable risks arising from the use of personal health information and how those risks are to be mitigated;
(l) a statement that the personal health information is to be used in the most de-identified form possible for the conduct of the research;
(m) a description of all individuals who will have access to the information, and
(n) a description of the safeguards that the researcher will impose to protect the confidentiality and security of the personal health information;(o) information as to how and when the personal health information will be destroyed or returned to the custodian;
(p) the funding source of the research;
(q) whether the researcher has applied for the approval of another research ethics board and, if so, the response to or status of the application; and
(r) whether the researcher's interest in the disclosure of the personal health information or the conduct of the research would potentially result in an actual or perceived conflict of interest on the part of the researcher.
62 (1) Where the custodian discloses personal health information to a researcher, the researcher shall enter into an agreement with the custodian to adhere to the requirements in subsection (2).
(2) An agreement referred to in subsection (1) must include the following commitments by the researcher:
(a) to comply with any terms and conditions imposed by a research ethics board;
(b) to comply with any terms and conditions imposed by the custodian;
(c) to use the information only for the purposes outlined in the research plan as approved by a research ethics board;
(d) not to publish the information in a form where it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual;
(e) to allow the custodian to access or inspect the researcher's premises to confirm that the researcher is complying with the terms and conditions of this Act and of the agreement between the custodian and the researcher;
(f) to notify the custodian immediately and in writing if the personal health information is stolen, lost or subject to unauthorized access, use, disclosure, copying or modification;
(g) to notify the custodian immediately and in writing of any known or suspected breach of the agreement between the custodian and the researcher; and
(h) not to attempt to identify or contact the individuals unless the custodian or researcher has obtained prior consent by the individuals.
63 A custodian shall protect the confidentiality of personal health information that is in its custody or under its control and the privacy of the individual who is the subject of that information.
64 A custodian shall implement, maintain, and comply with information practices that meet the requirements of this Act and the regulations and ensure that personal health information in the custodian's custody or under its control is protected against
(a) theft or loss of the information; and
(b) unauthorized access to or use, disclosure, copying or modification of the information.
65 A custodian shall restrict access to an individual's personal health information by an agent or by a health professional who has the right to treat persons at a health care facility operated by the custodian to only that information that the agent or health professional requires to carry out their duties and responsibilities.
66 (1) A custodian shall create and maintain, or have created and maintained, a record of user activity for any electronic information system it uses to maintain personal health information.
(2) A record of user activity may be generated manually or electronically.
(3) Subject to administrative requirements set out in the regulations, a record of user activity related to an individual's personal health information must be available to that individual upon request as soon as possible but no later than thirty days after the custodian has received the request from the individual.
67 (1) A custodian who believes on reasonable grounds that a request for a record of user activity is
(a) frivolous or vexatious; or
(b) part of a pattern of conduct that amounts to an abuse of the right of a request for a record of user activity,
may refuse to grant the request.
(2) When a refusal is made under subsection (1), the custodian shall provide the individual with a notice that sets out the reasons for the refusal and states that the individual is entitled to make a complaint to the custodian or the Privacy Review Officer about the refusal.
68 A custodian who maintains personal health information in electronic form shall implement any additional safeguards for such information required by the regulations.
69 When disclosing personal health information, a custodian may make the disclosure subject to any restrictions or conditions that the disclosing custodian considers advisable to protect the information.
70 (1) A custodian shall designate one or more individuals as a contact person.
(2) The contact person is authorized on behalf of the custodian to
(a) facilitate the custodian's compliance with this Act;
(b) ensure that all agents of the custodian are appropriately informed of their duties under the Act;
(c) respond to inquiries about the custodian's information practices;
(d) respond to requests for access to and correction of records;
(e) receive and process complaints;
(f) facilitate the communications to and the training of the custodian's staff about the custodian's policies and procedures and about this Act; and
(g) develop information to explain the organization's policies and procedures.
