



Personal Health Information Privacy and Access Act



PART 1
INTERPRETATION, PURPOSES AND APPLICATION

Definitions
1 The following definitions apply in this Act.

“agent”, in relation to a custodian, means an individual or organization that acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian and not for the agent’s own purposes, whether or not employed by the custodian or being remunerated. (mandataire)

“Commissioner” means the Access to Information and Privacy Commissioner appointed under the Right to Information and Protection of Privacy Act or any person performing the duties and exercising the powers of the Access to Information and Privacy Commissioner under that Act. (commissaire)

“common-law partner”, in relation to any person, means a person who, not being the spouse of that person, is residing with that person and who has cohabited continuously in a conjugal relationship with that person for at least 2 years. (conjoint de fait)

“custodian” means an individual or organization that collects, maintains or uses personal health information for the purpose of providing or assisting in the provision of health care or treatment or the planning and management of the health care system or delivering a government program or service and includes
(a) public bodies,
(b) health care providers,
(c) the Minister,
(d) the following organizations or agencies:
(i) Ambulance New Brunswick Inc.,
(ii) the New Brunswick Health Council,
(iii) FacilicorpNB Ltd.,
(iv) regional health authorities,
(v) the Workplace Health, Safety and Compensation Commission, and
(vi) the Canadian Blood Services,
(e) information managers,
(f) researchers conducting a research project approved in accordance with this Act,
(g) health care facilities,
(h) a laboratory or a specimen collection centre,
(i) nursing homes and operators as those terms are defined in the Nursing Homes Act, and
(j) a person designated in the regulations as a custodian.

“data matching” means the creation of identifying information by combining identifying information or de-identified personal health information or other information from 2 or more electronic data bases or 2 or more electronic records. (appariement de données)

“de-identified”, when referring to personal health information, means personal health information from which all identifying information has been removed. (anonymisé)

“health care” means any observation, examination, assessment, care, service or procedure that is carried out or provided for a health-related purpose and
(a) to diagnose, treat or maintain an individual’s physical or mental condition,
(b) to prevent disease or injury or to promote health, or
(c) as part of rehabilitative or palliative care,
and includes
(d) the compounding of a drug, for the use of an individual, pursuant to a prescription,
(e) the dispensing or selling of a drug, a device, equipment or any other item to an individual, or for the use of an individual, pursuant to a prescription, and
(f) a health care service prescribed by regulation. (soins de santé)

“health care facility” means
(a) a hospital,
(b) a community health centre,
(c) a medical clinic,
(d) a pharmacy, and
(e) any other facility in which health care is provided and that is designated in the regulations. (établissement de soins de santé)

“health care provider” means a person who is registered or licensed to provide health care under an Act of the Legislature or who is a member of a class of persons designated as a health care provider in the regulations. (fournisseur de soins de santé)

“identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual. (renseignements identificatoires)

“information manager” means an individual or organization that on behalf of a custodian
(a) processes, stores, retrieves, archives or disposes of personal health information,
(b) de-identifies or otherwise transforms personal health information, or
(c) provides information management or information technology services. (gestionnaire de l’information)

“information practices”, in relation to a custodian, means the policy of the custodian governing actions in relation to personal health information, including
(a) when, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information, and
(b) the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information. (pratiques relatives aux renseignements)

“Minister” means the Minister of Health. (ministre)

“personal health information” means identifying information about an individual in oral or recorded form if the information
(a) relates to the individual’s physical or mental health, family history or health care history, including genetic information about the individual,
(b) is the individual’s registration information, including the Medicare number of the individual,
(c) relates to the provision of health care to the individual,
(d) relates to information about payments or eligibility for health care in respect of the individual, or eligibility for coverage for health care in respect of the individual,
(e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any body part or bodily substance,
(f) identifies the individual’s substitute decision-maker, or
(g) identifies an individual’s health care provider. (renseignements personnels sur la santé)

“pharmacy” means a shop, store or place of business holding a valid certificate of accreditation under the Pharmacy Act. (pharmacie)

“public body” means a public body as defined in the Right to Information and Protection of Privacy Act. (organisme public)

“record” means a record containing information in any form, including information that is oral, written, photographed, recorded or stored in any manner, on any storage medium or by graphic, electronic, mechanical or any other means, but does not include electronic software or any mechanism that produces records. (document)

“registration information” means information about an individual that is collected for the purpose of registering the individual for the provision of health care, and includes a health care number, hospital record number and any other identifier assigned to an individual. (renseignements d’inscription)

“research” means a systematic investigation designed to develop or establish principles, facts or general knowledge, or any combination of them, and includes the development, testing and evaluation of research. (recherche)

“spouse”, in relation to any person, means a person who is married to and residing with that person. (conjoint)

“substitute decision-maker”, in relation to an individual, means, unless the context requires otherwise, a person who is authorized under this Act to give, withhold or to withdraw consent on behalf and in the place of the individual with respect to the collection, use or disclosure of the individual’s personal health information. (mandataire spécial)

“use” means to handle or deal with information and includes reproducing the information, but does not include disclosing the information. (utiliser)

2009, c.53, s.1.

Purposes
2 The purposes of this Act are
(a) to provide individuals with a right to examine and receive a copy of their personal health information maintained by a custodian, subject to the limited and specific exceptions set out in this Act,
(b) to provide individuals with the right to request the correction of or amendment to their personal health information maintained by a custodian, subject to the limited and specific exceptions set out in this Act,
(c) to establish a set of rules for custodians regarding the collection, use, disclosure, retention and secure destruction of personal health information that protects the confidentiality of personal health information and the privacy of the individual to whom the personal health information relates,
(d) to facilitate the effective provision of care and planning and management of the health care system,
(e) to establish mechanisms to ensure the accountability of persons having custody or control of personal health information and to safeguard the security and integrity of the personal health information in their custody or control,
(f) to establish mechanisms to safeguard the security and integrity of personal health information by those persons having custody or control of that information,
(g) to provide for an independent review and resolution of complaints made in respect to personal health information, and
(h) to provide effective remedies for contraventions of this Act.

Application
3(1) This Act applies
(a) to personal health information that is collected, used or disclosed by a custodian or that is in the custody or control of a custodian, and
(b) to personal health information that was collected before the coming into force of this Act and that is prescribed by regulation.

3(2) Unless otherwise specifically provided in this Act, this Act does not apply to
(a) anonymous or statistical information that does not, either by itself or when combined with other information available to the holder of the information, permit individuals to be identified,
(b) an individual’s personal health information if
(i) one hundred years have passed since the record containing the information was created, or
(ii) fifty years have passed since the death of the individual,
(c) an individual or organization that collects, maintains or uses personal health information for purposes other than health care or treatment and the planning and management of the health care system, including
(i) employers,
(ii) insurance companies,
(iii) regulatory bodies of health care providers,
(iv) licensed or registered health care providers who do not provide health care, or
(v) any other individual or organization prescribed by regulation,
(d) a note made by or for, or a communication or draft decision of, a person who is acting in a judicial or quasi-judicial capacity,
(e) a constituency record of a Minister of the Crown, and
(f) information in a court record, a record of a judge, a judicial administration record or a record relating to support services provided to a judge or to a court official.

3(3) Unless otherwise specifically provided in this Act, this Act
(a) does not affect the law of evidence,
(b) does not restrict information that is otherwise available by law to a party to legal proceedings,
(c) does not affect any information that would disclose privileged communications,
(d) does not affect the power of a court or tribunal to compel a witness to testify or to compel the production of documents,
(e) does not interfere with the activities of a body with statutory responsibility for the discipline of health care providers,
(f) does not affect a court order that prohibits a person from making information public or from publishing information,
(g) is in addition to and does not replace existing procedures for access to records or information normally available to the public, and
(h) does not prohibit the transfer, storage or disposition of a record in accordance with another Act of the Legislature or the Parliament of Canada.

Conflict with another Act
4(1) Unless otherwise provided in the regulations, if a provision of this Act is in conflict with a provision of another Act of the Legislature, this Act prevails.

4(2) Unless otherwise provided in this Act or the regulations, this Act does not apply to a record created or information held by a person under or for the purpose of the provisions of the following Acts of the Legislature, notwithstanding that the information would otherwise be considered to be personal health information or the person would otherwise be considered to be a custodian within the meaning of this Act:
(a) the Family Services Act; and
(b) any Act of the Legislature or any provision of an Act of the Legislature prescribed by regulation.

4(3) For greater certainty, the provisions of the Mental Health Act prevail over this Act.

4(4) For the purpose of this section, a conflict shall not exist unless it is impossible to comply with both this Act and another Act of the Legislature.

2009, c.53, s.2.

Application of the Medical Consent of Minors Act
5 The Medical Consent of Minors Act applies for the purpose of providing the consent of the person to the collection, use or disclosure of personal health information or for the refusal or withdrawal of the person’s consent.

Right to Information and Protection of Privacy Act
6(1) The Right to Information and Protection of Privacy Act does not apply to personal health information in the custody or under the control of a custodian unless this Act specifies otherwise.

6(2) If a request is made under section 7 that contains information to which the Right to Information and Protection of Privacy Act applies, the part of the request that relates to that information is deemed to be a request under section 8 of the Right to Information and Protection of Privacy Act and that Act applies to that part of the request as if it had been made under section 8 of that Act.

6(3) If a request is made under section 15 to correct information to which the Right to Information and Protection of Privacy Act applies, the request is deemed to be a request under section 40 of the Right to Information and Protection of Privacy Act and that Act applies to the request as if it had been made under section 40 of that Act.

6(4) Subsection (2) or (3) does not apply if the custodian that receives the request is not a public body.

PART 2
ACCESS TO PERSONAL HEALTH INFORMATION

Division A
Right to examine or copy personal health information

Right to examine or copy personal health information
7(1) Subject to this Act, an individual has a right, on request, to examine or receive a copy of his or her personal health information maintained by a custodian.

