This is an official version.
Copyright © 2007: Queen's Printer,
for Health Information Regulations
Under the authority of section 16 of the Centre for Health Information Act, the Lieutenant-Governor in Council makes the following regulations.
Robert C. Thompson
1. Short title
2. Code adopted
3. Policies and procedures
5. Persons bound
7. Privacy impact statement
8. Terms and conditions
9. Disclosure of identifiable personal information
10. Other release of personal information
1. These regulations may be cited as the Centre for Health Information Regulations.
2. The centre shall adopt the Canadian Standards Model Code for the Protection of Personal Information (CAN/CSA Z830-96), including all revisions and amendments to that Code.
Policies and procedures
3. (1) In addition to the requirements of the Code adopted under section 2, the centre shall establish and implement policies and procedures to facilitate the implementation of and ensure compliance with the Centre for Health Information Act, these regulations and the Code, which shall include policies and procedures to
(a) restrict access to personal information by the centre's employees to personal information that the employee needs to know to carry out the purpose for which the personal information was collected or authorized;
(b) protect the confidentiality of personal information that is to be disclosed by the centre to a person in a jurisdiction outside the province, which shall include a written agreement respecting the disclosure of that information;
(c) provide for the proper disposal of records to minimize the risk of unauthorized access to personal information; and
(d) deal with the particular issues associated with the storage of personal information according to the form in which it is kept.
(2) The centre shall, in establishing policies and procedures under this section, consider the degree of sensitivity of the personal information to be protected.
4. (1) The centre shall provide those reasonable administrative, technical and physical safeguards which it considers necessary to protect the privacy, confidentiality and security of personal information which is collected, used, disclosed, stored or disposed of by the centre.
(2) Safeguards referred to in this section shall include
(a) technological systems reasonably considered appropriate to protect the privacy, confidentiality and security of personal information;
(b) reasonable security arrangements to protect personal information against such risks as unauthorized access, collection, use, disclosure or disposal;
(c) the designation of a person in the centre who shall be responsible for
(i) overseeing the privacy, security, and confidentiality of personal information, and
(ii) responding to inquiries and receiving complaints from the public;
(d) publishing on the centre's website the internal privacy procedures of the centre, which shall also be available to the public at the centre at reasonable times; and
(e) appropriate safeguards for the disposal of personal information, including shredding of physical documentation and the permanent deletion of electronic files.
5. (1) The centre shall ensure that all employees, agents, persons under contract to perform services for the centre and persons using personal information at the centre are aware of the duties imposed under the Centre for Health Information Act, these regulations and the Code adopted under section 2, and the policies and procedures established by the centre.
(2) The centre's employees, agents, persons under contract to perform services for the centre and persons using personal information at the centre shall comply with
(a) the Centre for Health Information Act, these regulations and the Code adopted under section 2; and
(b) the policies and procedures established by the centre.
6. The centre shall give notice of the collection, use or disclosure of personal information by publishing on its website and in its annual report an exhaustive list of all the databases used in its operations.
Privacy impact statement
7. (1) A privacy impact assessment shall be prepared on all health information systems where the disclosure and storage of personal information is involved, and a privacy impact statement shall be prepared further to the completion of the privacy impact assessment on a case by case basis.
(2) A privacy impact statement prepared under subsection (1) shall be available to the public upon request at reasonable times.
Terms and conditions
8. The terms and conditions for release of personal information under the Acts referred to in paragraph 16(d) of the Centre for Health Information Act shall be specified under agreements concerning the release of the personal information between the centre and the appropriate body acting under that particular Act.
Disclosure of identifiable personal information
9. The centre may disclose identifiable personal information for a research purpose, including statistical research, only where
(a) the research has been approved by a local not-for-profit research ethics board;
(b) the research purpose cannot reasonably be accomplished unless that personal information is provided in individually identifiable form;
(c) any record linkage is not harmful to the individuals that personal information is about and the benefits to be derived from the record linkage are clearly in the public interest;
(d) the centre and the person to whom the information is being disclosed have signed a written agreement with specific conditions relating to the following:
(i) security and confidentiality of personal information,
(ii) the removal or destruction of individual identifiers at the earliest reasonable time,
(iii) the prohibition of any subsequent use or disclosure of that personal information in individually identifiable form without the express written authorization of the centre, and
(iv) an agreement to comply with the approved conditions, the Centre for Health Information Act, these regulations and the centre's policies and procedures.
Other release of personal information
10. The centre may disclose personal information to a health information network established by the government of the province or another body in which personal information is recorded for the purpose of facilitating
(a) the delivery, evaluation or monitoring of a program that relates to the provision of health care or payment for health care, or
(b) review and planning that relates to the provision of health care or payment for health care.
11. The minister shall, within 3 years of the coming into force of these regulations, review them to assess whether there is a continued need for the regulations, in whole or in part.
©Earl G. Tucker, Queen's Printer