(3) A custodian who is a natural person and who does not designate a contact person under subsection (1), shall perform the functions described in subsection (2).
71 A custodian shall, in a manner that is practical in the circumstances, make available to the public a written statement that
(a) provides a general description of the custodian's information practices;
(ii) the custodian, if the custodian does not have that contact person;
(d) describes how to make a complaint under this Act to the custodian and to the Privacy Review Officer.
72 (1) Subject to the exceptions and additional requirements, if any, that are prescribed in the regulations, a custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the custodian believes on a reasonable basis that
(a) the information is stolen, lost or subject to unauthorized access, use, disclosure, copying or modification; and
(b) as a result, there is potential for harm or embarrassment to the individual.
(2) Prior to notification under subsection (1), a custodian may request authorization from the Privacy Review Officer to provide notification to the individual
(a) at a time other than the first reasonable opportunity; or
(b) in a manner other than direct contact with the individual.
73 (1) Where a custodian determines on a reasonable basis that personal health information has been stolen, lost or subject to unauthorized access, use, disclosure, copying or modification, but
(a) it is unlikely that a breach of the personal health information has occurred; or
(b) there is no potential for harm or embarrassment to the individual as a result,
the custodian may decide that notification to the individual pursuant to subsection 72(1) is not required.
(2) Where a custodian makes the decision not to notify an individual pursuant to this Section, the custodian shall notify the Privacy Review Officer as soon as possible.
74 An individual has a right of access to a record of personal health information about the individual that is in the custody or under the control of a custodian.
75 (1) Notwithstanding Section 74, a custodian may refuse to grant access to an individual's personal health information about that individual if it is reasonable to believe that
(a) the record or the information in the record is subject to a legal privilege that restricts disclosure of the record or the information, as the case may be, to the individual;
(b) another Act of the Province or of the Parliament of Canada or a court order prohibits disclosure to the individual of the record or the information in the record in the circumstances;
(c) the information in the record was collected or created primarily in anticipation of or use in a proceeding, and the proceeding, together with all appeals or processes resulting from it, have not been concluded;
(d) the following conditions are met:
(ii) the inspection, investigation or similar procedure, together with all proceedings, appeals or processes resulting from them, have not been concluded;
(f) granting the access could reasonably be expected to result in a risk of serious harm to the mental or physical health of another individual; or
(g) granting the access could reasonably be expected to lead to the identification of a person who provided information in the record to the custodian in circumstances in which confidentiality was reasonably expected.
(2) Notwithstanding subsection (1), an individual has a right of access to that part of a record of personal health information about the individual that can reasonably be severed from the part of the record to which the individual does not have a right of access as a result of clauses (1) (a) to (g).
(3) Notwithstanding subsection (2), where a record is not a record dedicated primarily to personal health information about the individual requesting access, the individual has a right of access only to the portion of personal health information about the individual in the record that can reasonably be severed from the record for the purpose of providing access.
76 Before deciding to refuse to grant an individual access to a record of personal health information under clause 75(1)(e) or (f), a custodian may consult with a health professional who has been involved in the individual's care or another appropriate health professional.
77 Sections 74 and 75 do not apply to a record in the custody or under the control of a custodian acting as an agent of a public body within the meaning of the Freedom of Information and Protection of Privacy Act that is not a custodian, if the individual has the right to request access to the record under this Act.
78 A person may ask to examine the record or ask for a copy of the record, or both, pursuant to Section 74 by
(a) making a request in writing to the custodian that has the custody or control of the record;
(b) specifying the subject-matter of the record requested with sufficient particulars to enable the custodian to identify and locate the record; and
79 Where the request does not contain sufficient detail to enable the custodian to identify and locate the record with reasonable efforts, the custodian shall offer assistance to the person requesting access in reformulating the request to comply with Section 78.
80 A custodian may waive the requirement to make the request in writing if the individual making the request
(a) has a limited ability to read or write English; or
(b) has a disability or condition that impairs the individual's ability to make a request in writing.