7(2) A request made under this section shall
(a) be made to the custodian that the individual believes has custody and control of the personal health information, and
(b) contain sufficient detail to permit the custodian to identify and locate the record with reasonable efforts.

7(3) A custodian may require a request to be in writing.

Duty to assist an individual
8 If a request under section 7 does not contain sufficient detail to permit the custodian to identify and locate the record containing the personal health information with reasonable efforts, the custodian shall offer assistance to the person who made the request to reformulate the request to comply with that section.

Application of the Official Languages Act
9 A custodian to whom the Official Languages Act applies shall, if an individual’s record containing personal health information is not available in the individual’s official language of choice, accommodate the individual’s official language needs by
(a) providing the individual with access to a physician or other health care provider to assist the individual in interpreting his or her record, or
(b) translating or causing to be translated the relevant provisions of the individual’s record for the purpose of a unilingual physician treating the individual if the record is in an official language the physician cannot understand.

Custodian’s response
10(1) A custodian shall respond to a request made under section 7 as promptly as required in the circumstances, but no later than 30 days after receiving it, unless the time limit for responding is extended under subsection (6) or (7) or the request is transferred to another custodian under section 11.

10(2) The failure of a custodian to respond to a request within the 30-day period is to be treated as a decision to refuse to permit the personal health information to be examined or copied.

10(3) In responding to a request, a custodian shall do one of the following:
(a) make the personal health information available for examination and provide a copy, if requested, to the individual;
(b) inform the individual in writing if the information does not exist or cannot be found; or
(c) inform the individual in writing that the request is refused, in whole or in part, for a specified reason described in section 14, and advise the individual of the right to make a complaint about the refusal under Part 6.

10(4) A custodian shall, on request, provide assistance to an individual in reviewing the individual’s personal health information.

10(5) If a request is made for personal health information that a custodian maintains in electronic form, the custodian shall produce a record of the information for the individual in a form usable by the individual if it can be produced using the custodian’s normal computer hardware and software and technical expertise.

10(6) The custodian may extend the time for responding to a request for up to an additional 30 days if
(a) the individual making the request does not give enough detail to enable the custodian to identify a requested record,
(b) the individual making the request does not respond to a request for clarification by the custodian as soon as practicable,
(c) the relevant provisions of the individual’s record are being translated for a unilingual physician treating the individual if the record is in an official language the physician cannot understand,
(d) a large number of records is requested or must be searched or responding within the time period set out in subsection (1) would interfere unreasonably with the operations of the custodian,
(e) time is needed to notify and receive representations from a third party or to consult with another custodian before permitting the personal health information to be examined or copied, or
(f) the individual requests records that relate to a proceeding commenced by a Notice of Action or a Notice of Application.

10(7) In any case referred to in subsection (6), the custodian may, if approved by the Commissioner, extend the time limit for responding to a request for a period longer than 30 days.

10(8) If the time limit for responding to a request is extended under subsection (6) or (7), the custodian shall send a written notice to the applicant setting out
(a) the reason for the extension,
(b) when a response can be expected, and
(c) if the time limit is extended without the approval of the Commissioner, that the person may file a complaint with the Commissioner about the extension.

Transferring a request to another custodian
11(1) Within 10 days after receiving a request under section 7, a custodian may transfer a request to another custodian if
(a) the personal health information is maintained by the other custodian, or
(b) the other custodian was the first to collect the personal health information.

11(2) If a request under section 7 is transferred under this section,
(a) the custodian who transferred the request shall notify the individual making the request of the transfer in writing as soon as possible, and
(b) the custodian to which the request is transferred shall respond to the request within 30 days after receiving it, unless the time for responding to the request is extended under subsection 10(6).

Custodian shall take precautions about release
12 A custodian shall
(a) not permit personal health information to be examined or copied without being satisfied as to the identity of the individual making the request, and
(b) take reasonable steps to ensure that any personal health information intended for an individual is received only by that individual.

Fees
13(1) A custodian shall permit an individual to examine a record free of charge and may, in accordance with the regulations, require an individual to pay to the custodian a fair and reasonable fee for search, preparation, copying and delivery services.

13(2) The custodian may, in accordance with the regulations, if any, waive the payment of all or part of a fee.

13(3) The search, preparation, copying and delivery fees referred to in subsection (1) must not exceed the greater of the following:
(a) the amount provided for in the regulations; and
(b) the actual costs of the services provided.

Reasons for refusing request
14(1) A custodian is not required to permit an individual to examine or copy his or her personal health information under this Part
(a) if knowledge of the information could reasonably be expected to endanger the health or safety of the individual or another person,
(b) if disclosure of the information would reveal personal health information about another person who has not consented to the disclosure,
(c) if disclosure of the information could reasonably be expected to identify a third party, other than another custodian, who supplied the information in confidence under circumstances in which confidentiality was reasonably expected,
(d) if the information was compiled and is used solely
(i) for the purpose of review by a committee established to study or evaluate the health care practices of a health care facility,
(ii) for the purpose of a body with statutory responsibility for the discipline of health care providers or to regulate the quality or standards of professional services provided by health care providers, or
(iii) for the purposes of risk management, error management or for the purpose of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services of the custodian,
(e) if the information was compiled principally in anticipation of, or for use in, a civil, criminal or quasi-judicial proceeding to which the custodian is or may be a party or is protected by privilege,
(f) if the information is protected by privilege,
(g) if another Act of the Legislature or the Parliament of Canada or a court order prohibits disclosure of the personal health information to the individual,
(h) if the personal health information was collected for purposes of an investigation conducted pursuant to an Act of the Legislature, or
(i) for any reason prescribed by regulation.

14(2) A custodian may consult with a health care provider who has been involved in an individual’s care, or another health care provider, before deciding to refuse to permit personal health information to be examined or copied under paragraph (1)(a).

14(3) A custodian who refuses to permit personal health information to be examined or copied under subsection (1) shall, to the extent possible, sever the personal health information that cannot be examined or copied and permit the individual to examine and receive a copy of the remainder of the information.

Division B
Correction of personal health information

Right to request a correction
15(1) For purposes of accuracy or completeness, an individual may make a request to correct any personal health information that the individual may examine and copy under this Part.

15(2) A request shall be in writing.

15(3) Within 30 days after receiving a request under subsection (1), the custodian shall do one of the following:
(a) make the requested correction to the record of the personal health information in a manner that it will be read with and form part of the record or be adequately cross-referenced to it;
(b) inform the individual, in writing, if the personal health information no longer exists or cannot be found;
(c) if the custodian does not maintain the personal health information,
(i) inform the individual making the request that the custodian does not maintain the personal health information;
(ii) provide the individual with the name and address of the custodian who maintains the personal health information, if known; and
(iii) if the custodian who maintains the personal health information is known, transfer the request to that custodian and notify the individual making the request of the transfer;
(d) inform the individual in writing of the custodian’s refusal to correct the record as requested, the reason for the refusal, and the individual’s right to add a statement of disagreement to the record and to make a complaint about the refusal under Part 6.

15(4) The custodian may, if approved by the Commissioner, extend the time limit for responding to a request for a period longer than 30 days.

15(5) A custodian who refuses to make a correction that is requested under this section shall
(a) permit the individual to file a concise statement of disagreement stating the correction requested and the reason for the correction, and
(b) add the statement of disagreement to the record in a manner that it will be read with and form part of the record or be adequately cross-referenced to it.

15(6) If a custodian makes a correction or adds a statement of disagreement under this section, the custodian shall, when practicable, notify any other custodian or person to whom the personal health information has been disclosed about the correction or statement of disagreement.

15(7) A custodian shall make the correction or add the statement of disagreement, if applicable, to any record of the personal health information that the custodian maintains.

15(8) A custodian shall not charge a fee in connection with a request for a correction made under this section.

Division C
Informal Access

Informal access
16 Nothing in this Part prevents a custodian from
(a) granting an individual access to a record of his or her personal health information if the individual makes an oral request for access or makes no request, provided that access is authorized under this Part, and
(b) communicating with the individual about the collection, use or disclosure of the individual’s personal health information.

PART 3
CONSENT RE PERSONAL HEALTH INFORMATION

Division A
General

Elements of consent
17(1) If this Act or any other Act of the Legislature requires the consent of an individual to the collection, use or disclosure of personal health information by a custodian, the consent
(a) shall be a consent of the individual, if the individual is capable of granting consent, or the consent of a substitute decision-maker,
(b) shall be knowledgeable,
(c) shall be able to be withdrawn or withheld,
(d) shall relate to the personal health information,
(e) shall not be obtained through deception or coercion, and
(f) may be express or implied.

17(2) The consent to the collection, use or disclosure of an individual’s personal health information is knowledgeable if it is reasonable in the circumstances to believe that the individual knows
(a) the purpose of the collection, use or disclosure, as the case may be,
(b) that the individual may give or withhold consent, and
(c) that the information can only be collected, used or disclosed without his or her consent in accordance with the provisions of this Act.

17(3) Unless it is not reasonable in the circumstances to make the assumption, a custodian is entitled to assume that an individual knows the purpose of the collection, use or disclosure of the individual’s personal health information by a custodian if the custodian posts or makes readily available a notice describing the purpose where it is likely to come to the individual’s attention or provides the individual with such a notice.

Implied, knowledgeable and continuing consent
18(1) Unless it is not reasonable in the circumstances to make the assumption, a custodian is entitled to assume that he or she has the individual’s implied consent, and to assume the consent is knowledgeable, to collect or use the individual’s personal health information or to disclose that information to another custodian or person for the purpose of providing health care to that individual.

18(2) If a custodian receives personal health information relating to an individual from the individual, the individual’s substitute decision-maker or another custodian for the purpose referred to in subsection (1), the custodian is entitled to assume that he or she has the individual’s continuing implied consent to collect, use or disclose the personal health information for that purpose, unless the custodian that receives the personal health information is aware that the individual has expressly withheld or withdrawn the consent.

