BILL 3: HOW TO RECONCILE HEALTHCARE AND DATA PROTECTION?

Vanessa Deschênes¹ et Victor Fahey²
ROBIC, LLP
¹ Lawyer and Practice leader, ² Articling student

On February 9, 2023, the National Assembly adopted the principle of Bill 3: An Act respecting health and social services information and amending various legislative provisions. The Bill, presented by the Minister of Cybersecurity and Digital Affairs Éric Caire, takes up the main lines of Bill 19[1] which died on the Order Paper during the last parliamentary session.

According to Minister Caire, the objective of the Bill is to modernize the protection of personal health information while ensuring the efficiency of Quebec’s healthcare system[2]. Considering the emergency measures taken during the Covid-19 pandemic to increase data portability by the Ministry of Health, Bill 3 wishes to perpetuate these measures, increase the quality of healthcare data available to organisations and ultimately improve the quality of care offered to patients in the network.

At the beginning of the detailed study in parliamentary committee, this article summarizes what health and social services information (“HSSI“) is according to the Bill, to which actors in the healthcare network this Bill applies and offers a preview of the work in committee in light of the debate in principle and the public consultations on the Bill.

What is an HSSI?

First, Bill 3 defines HSSIs as follows:

“[An HSSI includes] any information that identifies a person, even indirectly, and that meets any of the following characteristics:

1. it relates to that person’s physical or mental health condition and its determinants, including the person’s medical or family history ;

2. it involves any material taken from that person in the course of an assessment or treatment, including biological material, and any implant or any orthotic, prosthetic or other aid that replaces a disability of that person;

3. it relates to the health or social services provided to that person, including the nature of those services, the results of those services, the locations where those services were provided, and the identity of the persons or groups that provided those services;

4. it was obtained in the exercise of a function provided for in the Public Health Act (chapter S-2.2) ;

5. any other characteristic determined by regulation […].

In addition, information allowing the identification of a person, such as his name, date of birth, contact information or health insurance number, is an [HSSI] when it is attached to information referred to in the first paragraph or when it is collected for the purpose of registering, enrolling or admitting the person concerned in an organization in the health and social services sector.

[Notwithstanding the preceding paragraphs], information that relates to a staff member of health and human services agencies … is not an [HSSI] when collected for human resource management purposes.”

[Emphasis added]

Bill 3 therefore adopts a definition more in line with Act 25, unlike the definition proposed in Bill 19. Indeed, any information that directly or indirectly identifies a person, as defined in Bill 3, is akin to the criterion in Act 25 that applies to personal information of identified and identifiable persons.

This nuance in the definition of Bill 3 is important: in particular, it provides greater protection for HSSI processed using artificial intelligence algorithms in the healthcare network. Now, using artificial intelligence, it is possible to re-identify individuals using snippets of data or anonymized data. By applying to indirectly identifying information, Bill 3 further protects patients’ privacy.

The actors involved and their obligations

Stakeholders in Bill 3: Health and Social Services Organizations (HSSOs)

Bill 3 applies to any Health and Social Services Organization (“HSSO”). Section 4 defines an HSSO as including the following:

1. “The Ministry of Health and Human Services;
2. A person or group listed in Schedule I or Schedule II [e.g. the RAMQ, the INSPQ, private professional clinics, seniors’ residences, laboratories, etc.]. […]
3. A person or group not already covered by this section that enters into an agreement with health and human services agencies described in subsection (2) … to provide health or human services on behalf of that agency;
4. Any other person or grouping determined by regulation […]”

However, it should be noted in passing that a person or group referred in point 3 above is considered an HSSO only regarding activities related to the provision of health or social services on behalf of that organization.

In practice, this broad definition of an HSSO means that Bill 3 applies to almost the entire public and private sector of the Quebec healthcare network. Thus, all players in the network will have to comply with the Bill, including telemedicine firms as well as large university hospitals, such as the CHUM or the MUHC.