81 An individual does not have to provide the reasons or purposes for which they are requesting the information.
82 A custodian shall not make a record of personal health information or a part of it available to an individual or provide a copy of it to an individual without first taking reasonable steps to be satisfied as to the individual's identity and the authority to access the information.
83 (1) Nothing in this Act prevents a custodian from
(a) granting an individual access to a record of personal health information, to which the individual has a right of access, if the individual makes an oral request for access or does not make any request for access under Section 78; or
(b) with respect to a record of personal health information to which an individual has a right of access, communicating with the individual or his or her substitute decision-maker who is authorized to consent on behalf of the individual to the collection, use or disclosure of personal health information about the individual.
(2) Nothing in this Act relieves a custodian from a legal duty to provide, in a manner that is not inconsistent with this Act, personal health information as expeditiously as is necessary for the provision of health care to the individual.
(3) A custodian has the discretion to determine whether to grant informal access.
84 (1) A custodian who believes on reasonable grounds that a request for access
(a) is frivolous or vexatious; or
(b) is part of a pattern of conduct that amounts to an abuse of the right of access,
may refuse to grant the request.
(2) When a refusal is made under subsection (1), the custodian shall provide the individual with a notice that sets out the reasons for the refusal and that states that the individual is entitled to make a complaint about the refusal to the Privacy Review Officer.
85 (1) A custodian that makes a record of personal health information or a part of it available to an individual or provides a copy of it to an individual may charge the individual a fee for that purpose if the custodian first gives the individual an estimate of the fee.
(2) The amount of the fee shall not exceed the prescribed amount or the amount of reasonable cost recovery, if no amount is prescribed.
(3) A custodian has the discretion to determine whether to grant a fee waiver and may waive the payment of all or any part of the fee that an individual is required to pay under that subsection if, in the custodian's opinion, the individual cannot afford the payment or for any other reason it is fair to excuse payment.
86 Notwithstanding Section 85, no fee shall be charged to an individual accessing their own personal health information under this Act from the Department or the Department of Health Promotion and Protection.
87 (1) A custodian who receives a request from an individual for access to or correction of a record of personal health information shall, as soon as possible in the circumstances but no later than thirty days after receiving the request, by written notice to the individual, grant or refuse the individual's request or extend the deadline for replying for a period of not more than thirty days if
(a) replying to the request within thirty days would unreasonably interfere with the activities of the custodian; or
(b) the time required to undertake the consultations necessary to reply to the request within thirty days would make it not reasonably practical to reply within that time.
(2) A custodian that extends the time limit under subsection (1) shall
(a) give the individual written notice of the extension setting out the length of the extension and the reason for the extension; and
(b) grant or refuse the individual's request as soon as possible in the circumstances but no later than the expiry of the time limit as extended.
88 (1) Where a custodian has granted an individual access to a record of the individual's personal health information and the individual believes that the record is not accurate, complete or up-to-date, the individual may request in writing that the custodian correct the record.
(2) Where the individual makes an oral request that the custodian correct the record, nothing in this Act prevents the custodian from making the requested correction.
89 A custodian that does not grant a request for a correction under Section 87 within the time required is deemed to have refused the request.
90 (1) A custodian shall grant a request for a correction under Section 91 if the individual demonstrates, to the satisfaction of the custodian, that the record is not complete, accurate or up-to-date and gives the custodian the information necessary to enable the custodian to correct the record.
(2) Notwithstanding subsection (1), a custodian is not required to correct a record of personal health information if
(a) it consists of a record that was not originally created by the custodian and the custodian does not have sufficient knowledge, expertise and authority to correct the record; or
(b) it consists of a professional opinion or observation that a custodian has made in good faith about the individual.