Express consent
19(1) Unless otherwise provided in this Act, express consent of an individual is required in relation to the collection, use or disclosure of his or her personal health information by a custodian, including when the custodian discloses information to
(a) the media,
(b) a person for the purpose of fundraising activities,
(c) a visitor to a health care facility,
(d) a person outside New Brunswick, and
(e) a person for the purpose of research.

19(2) The consent of an individual to the collection, use or disclosure of personal health information by a custodian is express if
(a) the custodian requests the individual to provide the personal health information,
(b) the individual knows the purpose of the collection, use or disclosure of the information, as the case may be, and
(c) the individual grants the custodian permission, the contents of which may be prescribed by regulation, in writing, to collect, use or disclose the information.

19(3) Additional requirements of what constitutes express consent of an individual may be prescribed by regulation.

Conditional consent
20 If an individual places a condition on his or her consent to have a custodian collect, use or disclose the individual’s personal health information, the condition is not effective to the extent that it purports to prohibit or restrict any recording of personal health information by a custodian that is required by law or by established standards of professional practice or institutional practice.

Assumption of validity
21 A custodian who has obtained an individual’s consent to the collection, use or disclosure of the individual’s personal health information or who has received a copy of a document purporting to record the individual’s consent to the collection, use or disclosure of the information is entitled to assume that the consent fulfils the requirements of this Act and the individual has not withdrawn it, unless it is not reasonable in the circumstances to make the assumption.

Refusal to consent or withdrawal of consent
22(1) An individual may refuse to grant his or her consent or withdraw his or her consent to the collection, use or disclosure of the individual’s personal health information by a custodian except if
(a) it is prohibited by law to withdraw consent,
(b) the collection, use or disclosure is for the purposes of a program to monitor the prescribing, dispensing or use of certain classes of drugs,
(c) the collection, use or disclosure is for the purposes of the creation or maintenance of an electronic health record, or
(d) the collection, use or disclosure is for another purpose provided for in this Act.

22(2) If an individual refuses to grant consent or withdraws his or her consent to the collection, use or disclosure of his or her personal health information under subsection (1), the custodian shall
(a) take reasonable steps to act in accordance with the decision,
(b) inform the individual of the implications of the refusal or withdrawal, and
(c) inform the other custodians, if any, holding the individual’s personal health information of the decision.

22(3) A custodian may refuse to comply with the refusal or withdrawal of an individual’s consent to the collection, use or disclosure of his or her personal health information under subsection (1) if compliance with the individual’s refusal or withdrawal of consent is likely to endanger the health of the individual or the health of another person.

22(4) If the custodian refuses to comply with the refusal or withdrawal of an individual’s consent for the reasons referred to in subsection (3), the custodian shall inform the individual, as soon as possible, of the collection, use or disclosure of his or her personal health information.

Division B
Capacity to consent

Capacity to consent
23
(1) An individual is capable of consenting to the collection, use or disclosure of personal health information if the individual is able
(a) to understand the information that is relevant to deciding whether to consent to the collection, use or disclosure, as the case may be, and
(b) to appreciate the reasonably foreseeable consequences of giving, not giving, withholding or withdrawing the consent.

23(2) An individual may be capable of consenting to the collection, use or disclosure of personal health information at one time, but incapable of consenting at another time.

23(3) An individual is presumed to be capable of consenting to the collection, use or disclosure of personal health information.

23(4) A custodian may rely on the presumption under subsection (3), unless the custodian has reasonable grounds to believe that the individual is incapable of consenting to the collection, use or disclosure of personal health information.

Determination of incapacity
24
A custodian that determines that an individual is incapable of consenting to the collection, use or disclosure of personal health information under this Act shall do so in accordance with the requirements and restrictions, if any, prescribed by regulation.

Substitute decision-maker and the exercise of rights by a personal representative
25
(1) If an individual is incapable of consenting to the collection, use or disclosure of personal health information by a custodian, the following persons may, on the individual’s behalf and in the place of the individual, act as a substitute decision-maker for that individual by giving, withholding or withdrawing the consent:
(a) a person who has been authorized, in writing, by the individual to provide consent;
(b) a committee of the person appointed for the individual under the Infirm Persons Act, if the giving, withholding or withdrawing the consent relates to the powers and duties of the committee of the person;
(c) the individual’s attorney for personal care appointed in accordance with the Infirm Persons Act or the individual’s attorney appointed under a power of attorney respecting property, if the giving, withholding or withdrawing of consent relates to the powers and duties of the attorney;
(d) the individual’s spouse or common-law partner;
(e) the individual’s adult child;
(f) the individual’s parent or guardian;
(g) the individual’s adult sibling;
(h) the individual’s adult grandchild;
(i) the individual’s adult uncle or aunt;
(j) the individual’s adult nephew or niece;
(k) any other adult next of kin of the individual;
(l) the individual’s health care provider; and
(m) the Public Trustee.

25(2) A person referred to in subsection (1) may consent only if the person
(a) is capable of consenting to the collection, use or disclosure of personal health information by a custodian, and
(b) is willing to assume the responsibility of making a decision on whether or not to consent.

25(3) A person referred to in a paragraph of subsection (1) may assume the responsibility of making a decision only if no other person described in an earlier paragraph meets the requirements of subsection (2).

25(4) If an individual is deceased, any right or power conferred on an individual by this Act may be exercised by the individual’s personal representative if the exercise of the right or power relates to the administration of the individual’s estate.

2009, c.53, s.3.

Factors to consider for consent
26
A person who consents under this Act or any other Act of the Legislature on behalf of and in the place of an individual to the collection, use or disclosure of personal health information by a custodian, or who withholds or withdraws a consent, shall take into consideration
(a) any written instruction provided by the individual in a power of attorney for personal care or other power of attorney,
(b) the wishes, values and beliefs that,
(i) if the individual is capable, the person knows the individual holds and believes the individual would want reflected in decisions made concerning the individual’s personal health information, or
(ii) if the individual is incapable or deceased, the person knows the individual held when capable or alive and believes the individual would have wanted reflected in decisions made concerning the individual’s personal health information,
(c) whether the benefits that the person expects from the collection, use or disclosure of the information outweigh the risk of negative consequences occurring as a result of the collection, use or disclosure,
(d) whether the purpose for which the collection, use or disclosure is sought can be accomplished without the collection, use or disclosure, and
(e) whether the collection, use or disclosure is necessary to satisfy any legal obligation.

PART 4
COLLECTION, USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

Division A
Restrictions on the collection of information

General duties of custodians
27
(1) A custodian may collect personal health information relating to an individual if
(a) the custodian has the individual’s consent under this Act and the collection, to the best of the custodian’s knowledge, is necessary for a lawful purpose, or
(b) the collection is permitted or required by this Act.

27(2) Despite paragraph (1)(a), a custodian may collect personal health information relating to an individual without that individual’s consent if the individual is incapable of providing consent and
(a) consent cannot be obtained because
(i) there is no substitute decision-maker who can provide consent in a timely manner, or
(ii) the individual has been admitted to a psychiatric facility as an involuntary patient under the Mental Health Act, or
(b) the collection is necessary for the provision of health care to the individual.

Source of information
28
A custodian shall collect personal health information directly from the individual to whom the information relates except if
(a) the individual has authorized another method of collection,
(b) collection of the information directly from the individual could reasonably be expected to endanger the health or safety of the individual or another person,
(c) collection of the information is in the interest of the individual and time or circumstances do not permit collection directly from the individual,
(d) collection of the information directly from the individual could reasonably be expected to result in the collection of inaccurate information,
(e) the custodian collects the information from a person who is not a custodian for the purpose of carrying out a research project that has been approved by a research review body under section 43,
(f) another method is authorized or required by a court order, an Act of the Legislature or the Parliament of Canada or a treaty, agreement or arrangement made under an Act of the Legislature or the Parliament of Canada,
(g) the individual is unable to provide the information and a substitute decision-maker is acting on behalf of and in the place of the individual,
(h) the information is to be collected for the purpose of assembling a family or genetic history and the information collected will be used in the context of providing a health service to the individual,
(i) the information is collected for the purpose of
(i) determining the individual’s eligibility to participate in a health care program or to receive a benefit, product or health care service from a custodian and the information is collected in the course of processing an application made by or for the individual who is the subject of the information, or
(ii) verifying the eligibility of an individual who is participating in a health care program or receiving a benefit, product or health care service from a custodian to participate in the program or to receive the benefit, product or service,
(j) the custodian is a regional health authority, the board of directors or management personnel of a regional health authority or any member of any administrative or advisory committee established in accordance with the by-laws of a regional health authority and is collecting the information for a purpose authorized by law that relates to
(i) the investigation of a breach of an agreement or a contravention or an alleged contravention of the laws of the Province or of Canada,
(ii) the conduct of a proceeding or a possible proceeding, or
(iii) a function of the custodian under this Act,
(k) paragraph (j) also applies to a custodian who is a Minister of the Crown for the purposes set out in that paragraph when engaged in a function related to the delivery or administration of health care in the Province,
(l) the custodian collects information for the purpose of analysis or compiling statistical information respecting the management, evaluation or monitoring of the allocation of resources to, or planning for all or part of, the health care system, including the delivery of services, and the person from whom the information is collected has in place practices and procedures to protect the privacy of the individual whose personal health information it receives and to maintain the confidentiality of the information, or
(m) the custodian is the Minister and is collecting personal health information from another custodian for the purposes of creating or maintaining an electronic health record.

Scope of collection
29
Unless a custodian is required to do so by law, the custodian shall not collect
(a) personal health information if other information will serve the same purpose as the personal health information, or
(b) more personal health information than is reasonably necessary to meet the purpose for which the information is collected.

De-identified information
30
A custodian may collect personal health information that has been de-identified for any purpose.