HSSOs’ Obligations:

Bill 3, like Bill 19 before it, assigns responsibilities to each HSSO for protecting HSSI. At the outset, the Bill requires every HSSO to maintain the confidentiality of HSSI and to disclose it only in circumstances prescribed by law[3] . In addition, each HSSO may only collect the HSSI necessary to carry out its functions, activities or program[4] .

Before collecting any HSSI, the agency shall in clear and simple terms inform the individual of :

“(1) the name of the agency collecting the information or for whom it is collected;

(2) the purposes for which the information is collected;

(3) the means by which the information is collected;

(4) the right to access and correct the information;

(5) the possibility of restricting or refusing access to the information pursuant to section 7 or 8 and the manner in which the person may express his or her wishes to that effect;

(6) the length of time the information is retained;”

The fifth item in this list is an addition to Bill 3 and refers to a central theme of the Bill, consent. According to the Bill, any individual may refuse to have their HSSI transferred, disclosed or otherwise made available, including by their spouse or by a researcher for research purposes[5] . By requiring HSSOs to inform healthcare network users of this right to refuse, Bill 3 enhances the control that these users have over their information and data.

Upcoming work in committee:

Use of HSSI for non-consensual research purposes:

In its last version, much was written about Bill 19 as it allowed researchers to access HSSI without the consent of the individuals concerned, despite a rigorous process described in the Bill to govern such access. In the latest version of the Bill, this possibility still exists[6] and Minister Caire’s intent is to keep it within the Bill[7] . However, in Bill 3, its regulatory process is more clearly laid out:  

1. A user’s right to opt-out of disclosure, if exercised, entirely prevents use for research purposes without consent[8] .
2. The researcher must write a report detailing their activities and complete a privacy impact assessment[9]
3. This report must be approved by the appropriate HSSO.

Through this process, the Minister wishes to reconcile the protection of HSSI with ensuring an innovative health system[10] .

Data portability: the watchword for parliamentary committee work?

Prior to the Committee on Public Finances’ study of the Bill, several actors in the healthcare network participated in the public consultations on the Bill. During these consultations, the Minister reiterated that data portability, i.e. the ease with which data can be shared between different actors in the network, was an important issue for his Bill.

To this end, on January 31, 2023, the Minister mentioned that he was considering amendments to sections 65, 72 and 82 of Bill 3 to increase the degree of data mobility in the healthcare network[11] . These sections allow HSSOs to communicate HSSI to others only in situations provided by law[12], and under strict conditions[13]. In practice, an amendment to any or all of these sections would make it easier for HSSOs to disclose HSSI while protecting it. It remains to be seen whether this openness will translate into a concrete amendment process in committee.

Conclusion:

In conclusion, Bill 3 follows the broad lines of Bill 19, but clarifies several points, such as the definition of an HSSI, the responsibilities of organizations, the use of HSSIs for research purposes, and the importance of data portability within the healthcare system. As the parliamentary committee begins its detailed study of the Bill, it will be interesting to see how Bill 3 will reconcile the efficiency of the healthcare network with data protection and privacy.

If you have any questions about Bill 3 and its impact on your organization, don’t hesitate to consult our specialized professionals in our Data Protection, Privacy and Cybersecurity sector!

---

[1] See our previous article on Bill 19: “Bill 19: A Small Revolution in Medical Data,” available here.

[2] Address by Minister Caire on the principle, 11:30 a.m.

[3] Bill 3, s. 5

[4] Bill 3, s. 13

[5] Bill 3, s. 7 and 8.

[6] Bill 3, s. 39-40

[7] Debate on the adoption of the principle, 11 a.m.

[8] Bill 3, s. 39.

[9] Bill 3, s. 40.

[10] Public consultations January 31, 2023, 11:30 a.m.

[11] Public consultations, January 31, 2023, 10:00 a.m.

[12] Bill 3, s. 65

[13] Bill 3, s. 72, 82