91 Upon granting a request for a correction, the custodian shall
(a) make the requested correction by
(B) where that is not possible, labelling the information as incorrect, severing the incorrect information from the record, storing it separately from the record and maintaining a link in the record that identifies that a correction has been made and enables a person to trace the incorrect information, or
(c) at the request of the individual, give written notice of the requested correction, to the extent reasonably possible, to the persons to whom the custodian has disclosed the information, except if the correction cannot reasonably be expected to have an effect on the ongoing provision of health care or other benefits to the individual.
92 A custodian that believes on reasonable grounds that a request for a correction
(a) is frivolous or vexatious; or
(b) is part of a pattern of conduct that amounts to an abuse of the right of correction,
may refuse to grant the request.
93 A notice of refusal under subsection 75(1) or Section 92 must give the reasons for the refusal and inform the individual that the individual is entitled to
(a) prepare a concise statement of disagreement that sets out the correction that the custodian has refused to make;
(b) require that the custodian attach the statement of disagreement as part of the records that it holds of the individual's personal health information;
(c) disclose the statement of disagreement whenever the custodian discloses information to which the statement relates;
(d) require that the custodian make all reasonable efforts to disclose the statement of disagreement to any person who would have been notified under clause 91(c), if the custodian had granted the requested correction; and
(e) make a complaint about the refusal to the Privacy Review Officer.
94 An individual who believes that a custodian has contravened this Act or the regulations may ask the Privacy Review Officer to conduct a review.
95 (1) Under this Act, the Privacy Review Officer may
(a) monitor how the privacy provisions of this Act are administered and conduct reviews of privacy complaints arising from the privacy provisions;
(b) initiate an investigation of privacy compliance if there are reasonable grounds to believe that a custodian has contravened or is about to contravene the privacy provisions and the subject-matter of the review relates to the contravention;
(c) make recommendations on and mediate privacy complaints;
(d) undertake research matters concerning this Act;
(e) inform the public about this Act; and
(f) on the request of a custodian, provide advice and comments on privacy.
(2) The Privacy Review Officer may only exercise the powers under clauses (1)(a) and (c) after the person who has made the complaint has completed the internal privacy-complaint procedure of the custodian to which the complaint was made.
96 As part of the duties under subsection 4(3) of the Privacy Review Officer Act, the Privacy Review Officer shall
(a) prepare annually a separate estimate of the sums required to be provided by the Legislature for the carrying out of this Act during the fiscal year; and
(b) issue, as part of the annual report, information on the exercise of the functions of the Privacy Review Officer under this Act.
97 (1) To ask for a review pursuant to Section 94, an individual shall file a written request with the Privacy Review Officer within
(a) sixty days after the person asking for the review is notified of the decision of the custodian;
(b) sixty days after the date of the custodian's act or failure to act; or
(c) a longer period allowed by the Privacy Review Officer.
(2) The failure of a custodian to respond in time to a request for access to a record or the correction of a record is to be treated as a decision to refuse access to the record or to correct the record, but the time limit in clause (1)(a) for filing a request for review does not apply.
(3) On receiving a request for a review, the Privacy Review Officer shall forthwith give a copy to
(a) the custodian concerned; and
(b) any other person that the Privacy Review Officer considers appropriate.
98 The Privacy Review Officer may decide not to review the subject-matter of the review for whatever reason the Privacy Review Officer reasonably considers appropriate, including if satisfied that
(a) the custodian has responded adequately to the concerns;
(b) the concerns have been or could be more appropriately dealt with, initially or completely, by means of a procedure, other than a request for a review under this Act;
(c) the length of time that has elapsed between the date when the subject-matter of the review arose and the date the review was requested is such that a review under this Section would likely result in undue prejudice to any person;
(d) the person requesting a review does not have a sufficient personal interest in the subject-matter of the review; or
(e) the request for a review is frivolous or vexatious or is part of a pattern of conduct that amounts to an abuse of the right of review.