Notice of collection practices
31
(1) A custodian who collects personal health information directly from the individual to whom the information relates shall, before it is collected or as soon as practicable afterwards, take reasonable steps to inform the individual
(a) of the purpose for which the information is being collected, and
(b) if the custodian is not a health care provider, how to contact an officer or employee of the custodian who can answer the individual’s questions about the collection.

31(2) A custodian need not comply with subsection (1) if the custodian has recently provided the individual with the information referred to in that subsection about the collection of the same or similar personal health information for the same or a related purpose.

Division B
Restrictions on the use of information

General duties of custodians
32
(1) A custodian shall not use personal health information except as authorized under this Division.

32(2) Every use by a custodian of personal health information shall be limited to the minimum amount of information necessary to accomplish the purpose for which it is used.

32(3) A custodian shall limit the use of personal health information it maintains to those employees and agents of the custodian who need to know the information to carry out the purpose for which the information was collected or received or to carry out any of the permitted uses authorized under section 34.

De-identified information
33
A custodian may use personal health information that has been de-identified for any purpose.

Permitted uses
34
(1) A custodian may use personal health information in its custody or under its control for one or more of the following purposes:
(a) for the purpose for which the information was collected or created and for all the functions reasonably necessary for carrying out that purpose, unless the individual expressly instructs otherwise;
(b) another use to which the individual who is the subject of the information consents;
(c) if the use of the information is authorized by this Act or by an Act of the Legislature or an Act of the Parliament of Canada;
(d) to prevent or reduce a risk of significant harm to the health or safety of the public or a group of people, the disclosure of which is clearly in the public interest;
(e) if the custodian is a public body, for planning or delivering programs or services that the custodian provides or that the custodian funds in whole or in part, allocating resources to any of those programs or services, evaluating or monitoring any of them or detecting, monitoring or preventing fraud or any unauthorized receipt of services or benefits related to any of them;
(f) for the purpose of risk management, error management or for the purpose of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services of the custodian;
(g) for educating agents of the custodian to provide health care;
(h) for the purpose of disposing of the information or de-identifying the information;
(i) for the purpose of seeking the individual’s consent, or the consent of the individual’s substitute decision-maker, when the personal health information used by the custodian for this purpose is limited to the name and contact information of the individual and the name and contact information of the substitute decision-maker, if applicable;
(j) for the purpose of a proceeding or contemplated proceeding in which the custodian or the agent or former agent of the custodian is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding or contemplated proceeding;
(k) if the custodian is a Minister of the Crown, for the purpose of recovering health care costs;
(l) for the purpose of obtaining payment for or processing, monitoring, verifying or reimbursing claims for payment for the provision of health care or related goods and services;
(m) for a research project approved by a research review body under section 43;
(n) subject to any requirements and restrictions prescribed by regulation, if permitted or required by law or by a treaty, agreement or arrangement made under an Act of the Legislature or the Parliament of Canada;
(o) if the custodian is a regional health authority, the board of directors or management personnel of a regional health authority or any member of any administrative or advisory committee established in accordance with the by-laws of a regional health authority for the following functions within the geographic area in which the custodian has jurisdiction:
(i) planning and resource allocation;
(ii) health system management;
(iii) public health surveillance; and
(iv) health policy development;
(p) paragraph (o) also applies to a custodian who is a Minister of the Crown for the purposes set out in that paragraph when engaged in a function related to the delivery or administration of health care in the Province; and
(q) to produce de-identified information that does not, either by itself or in combination with other information in the custody of or under the control of the custodian, permit an individual to be identified.

Division C
Restrictions on disclosure of information

General duties of custodians
35
(1) A custodian shall not disclose personal health information except as authorized under this Division.

35(2) Every disclosure by a custodian of personal health information shall be limited to the minimum amount of information necessary to accomplish the purpose for which it is disclosed.

35(3) A custodian shall limit the disclosure of personal health information it maintains to those employees and agents of the custodian who need to know the information to carry out the purpose for which the information was collected or received or to carry out a purpose authorized under section 37.

2009, c.53, s.4.

De-identified information
36
A custodian may disclose personal health information that has been de-identified for any purpose.

Disclosure for health related purposes
37
(1) Subject to subsection (2), the custodian may disclose an individual’s personal health information if
(a) the individual or his or her substitute decision-maker is the recipient of the disclosure, or
(b) the individual or his or her substitute decision-maker consents to the disclosure.

37(2) A custodian may disclose an individual’s personal health information without the consent of the individual
(a) to a person who is providing or has provided health care to the individual, to the extent necessary to provide health care to the individual, unless the individual has instructed the custodian not to make the disclosure,
(i) if it is not possible to obtain the consent of the individual in a timely manner, or
(ii) if the individual has been admitted to a psychiatric facility as an involuntary patient under the Mental Health Act, or
(b) for the purpose of contacting a relative, friend or the substitute decision-maker of an individual who is not capable of giving consent personally.

37(3) If a custodian discloses personal health information relating to an individual under paragraph (2)(a) and an express request of the individual prevents the custodian from disclosing all the personal health information that the custodian considers reasonably necessary to disclose for the provision of health care to the individual, the custodian shall notify the person to whom it makes disclosure of that fact.

37(4) A custodian that is a health care facility may disclose personal health information relating to an individual who is a patient or resident of the facility to a person that the facility reasonably believes is a member of the individual’s immediate family, a relative or a person with whom the individual has a close personal relationship if
(a) the facility offers the individual the option, at the first reasonable opportunity after admission to the facility, to object to that disclosure and the individual does not do so, and
(b) the disclosure is made in accordance with accepted professional practice.

37(5) A custodian may disclose personal health information relating to an individual who is deceased or presumed to be deceased
(a) for the purpose of identifying the individual,
(b) for the purpose of informing a person whom it is reasonable to inform in the circumstances of the fact that the individual is deceased or presumed to be deceased and the circumstances of the death, if appropriate,
(c) to the personal representative of the deceased for a purpose related to the administration of the estate,
(d) to a spouse, common-law partner, sibling or descendant of the individual if the recipient of the information reasonably requires the information to make decisions about his or her own health care or the health care of his or her child or if the disclosure is necessary to provide health care to the recipient, or
(e) for research purposes under section 43 if the information has been de-identified.

37(6) A custodian shall disclose personal health information relating to an individual without the consent of the individual
(a) if the custodian is a Minister of the Crown or a regional health authority, for the purpose of recovering health care costs,
(b) to a person conducting an audit or reviewing an application for accreditation or reviewing an accreditation, if the audit or review relates to the services provided by the custodian,
(c) to or via an information network designated by the Minister in accordance with the regulations in which personal health information is recorded for the purpose of facilitating
(i) the delivery, evaluation or monitoring of a program that relates to the provision of health care or the payment for health care,
(ii) review and planning necessary for the provision of health care or the payment for health care, or
(iii) the creation and maintenance of an electronic health record established in accordance with the regulations,
(d) to a custodian designated in the regulations who compiles or maintains a registry of personal health information for purposes of facilitating or improving the provision of health care or that relates to the storage or donation of body parts or bodily substances,
(e) to the chief medical officer of health or other medical officers if the disclosure is required by another Act of the Legislature or the Parliament of Canada, and
(f) to a public health authority established under an Act of the Parliament of Canada, another province or other jurisdiction if the disclosure is made for a public health purpose.

37(7) If a custodian discloses personal health information under paragraph (6)(b), the person conducting the audit or reviewing an application for accreditation or reviewing an accreditation shall agree in writing
(a) to destroy the information at the earliest possible opportunity after the audit or review, and
(b) not to disclose the information to any other person, except as required to accomplish the audit or review or to report unlawful conduct by the custodian.

2009, c.53, s.5.

Disclosure for health care programs or other programs
38
(1) A custodian may disclose personal health information relating to an individual without the consent of the individual if the disclosure is
(a) for the purpose of determining or verifying the eligibility of the individual to receive health care or related goods, services or benefits provided under an Act of the Legislature or the Parliament of Canada and funded in whole or part by the Province or the Government of Canada,
(b) for the purpose of determining or providing payment to the custodian for the provision of health care or for processing, monitoring, verifying or reimbursing claims for payment for the provision of health care,
(c) to a department or the government of another jurisdiction or to an agency of that government to the extent necessary to obtain payment for health care provided to the individual to whom the personal health information relates,
(d) for the purpose of delivering, evaluating or monitoring a program of the custodian that relates to the provision of health care or the payment for health care,
(e) for the purpose of review and planning necessary for the provision of health care by another custodian,
(f) to an information manager in accordance with this Act,
(g) to a person who requires the personal health information to carry out an audit for, or to provide legal services, error management services or risk management services to, the custodian,
(h) to the Canadian Institute for Health Information or other entity prescribed by regulation for the purpose of compiling and analyzing statistical information to assist in the management, evaluation and monitoring of the allocation of resources, health system planning and delivery of health care services in accordance with the terms of an agreement between the Canadian Institute for Health Information or other entity and the Province,
(i) to a potential successor of the custodian for the purpose of allowing the potential successor to assess or evaluate the operations of the custodian, on condition that the potential successor first enters into an agreement with the custodian to keep the information confidential and secure and not to retain the information any longer than is necessary for the purpose of the assessment or evaluation, and
(j) to the successor of the custodian if the custodian transfers records to the successor as a result of the custodian ceasing to be a custodian or ceasing to provide health care within the geographic area in which the successor provides health care and the successor is a custodian.

38(2) For the purpose of paragraph (1)(j), a custodian who transfers a record of personal health information to its successor shall make reasonable efforts to give notice to the individual to whom the information relates before the transfer or, if this is not possible, as soon as possible after the transfer, that it has ceased to be a custodian of the information and identifies its successor.

Disclosure re health and safety
39
(1) A custodian may disclose personal health information without the consent of the individual to whom the information relates if the custodian reasonably believes that disclosure is required
(a) to prevent or reduce a risk of serious harm to the mental or physical health or safety of the individual to whom the information relates or another individual, or
(b) to prevent or reduce a risk of significant harm to the health or safety of the public or a group of people, the disclosure of which is clearly in the public interest.

39(2) A custodian may disclose personal health information without the consent of the individual to whom the information relates to the superintendent of a correctional facility in which the individual is lawfully detained or to the administrator of a psychiatric facility in which the individual is lawfully detained under section 18 of the Mental Health Act to assist the facility in making a decision respecting
(a) arrangements for the provision of health care to the individual, or
(b) the placement of the individual into custody or the detention, release, conditional release, discharge or conditional discharge of the individual under an Act of the Legislature, of another province or territory or of the Parliament of Canada.

Disclosure re proceedings
40
(1) A custodian shall disclose personal health information without the consent of the individual to whom the information relates
(a) to a body with statutory responsibility for the discipline of health care providers or to regulate the quality or standards of professional services provided by health care providers, including for the purpose of an investigation by that body, or
(b) for the purpose of complying with a summons, subpoena, warrant, order or similar requirement issued by a court, person or entity with jurisdiction to compel the production of personal health information or for the purpose of complying with the Rules of Court concerning the production of personal health information in a proceeding.

40(2) A custodian may disclose personal health information without the consent of the individual to whom the information relates
(a) for the purpose of a proceeding or contemplated proceeding in which the custodian is or is expected to be a party or a witness if the information relates to or is a matter in issue in the proceeding or contemplated proceeding,
(b) to a committee referred to in the Evidence Act for the purpose of peer review or quality assurance activities,
(c) to a proposed litigation guardian, committee or legal representative of the individual for the purpose of having the person appointed as a litigation guardian, committee or legal representative,
(d) to a litigation guardian, committee or a legal representative who is authorized under the Rules of Court to commence, defend or continue a proceeding on behalf of the individual or to represent the individual in a proceeding, or
(e) for the purpose of laying an information or making an application for an order if the personal health information relates to or is a matter in issue in the information or application.

Disclosure for enforcement purposes
41
(1) A custodian shall disclose personal health information, including information relating to a person providing health care, without the consent of the individual to whom the information relates to a person carrying out an inspection, investigation or similar procedure that is authorized by or under this Act, another Act of the Legislature or the Parliament of Canada for the purpose of facilitating the inspection, investigation or similar procedure.

41(2) A custodian may disclose personal health information, including information relating to a person providing health care, without the consent of the individual to whom the information relates to another custodian if the custodian disclosing the information has a reasonable expectation that disclosure will detect or prevent fraud, limit abuse in the use of health care or prevent the commission of an offence under an Act of the Legislature or the Parliament of Canada.

Disclosure required by law
42
A custodian shall disclose personal health information without the consent of the individual who is the subject of the information if the disclosure is required by another Act of the Legislature or the Parliament of Canada or by a treaty, agreement or arrangement made under another Act of the Legislature or the Parliament of Canada.

Disclosure for research purposes
43
(1) A custodian may disclose personal health information to a person conducting a research project only if the project has been approved under this section.

43(2) An approval may be given by a research review body that meets the requirements prescribed by regulation.

43(3) An approval may be given under this section only if the research review body has determined that
(a) the research is of sufficient importance to outweigh the intrusion into privacy that would result from the disclosure of the personal health information,
(b) the research purpose cannot reasonably be accomplished unless the personal health information is provided in a form that identifies or may identify individuals,
(c) the individuals to whom the information relates have consented to its use and disclosure or it is unreasonable or impractical for the person proposing the research to obtain consent from the individuals to whom the information relates, and
(d) the research project contains
(i) reasonable safeguards to protect the privacy and security of the personal health information, and
(ii) procedures to destroy the information or de-identify the information at the earliest opportunity, consistent with the purposes of the project.

43(4) An approval under this section is conditional on the person proposing the research project entering into an agreement with the custodian, in accordance with the regulations,
(a) not to publish the personal health information requested in a form that could reasonably be expected to identify the individuals to whom the information relates,
(b) to use the personal health information requested solely for the purposes of the approved research project, and
(c) to ensure that the research project complies with the safeguards and procedures described in paragraph (3)(d).

43(5) If a research project will require direct contact with individuals, a custodian shall not disclose personal health information relating to those individuals under this section without first obtaining their consent, but the custodian need not obtain their consent if the information consists only of the individuals’ names and addresses.

2009, c.53, s.6.

Disclosure of registration information
44
(1) The Minister may disclose registration information without the consent of an individual to whom the information relates
(a) to a public body for the purpose of verifying the accuracy of registration information held by the public body, or
(b) with the approval of the Lieutenant-Governor in Council, to a public body on the terms or conditions that the Lieutenant-Governor in Council may determine.

44(2) With the approval of the Lieutenant-Governor in Council, the Minister may enter into agreements for the sharing of registration information without the consent of the individual to whom the information relates with
(a) the Government of Canada or the government of a province or territory of Canada, or
(b) a person or body designated in the regulations.

44(3) An agreement made under subsection (2) shall specify that the party to whom the registration information is disclosed shall use the information only for the purposes specified in the agreement.

Monitoring health care payments
45
(1) A custodian shall, at the request of the Minister, disclose to the Minister personal health information without the consent of the individual to whom the information relates for the purpose of monitoring or verifying claims for payment for health care funded wholly or in part by the Province.

45(2) The Minister may disclose information collected under subsection (1) to another person for a purpose set out in that subsection if the disclosure is reasonably necessary for that purpose.

Maintaining disclosure information
46
(1) A custodian that discloses personal health information without consent for health related purposes, unless otherwise provided in subsection (2), shall make a note of the following:
(a) the name of the person to whom the custodian discloses the information;
(b) the date and purpose of the disclosure; and
(c) a description of the information disclosed.

46(2) Subsection (1) does not apply if the custodian discloses personal health information by permitting access to the information stored in the information system of the custodian, provided that when the information is accessed the data base automatically keeps an electronic log of the following information:
(a) the user identification of the person who accesses the information;
(b) the date and time the information is accessed; and
(c) a description of the information that is accessed or that could have been accessed.

Disclosure outside the Province
47
A custodian may disclose personal health information relating to an individual that is collected in the Province to a person outside the Province but only in circumstances described in section 37, 38 or 44 or in circumstances described in the regulations.

2009, c.53, s.7.

Medicare number
48
(1) No person may require the production of an individual’s Medicare number or collect or use an individual’s Medicare number except a person that requires its production, collection or use for the following purposes:
(a) for the provision of health care;
(b) to verify the individual’s eligibility to participate in a health care program or receive a health care service; and
(c) for the payment and management of the health care system.

48(2) An individual may refuse to provide his or her Medicare number to any person not authorized to require the production of the individual’s Medicare number or collect or use the individual’s Medicare number.

48(3) If a person requests a Medicare number from an individual, the person shall advise the individual of his or her authority to do so.

2009, c.53, s.8.

Division D
Information practices, policy, procedures and security

Information practices
49
(1) A custodian shall
(a) establish and implement information practices to facilitate the implementation of, and to ensure compliance with, this Act,
(b) designate a person
(i) to assist in ensuring compliance with this Act,
(ii) to respond to inquiries about the custodian’s information practices, and
(iii) to receive complaints from the public about any alleged contravention of this Act or its regulation by the custodian,
(c) notify the individual to whom the information relates and the Commissioner in the manner prescribed by the regulations at the first reasonable opportunity if personal health information is
(i) stolen,
(ii) lost,
(iii) disposed of, except as permitted by this Act, or
(iv) disclosed to or accessed by an unauthorized person, and
(d) promote openness, transparency of policies and procedures to the public.

49(2) Paragraph (1)(c) does not apply if the custodian reasonably believes that the theft, loss, disposition, disclosure or access of personal health information will not
(a) have an adverse impact on the provision of health care or other benefits to the individual to whom the information relates,
(b) have an adverse impact on the mental, physical, economic or social well-being of the individual to whom the information relates, or
(c) lead to the identification of the individual to whom the information relates.

Security safeguards
50
(1) In accordance with any requirements prescribed by the regulations, a custodian shall protect personal health information by adopting information practices that include reasonable administrative, technical and physical safeguards that ensure the confidentiality, security, accuracy and integrity of the information.

50(2) The information practices referred to in subsection (1) shall be based on nationally or jurisdictionally recognized information technology security standards and processes, appropriate for the level of sensitivity of the personal health information to be protected.

50(3) Without limiting subsection (1), a custodian shall
(a) implement controls that limit the persons who may use personal health information maintained by the custodian to those specifically authorized by the custodian to do so,
(b) implement controls to ensure that personal health information maintained by the custodian cannot be used unless
(i) the identity of the person seeking to use the information is verified as a person the custodian has authorized to use it, and
(ii) the proposed use is verified as being authorized under this Act,
(c) if the custodian uses electronic means to request disclosure of personal health information or to respond to requests for disclosure, implement procedures to prevent the interception of the information by unauthorized persons,
(d) when responding to requests for disclosure of personal health information, ensure that the request contains sufficient detail to uniquely identify the individual to whom the information relates, and
(e) ensure agents of the custodian adhere to the safeguards.

50(4) A custodian who maintains personal health information in electronic form shall implement any additional safeguards for the security and protection of the information required by the regulations.

Power to transform personal health information
51
A custodian may strip, encode or otherwise transform personal health information in order to create or produce de-identified information.

Agents and information managers
52
(1) A custodian that retains the services of an agent for the collection, use, disclosure or retention of personal health information shall enter into a written agreement with the agent requiring the agent to comply with the custodian’s legal obligations regarding handling of personal health information.

52(2) A custodian may provide personal health information to an information manager for the purpose of processing, storing or destroying the personal health information or providing the custodian with information management or information technology services.

52(3) A custodian that wishes to provide personal health information to an information manager shall enter into a written agreement with the information manager, in accordance with the regulations, that provides for the protection of the personal health information against risks such as unauthorized access to or use or disclosure, secure destruction or alteration of the information.