99 The Privacy Review Officer may try to settle a matter under review through mediation.
100 Where the Privacy Review Officer is unable to settle a matter within thirty days through mediation, the Privacy Review Officer shall conduct a review.
101 The Privacy Review Officer may conduct a review in private.
102 The following persons are entitled to make representations to the Privacy Review Officer in the course of a review:
(a) the person who applies for the review;
(b) the custodian whose decision or action is the subject of the review; and
(c) any other person the Privacy Review Officer considers appropriate.
103 (1) Where, pursuant to clause 102(c), the Privacy Review Officer considers that a person is an appropriate person to make representations in the course of a review of a decision of a custodian, then, notwithstanding anything contained in this Act, that person
(ii) request a review of the decision of the custodian pursuant to subsection 107(1), and
(iii) written notice of an appeal under subsection 107(2); and
(2) The Privacy Review Officer may decide
(a) whether the representations are to be made orally or in writing; and
(b) whether a person is entitled to be present during a review or to have access to or comment on representations made to the Privacy Review Officer by any other person.
104 (1) Notwithstanding any other Act or any privilege that is available at law, the Privacy Review Officer may, in a review,
(a) require to be produced and examine any record relevant to the matter that is in the custody or under the control of the custodian; and
(b) enter and inspect any premises occupied by the custodian.
(2) A custodian shall comply with a requirement imposed by the Privacy Review Officer pursuant to clause (1)(a) within such time as is prescribed.
(3) Where a custodian does not comply with a requirement imposed by the Privacy Review Officer pursuant to clause (1)(a) within the time limited for so doing in subsection (2), a judge of the Supreme Court of Nova Scotia may, on the application of the Privacy Review Officer, order the custodian to do so.
(4) In an application made pursuant to subsection (3), a judge may give such directions as the judge thinks fit, including ordering which persons are parties to the application, which persons shall be given notice of the application and the manner in which such notice must be given.
(5) An order made pursuant to subsection (3) may contain such provisions and such terms and conditions as the judge thinks fit.
105 (1) On completing a review, the Privacy Review Officer shall
(a) prepare a written report setting out the Privacy Review Officer's recommendations with respect to the matter and the reasons for those recommendations; and
(b) send a copy of the report to the custodian and
(ii) where the matter was initiated by the Privacy Review Officer pursuant to clause 95(1)(b), to the individual whose information was the subject of the review.
(3) In the report, the Privacy Review Officer may make any recommendations with respect to the matter under review that the Privacy Review Officer considers appropriate.
106 (1) Within thirty days after receiving a report of the Privacy Review Officer pursuant to subsection 105(1), the custodian shall
(a) make a decision to follow or not to follow, in whole or in part, the recommendation of the Privacy Review Officer; and
(b) give written notice of the decision in clause (a) to the Privacy Review Officer and the individuals who were sent a copy of the Privacy Review Officer's report or received notice pursuant to subsection 105(2).
(2) Where the custodian makes a decision not to follow the recommendation of the Privacy Review Officer, the custodian shall, in writing, inform the persons who were sent a copy of the report of the right to appeal the decision to the Supreme Court of Nova Scotia within thirty days of making the decision pursuant to clause (1)(a).
(3) Where the custodian does not give notice within the time required by subsection (1), the custodian is deemed to have refused to follow the recommendation of the Privacy Review Officer.
107 (1) Within thirty days after receiving a decision of the custodian pursuant to Section 106, an applicant may appeal that decision to the Supreme Court of Nova Scotia in such form and manner as may be prescribed by the Civil Procedure Rules or by the regulations.
(2) An appeal is deemed not to have been taken pursuant to this Section unless a notice of appeal is given to the custodian by the person taking the appeal.
(3) Where a notice of appeal is given pursuant to subsection (2), the custodian may become a party to the appeal by filing with the prothonotary of the Supreme Court of Nova Scotia a notice stating that the custodian is a party to the appeal.
(4) The Privacy Review Officer is not a party to an appeal.