52(4) An information manager who enters into a written agreement under subsection (3) shall comply with
(a) the duties imposed on the information manager under the agreement, and
(b) the same requirements concerning the protection, retention and secure destruction of personal health information that the custodian is required to comply with under this Act.

Accuracy of information
53
Before using or disclosing personal health information, a custodian shall take reasonable steps
(a) to ensure that the information is accurate, up-to-date and complete, and
(b) to ensure that the disclosure is made to the person intended and authorized to receive the information.

Ceasing operation as a custodian
54
(1) Subject to this section, a custodian does not cease to be a custodian with respect to a record of personal health information until complete custody and control of the record passes to another person who is legally authorized to hold the record.

54(2) If the custodian ceases to operate as a custodian, the custodian or the custodian’s successor shall
(a) notify the subject of the information about the personal health information held by the custodian or the custodian’s successor,
(b) indicate where the person may make a written request for access to the personal health information, and
(c) the period the personal health information will be retained.

54(3) If a custodian who is an individual dies, the duties and powers of a custodian under this Act shall be performed by the personal representative of the deceased as defined in the Devolution of Estates Act until custody and control of the record of personal health information passes to another person who is legally authorized to hold the record.

Requirements for retention, storage and secure destruction of information
55
(1) A custodian shall establish and comply with a written policy for the retention, archival storage, access and secure destruction of personal health information that
(a) meets any requirements prescribed by regulation or any requirements contained in any Act of the Legislature,
(b) protects the privacy of the individual to whom the information relates, and
(c) requires a custodian who destroys personal health information to keep a record of the individual whose personal health information is destroyed, a summary of the contents of the record, the time period to which the information relates, the method of destruction and the name of the person responsible for supervising the secure destruction.

55(2) Unless otherwise provided in the regulations, a public body shall ensure that personal health information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:
(a) if the individual to whom the information relates has identified the information and has consented, in the manner prescribed by regulation, to it being stored in another jurisdiction;
(b) if the information is stored in another jurisdiction for the purpose of disclosure allowed under this Act;
(c) if the information was disclosed for the purposes of
(i) a payment to be made to or by the Province or a public body,
(ii) authorizing, administering, processing, verifying or cancelling a payment to be made to or by the Province or a public body, or
(iii) resolving an issue regarding a payment to be made to or by the Province or a public body.

55(3) This section does not override or modify any requirement in an Act of the Legislature or the Parliament of Canada concerning the retention or secure destruction of records maintained by a public body.

2009, c.53, s.9.

Privacy impact assessment
56
(1) A custodian that is a public body or any other custodian prescribed by regulation shall conduct a privacy impact assessment in the following situations:
(a) for the new collection, use or disclosure of personal health information or any change to the collection, use or disclosure of personal health information;
(b) for the creation of a personal health information system or personal health information communication technology or a modification to a personal health information system or personal health information communication technology;
(c) subject to section 57, if a custodian performs data matching with personal health information or with any personal health information held by another custodian or another person.

56(2) A privacy impact assessment shall describe, in the form and manner as may be prescribed by regulation, how the proposed administrative practices and information systems relating to the collection, use and disclosure of individually identifying health information may affect the privacy of the individual to whom the information relates.

2009, c.53, s.10.

Data matching
57
(1) A custodian shall not, in contravention of this Act,
(a) collect personal health information to be used in data matching, or
(b) use or disclose personal health information to be used in data matching or created through data matching.

57(2) A custodian may perform data matching using personal health information in its custody or control, provided there is authority for the collection, use or disclosure of the personal health information being used for data matching or created as a result of data matching.

57(3) A custodian is not required to conduct a privacy impact assessment if data matching is being done for an authorized purpose and will not result in a use of personal health information that will affect the privacy of the individual to whom the information relates.

2009, c.53, s.11.

PART 5
COMMISSIONER

Oath of Commissioner
58
(1) Before entering on the performance of his or her duties or the exercise of his or her powers or responsibilities under this Act, the Commissioner shall take an oath to faithfully and impartially perform the duties or exercise the powers or responsibilities and not to divulge any information received under this Act except for the purpose of giving effect to this Act.

58(2) The Speaker or the Clerk of the Legislative Assembly shall administer the oath referred to in subsection (1).

Staff
59
(1) The Commissioner may appoint the assistants and employees as the Commissioner considers necessary for the efficient carrying out of the Commissioner’s duties and powers under this Act.

59(2) Before performing any duties or exercising powers under this Act, a person appointed under subsection (1) shall take an oath, administered by the Commissioner, that the person will not divulge any information that is received under this Act, except for the purpose of giving effect to, and in compliance with, this Act.

59(3) The Public Service Superannuation Act applies to all persons appointed by the Commissioner under subsection (1).

59(4) All persons appointed under subsection (1) may participate in and receive benefits under any health, life, disability or other insurance plan available to employees within the public service, in accordance with the terms upon which the right to participate and receive benefits may from time to time be extended to the persons employed in the Office of the Commissioner.

Delegation of duties or powers
60
(1) The Commissioner may delegate, in writing, to any person any duty or power of the Commissioner under this Act, except the power of delegation and the power to make a report under this Act.

60(2) Despite subsection (1), if the Commissioner is in a conflict of interest with respect to a matter referred to the Commissioner, the Commissioner may delegate in writing to any person any duty or power with respect to that matter, including the duty to make a report.

60(3) A person purporting to perform a duty or exercise a power of the Commissioner by virtue of a delegation under subsection (1) or (2) shall produce evidence of his or her authority to perform that duty or exercise that power when required to do so.

60(4) The Lieutenant-Governor in Council may prescribe by regulation circumstances that give rise to a conflict of interest for the purposes of subsection (2).

Powers under the Inquiries Act
61
If the Commissioner conducts an investigation under this Act, the Commissioner has all the powers, privileges and immunities conferred on a commissioner under the Inquiries Act.

Right of entry
62
Despite any other Act of the Legislature or any privilege of the law of evidence, in performing duties or exercising powers under this Act, the Commissioner has the right
(a) to enter any office of a custodian and examine and make copies of any record in the custody of the custodian, and
(b) to converse in private with any officer or employee of the custodian.

Duties and powers of the Commissioner
63
In addition to the Commissioner’s duties and powers under Part 6 respecting complaints, the Commissioner may
(a) monitor how this Act is administered,
(b) conduct investigations to monitor compliance with this Act,
(c) review privacy impact assessments that have been conducted by a custodian that is a public body,
(d) inform the public about this Act,
(e) promote best practices and provide advice to custodians,
(f) make recommendations with regard to this Act, and
(g) review any matter referred to the Commissioner by the Executive Council.

Commissioner’s report
64
The Commissioner shall report annually to the Legislative Assembly on the performance of his or her duties or the exercise of his or her powers under this Act.

Protection from legal action
65
(1) No proceedings lie against the Commissioner or any person appointed by the Commissioner under this Act for anything he or she may do, report or say in the course of the performance of a duty or the intended performance of a duty under this Act or the exercise of a power or intended exercise of a power under this Act, unless it is shown that he or she acted in bad faith.

65(2) The Commissioner or any person holding any office or appointment under the Commissioner shall not be called to give evidence in any court or in any proceedings of a judicial nature in respect of anything coming to his or her knowledge in the performance of a duty or the exercise of a power under this Act whether or not that duty or power was within his or her jurisdiction.

PART 6
REVIEW

Referral to Court of Queen’s Bench
66
(1) An individual who made a request under section 7 or section 15 may, in relation to a decision, an act or an omission of a custodian in respect of the request refer, according to the regulations, a matter to a judge of The Court of Queen’s Bench of New Brunswick for review.

66(2) If an individual refers the matter to a judge of The Court of Queen’s Bench of New Brunswick under subsection (1), the individual may not file a complaint with the Commissioner under section 68 and the Commissioner may not act in the matter.

66(3) A matter referred to a judge of The Court of Queen’s Bench of New Brunswick under subsection (1) shall be filed within 30 days after the date the decision of the custodian was made.

Decision of the Court of Queen’s Bench
67
(1) If a matter is referred to a judge of The Court of Queen’s Bench of New Brunswick under subsection 66(1), the judge shall hold a hearing and,
(a) if the custodian denied a request to examine or copy personal health information in whole or in part, may order the custodian to grant the request in whole or in part,
(b) if the custodian failed to reply to a request to examine or copy personal health information, may order the custodian to reply to the request or deny the request,
(c) if the custodian denied a request for the correction of personal health information, in whole or in part, may order the custodian to grant the request in whole or in part, or
(d) may make any other order that is, in the opinion of the judge, necessary.

67(2) A copy of the decision of the judge of The Court of Queen’s Bench of New Brunswick shall be sent to the individual who referred the matter for review and to the custodian.

67(3) No appeal lies from the decision of the judge of The Court of Queen’s Bench of New Brunswick under subsection (1).

Complaint filed with the Commissioner
68
(1) An individual who made a request under section 7 or section 15 may make a complaint to the Commissioner if the individual
(a) is not satisfied with a decision, an act or an omission of the custodian in relation to the request, or
(b) is not satisfied with a decision of a custodian under subsection 10(2).

68(2) Without limiting paragraph (1)(a), an individual may make a complaint to the Commissioner alleging that a custodian
(a) has collected, used or disclosed his or her personal health information contrary to this Act, or
(b) has failed to protect his or her personal health information in a secure manner as required by this Act.

68(3) Subject to section 75, if an individual has filed a complaint with the Commissioner under subsection (1), the individual may not refer the matter under subsection 66(1) to a judge of The Court of Queen’s Bench of New Brunswick for review.

68(4) Subject to subsection (6), a complaint to the Commissioner under subsection (1) shall be in writing and filed within 60 days after the date the individual was notified of the decision of the custodian or the date of the act or the omission of the custodian, as the case may be.

68(5) The Commissioner may extend the period of time referred to in subsection (4).

68(6) If the custodian fails to respond in time to a request to examine or copy a record, the failure is to be treated as a decision to refuse the request, in which case a complaint shall be filed with the Commissioner within 120 days following the request for information.

68(7) As soon as practicable after receiving a complaint, the Commissioner shall notify the custodian of the complaint and provide the custodian with a copy of the complaint.

Investigation
69
(1) On receiving a complaint the Commissioner shall, in accordance with this Act and the power, authority, privileges, rights and duties vested in the Commissioner under the Right to Information and Protection of Privacy Act, investigate the matter referred to the Commissioner or shall take steps to resolve the complaint informally under subsection (2).

69(2) The Commissioner may take any steps the Commissioner considers appropriate to resolve a complaint informally to the satisfaction of the parties and in a manner consistent with the purposes of this Act.

69(3) If the Commissioner cannot resolve a complaint within 45 days of the commencement of the informal resolution process referred to in subsection (2), the Commissioner shall review the decision of the custodian and shall prepare the report referred to in section 73.

Refusal to investigate
70
(1) The Commissioner may, in his or her discretion, refuse to or cease to investigate a matter in any of the following circumstances:
(a) the complaint is trivial, frivolous, vexatious or not made in good faith;
(b) having regard to all the circumstances of the case, further investigation is unnecessary;
(c) the time period within which the complaint could be made is expired; or
(d) the person who made the complaint does not have a sufficient personal interest in the matter.

70(2) If the Commissioner refuses to investigate a complaint, the Commissioner shall, in writing, inform the individual who made the complaint and the custodian of his or her decision not to investigate the decision of the custodian or to cease an investigation in relation to a matter and the reasons for the Commissioner’s decision.

Production of records
71
(1) With the exception of Executive Council confidences and any document that contains information that is subject to solicitor-client privilege, the Commissioner may require any record in the custody or under the control of a custodian that the Commissioner considers relevant to an investigation to be produced to the Commissioner and may examine any information in a record, including personal health information.

71(2) The Commissioner may review the records referred to in subsection (1) in private without the presence of any person.

71(3) Despite any other Act of the Legislature or any privilege of the law of evidence, a custodian shall produce to the Commissioner within 14 days after a request by the Commissioner a record or a copy of a record required under this section.

71(4) If a custodian is required to produce a record under this section and it is not practicable to make a copy of it, the custodian may require the Commissioner to examine the original at its site.

Time limit for investigation
72
An investigation shall be completed and a report made under section 73 within 90 days after a complaint is filed, unless the Commissioner
(a) notifies the individual who filed the complaint, the custodian and any other person who has made representations to the Commissioner that the Commissioner is extending that period, and
(b) gives an anticipated date for providing the report.

Report
73
(1) On completing an investigation of a complaint, the Commissioner shall prepare a report containing the Commissioner’s findings about the complaint and
(a) recommend to the custodian to grant in whole or in part the request for personal health information, or
(b) recommend to the custodian to reply to the request or deny the request.

73(2) The Commissioner shall give a copy of the report to the person who filed the complaint and to the custodian concerned.

Complying with the recommendation
74
(1) The custodian, on reviewing the recommendation of the Commissioner, shall make his or her decision and shall notify, in writing, the individual who made the complaint and shall forward to the Commissioner a copy of the decision.

74(2) If the custodian accepts the recommendations in the Commissioner’s report, the custodian shall, within 15 days after receiving the report, comply with the recommendations of the Commissioner or make any other decision that the custodian considers appropriate.

74(3) If the custodian fails to notify the individual under subsection (1) within 15 days after making his or her decision, the failure shall be treated as a decision not to accept the recommendation of the Commissioner.

Right to appeal
75
(1) If the custodian decides not to accept the recommendations of the Commissioner, the individual who made the complaint may appeal the matter, in accordance with the regulations, to a judge of The Court of Queen’s Bench of New Brunswick.

75(2) The custodian shall notify the individual who made the complaint of the custodian’s decision not to accept the recommendations of the Commissioner, the individual’s right to appeal the decision and the time limit for the appeal.

75(3) Section 66 applies with the necessary modifications in relation to an appeal under subsection (1).

PART 7
GENERAL PROVISIONS

Offences
76
(1) No person shall
(a) collect, use or disclose personal health information in wilful contravention of this Act,
(b) attempt to gain or gain access to personal health information in wilful contravention of this Act,
(c) knowingly make a false or misleading statement to the Commissioner or another person in the performance of the duties or the exercise of the powers of the Commissioner or the other person under this Act or knowingly mislead or attempt to mislead the Commissioner or the other person,
(d) obstruct the Commissioner or another person in performing duties or exercising powers under this Act,
(e) destroy a record or erase information in a record that is subject to this Act, or direct another person to do so, with the intent to evade a request to examine or copy the record,
(f) alter, falsify, conceal or destroy any record or part of any record, or direct another person to do so, with an intent to evade a request to examine or copy the record, or
(g) wilfully fail to comply with an investigation of the Commissioner.

76(2) A person who is an employee of a custodian or information manager who, without the authorization of the custodian or information manager, discloses personal health information in wilful contravention of this Act in circumstances where the custodian or information manager would not be permitted to disclose the information under this Act, commits an offence.

76(3) A custodian or information manager commits an offence if the custodian or information manager
(a) collects, uses, sells or discloses personal health information contrary to this Act,
(b) fails to protect personal health information in a secure manner as required by this Act,
(c) discloses personal health information contrary to this Act with the intent of obtaining a monetary or other material benefit or to confer a benefit on a custodian or other person, or
(d) takes any adverse employment action against an employee because the employee has complied with a request or requirement to produce a record or provide information or evidence to the Commissioner, or a person acting for or under the direction of the Commissioner, under this Act.

76(4) No custodian or information manager shall be found to have contravened paragraph (3)(a) or (b) if the custodian or information manager can establish that he or she took all reasonable steps to prevent the contravention.

76(5) A person who violates or fails to comply with subsection (1), (2), (3) or (4) commits an offence punishable under Part II of the Provincial Offences Procedure Act as a category F offence.

76(6) No prosecution for an offence under this Act shall be commenced after 2 years from the date of the discovery of the alleged offence.

Defence
77
No person commits an offence or is subject to disciplinary action of any kind under any other Act of the Legislature by reason of complying with a request or requirement to produce a record or provide information or evidence to the Commissioner, or a person acting for or under the direction of the Commissioner, under this Act.

Immunity
78
No action lies and no proceeding may be brought against the Province of New Brunswick, a custodian or any person acting for or under the direction of the custodian for damages resulting from
(a) the disclosure of or failure to disclose, in good faith, all or part of a record or information under this Act or any consequences of that disclosure or failure to disclose, or
(b) the failure to give a notice required by this Act if reasonable care is taken to give the required notice.

Regulations
79
(1) The Lieutenant-Governor in Council may make regulations
(a) designating custodians for the purposes of the definition “custodian” in section 1;
(b) prescribing health care services for the purposes of the definition “health care” in section 1;
(c) designating a facility in which health care is provided for the purposes of the definition “health care facility” in section 1;
(d) designating a class of persons as a health care provider for the purposes of the definition “health care provider” in section 1;
(e) prescribing personal health information for the purposes of paragraph 3(1)(b);
(f) prescribing the personal health information to which this Act does apply for the purposes of subsection 3(2);
(f.1) prescribing the individuals or organizations referred to in paragraph 3(2)(c) that collect, maintain or use personal health information for purposes other than health care or treatment and the planning and management of the health care system;
(g) specifying for the purposes of subsection 4(1) the Acts of the Legislature or provisions of the Acts of the Legislature over which this Act does not prevail;
(h) Repealed: 2009, c.53, s.12.
(i) prescribing an Act of the Legislature or any provision of an Act of the Legislature for the purposes of paragraph 4(2)(b);
(j) prescribing the search, preparation, copying and delivery fees referred to in section 13, the amount that the fees cannot exceed and the waiver of the fees;
(k) prescribing for the purposes of paragraph 14(1)(i) a reason for which a custodian is not required to permit an individual to examine or copy his or her personal health information;
(l) prescribing the contents of the permission referred to in paragraph 19(2)(c);
(m) prescribing additional requirements of what constitutes express consent for the purposes of subsection 22(2);
(n) respecting the reasons for which and the method by which an individual may refuse to grant consent or withdraw his or her consent to the collection, use or disclosure of his or her personal health information;
(o) prescribing for the purposes of paragraph 34(1)(n) requirements and restrictions for the use of personal health information if the use is permitted or required by law or by a treaty, agreement or arrangement made under an Act of the Legislature or the Parliament of Canada;
(p) respecting information networks referred to in paragraph 37(6)(c);
(q) respecting the establishment of an electronic health record;
(r) designating a custodian for the purposes of paragraph 37(6)(d);
(s) prescribing an entity for the purposes of paragraph 38(1)(h);
(t) prescribing for the purposes of section 43 the requirements of an approval by a research review body and the agreement the custodian and the person proposing the research project must enter into;
(u) designating for the purposes of paragraph 44(2)(b) a person or body with whom the Minister may enter into agreements for the sharing of registration information without the consent of the individual;
(u.1) describing the circumstances in which a custodian may disclose personal health information relating to an individual that is collected in the Province to a person outside the Province;
(v) authorizing for the purposes of subsection 48(1) persons that may require the production of an individual’s Medicare number or collect or use an individual’s Medicare number;
(w) prescribing the manner of notification under paragraph 49(1)(c);
(x) prescribing the requirements of the information practices referred to in subsection 50(1);
(y) prescribing for the purposes of subsection 50(4) additional safeguards for personal health information maintained in electronic form;
(z) respecting written agreement for the purposes of subsection 52(3);
(aa) prescribing requirements to be contained in the written policy for the retention, archival storage, access and secure destruction of personal health information for the purposes of paragraph 55(1)(a);
(bb) prescribing the manner of consent for the purposes of paragraph 55(2)(a);
(cc) respecting the personal health information in the custody or under the control of a custodian that may be stored outside Canada;
(cc.1) prescribing a custodian that is a public body for the purposes of subsection 56(1);
(cc.2) prescribing the form and manner of a privacy impact assessment;
(dd) prescribing the circumstances that give rise to a conflict of interest under subsection 60(4);
(ee) respecting the referral of a matter under this Act to a judge of The Court of Queen’s Bench of New Brunswick for review;
(ff) respecting an appeal of a matter under this Act to a judge of The Court of Queen’s Bench of New Brunswick;
(gg) adopting by reference, in whole or in part and with such changes as are considered necessary, any code, standard, guideline or similar document and may require compliance with the code, standard or guideline;
(hh) defining any word or expression used in this Act but not defined in this Act;
(ii) prescribing the manner in which a notice or a record shall be given to a person under this Act;
(jj) respecting all other matters necessary to carry out the provisions of this Act.