108 (1) On an appeal, the Supreme Court of Nova Scotia may
(a) determine the matter de novo; and
(b) examine any record in camera in order to determine on the merits whether the information in the record may be withheld pursuant to this Act.
(2) Notwithstanding any other Act or any privilege that is available at law, the Supreme Court of Nova Scotia may, on an appeal, examine any record in the custody or under the control of a custodian, and no information may be withheld from the Supreme Court on any grounds.
(3) The Supreme Court of Nova Scotia shall take every reasonable precaution, including, where appropriate, receiving representations ex parte and conducting hearings in camera.
(4) The Supreme Court of Nova Scotia may disclose to the Minister or the Attorney General of Canada information that may relate to the commission of an offence pursuant to another enactment by an officer or employee of a custodian.
(5) Where the Supreme Court of Nova Scotia determines that the custodian has contravened this Act, it shall
(a) order the custodian to give the applicant access to the record or part of it, subject to any conditions that the Supreme Court considers appropriate; or
(b) make any other order that the Supreme Court considers appropriate.
109 No one shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage a person by reason that
(a) the person, acting in good faith and on the basis of reasonable belief, has disclosed to the Privacy Review Officer that any other person has contravened or is about to contravene this Act or the regulations;
(b) the person, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order to avoid having any person contravene this Act or the regulations;
(c) the person, acting in good faith and on the basis of reasonable belief, has refused to do or stated an intention of refusing to do anything that is in contravention of this Act or the regulations; or
(d) any person believes that the person will do anything described in clause (a), (b) or (c).
110 (1) No action or other proceeding for damages may be instituted against a custodian or any other person for
(a) anything done, reported or said, both in good faith and reasonably in the circumstances, in the exercise or intended exercise of any of their powers or duties under this Act; or
(b) any alleged neglect or default that was reasonable in the circumstances in the exercise in good faith of any of their powers or duties under this Act.
(2) Notwithstanding subsections 5(2) and (4) of the Proceedings Against the Crown Act, subsection (1) does not relieve the Crown of liability in respect of a tort committed by a person mentioned in subsection (1) to which it would otherwise be subject.
(3) A person who, on behalf of or in the place of an individual, gives or refuses consent to a collection, use or disclosure of personal health information about the individual, makes a request or gives an instruction is not liable for damages for doing so if the person acts reasonably in the circumstances, in good faith and in accordance with this Act and the regulations.
(4) Unless it is not reasonable to do so in the circumstances, a person is entitled to rely on the accuracy of an assertion made by another person, in connection with a collection, use or disclosure of, or access to, the information under this Act, to the effect that the other person is
(a) authorized to request access to a record of personal health information under Section 74; or
(b) entitled under Section 22 to consent to the collection, use or disclosure of personal health information about another individual.
111 A person is guilty of an offence if the person
(a) wilfully collects, uses or discloses health information in contravention of this Act or the regulations;
(b) wilfully gains or attempts to gain access to health information in contravention of this Act or the regulations;
(c) wilfully obtains or attempts to obtain another individual's personal health information by falsely representing that the person is entitled to the information;
(d) fails to protect personal health information in a secure manner as required by this Act;
(e) in connection with the collection, use or disclosure of personal health information or access to a record of personal health information, makes an assertion, knowing that it is untrue, to the effect that the person is a person who is entitled to consent on behalf of another individual;
(f) wilfully disposes of a record of personal health information in contravention of the requirements for protection of personal health information required in this Act or the regulations;
(g) requires production of or collects or uses another person's health card number in contravention of this Act or the regulations;
(h) wilfully alters, falsifies, conceals, destroys or erases any record, or directs another person to do so, with the intent to evade a request for access to the record;
(i) wilfully obstructs, makes a false statement to, or misleads or attempts to mislead the Privacy Review Officer or another person in the performance of the duties, powers or functions of the Privacy Review Officer under this Act;
(j) wilfully obstructs, makes a false statement to, or misleads or attempts to mislead another individual or organization in the performance of the duties, powers or functions of that individual or organization under this Act;
(k) uses individually identifying health information to market any service for a commercial purpose or to solicit money unless the individual who is the subject of the health information has expressly consented to its use for that purpose;
(l) discloses personal health information contrary to this Act with the intent to obtain a monetary or other material benefit or to confer such a benefit on another person; or
(m) breaches the terms and conditions of an agreement entered into with a custodian under this Act.