79(2) A regulation under subsection (1) may be made to apply to particular classes of custodians or persons or to particular classes of personal health information.

2009, c.53, s.12.

PART 8
REVIEW AND COMMENCEMENT

Review of this Act
80
Within 4 years after this Act comes into force, the Minister shall undertake a comprehensive review of the operation of the Act and shall, within one year after the review is undertaken or within such further time as the Legislative Assembly may allow, submit a report on the review to the Assembly.

Commencement
81
This Act or any provision of it comes into force on a day or days to be fixed by proclamation.

N.B. This Act was proclaimed and came into force September 1, 2010.
N.B. This Act is consolidated to March 26, 2012.

NEW BRUNSWICK
REGULATION 2010-112
under the
Personal Health Information
Privacy and Access Act
(O.C. 2010-271)
Filed August 23, 2010


Under section 79 of the Personal Health Information Privacy and Access Act, the Lieutenant-Governor in Council makes the following Regulation:

Citation
1
This Regulation may be cited as the General Regulation - Personal Health Information Privacy and Access Act.

Definitions
2
The following definitions apply in this Regulation.

“Act” means the Personal Health Information Privacy and Access Act. (Loi)

“electronic health record” means an electronic record of an individual’s personal health information that is accessible from interoperable systems within an information network. (dossier électronique de santé)

“information network” means an information network designated by the Minister under paragraph 37(6)(c) of the Act. (réseau d’information)

“Tri-Council Policy Statement” means the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans, 2nd Edition (December 2008), as amended from time to time. (Énoncé de politique des trois Conseils)

GENERAL

Designation of custodians
3
The following persons are designated as custodians for the purpose of the definition “custodian” in section 1 of the Act:
(a) a school or school district;
(b) a coroner appointed under the Coroners Act; and
(c) a successor who obtains custody of records containing personal health information held by a custodian.

Designation of health care facilities
4
A facility located within a building or premises, including a private residence or a provincial jail, in or from which health care is provided by a health care provider is designated as a health care facility for the purposes of the definition “health care facility” in section 1 of the Act.

Designation of health care providers
5
The following classes of persons are designated for the purpose of the definition “health care provider” in section 1 of the Act:
(a) social workers registered under the New Brunswick Association of Social Workers Act, 1988; and
(b) New Brunswick members of the Canadian Health Information Management Association.

Personal health information prescribed
6
Personal health information collected by an individual or organization for the purpose of providing or assisting in the provision of health care or treatment or the planning and management of the health care system or delivering a government program or service is prescribed for the purposes of paragraph 3(1)(b) of the Act.

Individuals or organizations to which the Act does not apply
7
The Act does not apply to the following individuals or organizations:
(a) the New Brunswick Insurance Board;
(b) the New Brunswick Human Rights Commission;
(c) the Labour and Employment Board established under the Labour and Employment Board Act;
(d) the Designation Appeal Board established under the Post-Secondary Student Financial Assistance Act;
(e) the Premier’s Council on the Status of Disabled Persons;
(f) a review board appointed under section 30 of the Mental Health Act;
(g) the Mental Health Services Advisory Committee established under the Mental Health Services Act;
(h) a tribunal appointed under section 7.5 of the Mental Health Act;
(i) a person, service or organization designated as psychiatric patient advocate services under the Mental Health Act;
(j) a review board established by the Restigouche Hospital Center Inc.; and
(k) the Appeals Tribunal established under the Workplace Health, Safety and Compensation Commission Act.

Acts to which the Act does not apply
8
The following Acts of the Legislature are prescribed for the purpose of paragraph 4(2)(b) of the Act:
(a) the Archives Act; and
(b) the Family Income Security Act.

FEES

Search and preparation fees
9
(1) An individual shall pay a search and preparation fee to a custodian if the custodian estimates that search and preparation related to the individual’s request to examine or receive a copy of the individual’s personal health information takes more than 2 hours.

9(2) The fee payable for search and preparation shall be $15 for each half-hour beyond the first 2 hours of search and preparation related to the individual’s request.

Copying fees
10
An individual shall pay the following copying fees to the custodian when the individual makes a request to examine or receive a copy of the individual’s personal health information:
(a) if the information in relation to the request is stored or recorded in printed form and able to be copied using a photocopier or computer printer, 25 cents for each page copied;
(b) if the information in relation to the request is not able to be copied using a photocopier or computer printer, the actual cost of providing copies of the request.

Computer programming and data processing fees
11
If a custodian requires the use of computer programming or incurs data processing costs in responding to a request to examine or receive a copy of an individual’s personal health information, the individual shall pay to the custodian
(a) ten dollars for each 15 minutes of internal programming or data processing; or
(b) the actual cost of external programming or data processing incurred by the custodian.

Mail and courier delivery
12
(1) No fee shall be payable by an individual to a custodian for mailing a request to examine or receive a copy of his or her personal health information by regular mail.

12(2) If courier delivery costs are necessary in responding to a request to examine or receive a copy of an individual’s personal health information, the custodian may charge to the individual the actual cost of the courier delivery.

Waiver of fees
13
A custodian may waive all or part of the fees payable under this Regulation if the custodian is satisfied that payment would impose an unreasonable financial hardship on the individual.

INFORMATION NETWORKS AND ELECTRONIC HEALTH RECORDS

Information networks
14
(1) Before designating an information network, the Minister, in writing, shall
(a) identify the type or nature of personal health information to be contained in the information network,
(b) identify the source, including other information networks, from which the personal health information may be collected in or by the information network,
(c) identify one or more of the purposes referred to in subparagraphs 37(6)(c)(i), (ii) and (iii) of the Act for which the information network is established,
(d) identify the purpose for which personal health information is recorded in or by the information network,
(e) identify the purpose for which personal health information may be disclosed by or from the information network,
(f) identify to whom personal health information contained in the information network may be disclosed, and
(g) identify and impose on the custodian limits or conditions on the collection, storage, use or disclosure of personal health information contained in or disclosed from an information network that are, in the opinion of the Minister, required for the privacy and security of the personal health information.

14(2) The information referred to in subsection (1) may be published on the Internet or disseminated in such other manner as the Minister considers appropriate.

Electronic health record
15
An electronic health record, once created by the Minister, is established for each individual and compiled within an information network designated by the Minister for the purpose referred to in subparagraph 37(6)(c)(iii) of the Act.

MISCELLANEOUS

Registry of personal health information
16
The following custodians are designated for the purpose of compiling or maintaining a registry of personal health information under paragraph 37(6)(d) of the Act:
(a) the Minister;
(b) a regional health authority;
(c) FacilicorpNB Ltd.;
(d) Ambulance New Brunswick Inc.; and
(e) the Canadian Blood Services.

Research review body
17
For the purposes of subsection 43(2) of the Act, a research review body shall be established and operated in conformity with the Tri-Council Policy Statement.

Disclosure outside the Province
18
A custodian may, under section 47 of the Act, disclose personal health information relating to an individual that is collected in the Province to a person outside the Province in circumstances described in section 43 of the Act.

Breach of privacy
19
(1) If a breach of privacy referred to in subparagraph 49(1)(c)(i), (ii) or (iii) of the Act occurs, the custodian of the personal health information shall, at the first reasonable opportunity, give notice to
(a) the person to whom the information relates in person, by telephone or in writing, and
(b) the Commissioner.

19(2) When giving notice under subsection (1), the custodian shall provide the following information:
(a) the name of the custodian;
(b) the name and contact information of the person designated by the custodian to respond to inquiries about the custodian’s information practices;
(c) a description of the nature of the breach of privacy;
(d) the date and location of the breach of privacy; and
(e) the date the breach of privacy came to the attention of the custodian.

Security requirements
20
(1) A custodian shall establish and comply with a written policy and procedures with respect to information practices for the protection of personal health information containing the following requirements:
(a) measures to protect the security of personal health information during its collection, use, disclosure, storage and destruction;
(b) measures, for example by the use of passwords and encryption, to ensure that removable media used to record, transport or transfer personal health information is appropriately protected when in use;
(c) measures to ensure that removable media used to record personal health information is stored securely when not in use;
(d) measures to ensure that personal health information is maintained in a designated area and is subject to appropriate security safeguards;
(e) measures that limit physical access to designated areas containing personal health information to authorized persons;
(f) procedures that provide for the recording of security breaches; and
(g) corrective procedures to address security breaches.

20(2) A custodian shall keep a record of all security breaches by recording the security breaches and corrective procedures taken to diminish the likelihood of future breaches.

Information managers
21
A written agreement for the provision of personal health information between a custodian and information manager referred to in subsection 52(3) of the Act shall describe
(a) the services to be provided to the custodian, and
(b) the administrative, technical and physical safeguards employed by the information manager relating to the confidentiality, security, accuracy and integrity of the personal health information.

Personal health information stored outside Canada
22
Information managers providing a public body with information management or information technology services may store personal health information in their custody or in their control outside Canada.

Commencement
23
This Regulation comes into force on September 1, 2010.

N.B. This Regulation is consolidated to August 23, 2010.