112 A person who is guilty of an offence under this Act or the regulations is liable on summary conviction
(a) in the case of an individual, to a fine of not more than ten thousand dollars, or imprisonment for six months, or both; and
(b) in the case of a corporation, to a fine of not more than fifty thousand dollars.
113 Where a corporation commits an offence under this Act, every officer, member, employee or other agent of the corporation who authorized the offence, or who had the authority to prevent the offence from being committed but knowingly refrained from doing so, is a party to and guilty of the offence and is liable on conviction to the penalty for the offence, whether or not the corporation has been prosecuted or convicted.
114 Within three years after the coming into force of this Act, the Minister shall
(a) undertake a comprehensive review of the operation of this Act that involves public input; and
(b) within one year after the review is undertaken or within such further time as the House of Assembly may allow, submit a report on the review to the Assembly.
115 (1) The Governor in Council may make regulations
(a) designating a program or service as a health-care service;
(b) designating an individual or organization or a class of individuals or organizations as a custodian;
(c) exempting an individual or organization or a class of individuals or organizations from the application of this Act;
(d) prescribing an individual or organization or a class of individuals or organizations for the purpose of clause 5(1)(e);
(e) prescribing a professional body for the purpose of clause 40(1)(c);
(f) prescribing a prescribed entity for the purpose of clause 40(1)(j);
(g) defining the administrative requirements pursuant to subsection 66(3);
(h) respecting required information practices;
(i) defining safeguards for holding personal health information in an electronic form;
(j) specifying requirements, restrictions or prohibitions with respect to the collection, use or disclosure of any class of personal health information by any person in addition to the requirements, restrictions or prohibitions set out in this Act;
(k) prescribing fees for access to personal health information;
(l) specifying any exceptions or requirements related to a notification of breach;
(m) authorizing an individual or organization or a class of individuals or organizations to collect or use an individual's health card number;
(n) specifying a time limit to comply with a requirement imposed by the Privacy Review Officer pursuant to subsection 104(2);
(o) prescribing Acts or regulations for the purpose of subsection 6(3);
(p) prescribing exceptions or additional requirements for the purpose of subsection 47(2);
(q) defining a word or expression used but not defined in this Act;
(r) further defining a word or expression defined in this Act;
(s) respecting any matter or thing the Governor in Council considers necessary or advisable to carry out effectively the intent and purpose of this Act.
(2) The exercise by the Governor in Council of the authority contained in subsection (1) is regulations within the meaning of the Regulations Act.
116 Clause 4A(2)(g) of Chapter 5 of the Acts of 1993, the Freedom of Information and Protection of Privacy Act, is repealed.
117 Subsection 16(1) of Chapter 4 of the Acts of 2004, the Health Protection Act, is repealed.
118 Subsections 71(1) to (2F) of Chapter 208 of the Revised Statutes, 1989, the Hospitals Act, are repealed.
119 Subsection 82(1) of Chapter 42 of the Acts of 2005, the Involuntary Psychiatric Treatment Act, is amended by striking out "Section 71 of the Hospitals Act" in the first line and substituting "The Personal Health Information Act".
120 (1) Clause 464A(2)(f) of Chapter 18 of the Acts of 1998, the Municipal Government Act, is repealed and the following clause substituted:
(2) Subsection 464A(5) of Chapter 18 is repealed.
121 This Act comes into force on such day as the Governor in Council orders and declares by proclamation.