Health Information Regulations

Regulation

Registration: R-089-2015
Source: Unofficial consolidation PDF (justice.gov.nt.ca)
Under: Health Information Act

This is an unofficial reading copy parsed from the Department of Justice consolidation PDF above — itself an office consolidation, not an official statement of the law. The authoritative text is in the Revised Statutes of the Northwest Territories, 1988 and the annual Statutes volumes.

s.1 amended by R-073-2016,s.2 in force Aug. 1, 2016 (SI-008-2016)
s.3 amended by R-039-2017,s.2 in force April 1, 2017
s.20 amended by Health Information Act

Cites

Cited by

None.

Contents

1. 1 2. 2 3. 3 4. 4 5. 5 6. 6 7. 7 8. 8 9. 9 10. 10 11. 11 12. 12 13. 13 14. 14 15. 15 16. 16 17. 17 18. 18 19. 19 20. 20 SCHEDULE ANNEXE

The Commissioner, on the recommendation of the Minister, under section 195 of the Health Information Act and every enabling power, makes the Health Information Regulations.

General

(1) For the purposes of paragraph (d) of the definition "health information custodian" in subsection 1(1) of the Act, the following organizations, responsible under the Hospital Insurance and Health and Social Services Administration Act for the management, control and operation of one or more facilities from which health services are provided, are prescribed as health information custodians:

(a) Hay River Health and Social Services Authority;

(b) Northwest Territories Health and Social Services Authority;

(2) The chief executive officer of each organization listed in subsection (1) is prescribed, for the purposes of paragraph 7(b) of the Act, as the person responsible, on behalf of the organization, for the exercise of powers and performance of duties and other functions of that organization under the Act and the regulations. R-073-2016,s.2.

The following are health services for the purposes of the definition "health service" in subsection 1(1) of the Act:

(a) addiction services including addiction treatment, counselling and detoxification;

(b) organ and tissue donation and transplantation;

For the purpose of subsection 13(2) of the Act, an information management agreement between a public custodian and any branch or division of the Government of the Northwest Territories responsible for government-wide information technology services, information management services or information system services, is not required. R-039-2017,s.2.

(1) In this section,

"relative" means a relative as defined in subsection 47(1) of the Act; (parent)

"tissue" means tissue as defined in section 1 of the Human Tissue Donation Act. (tissu)

(2) The following are prescribed under subsection 25(1) as individuals who may exercise a right or power of another individual under this Act:

(a) if the individual is deceased, the exercise of the right or power relates to the transplantation of tissue of the deceased and the right or power is exercised for the purpose of facilitating that transplantation, a person who may consent to the transplantation of tissue under section 5 of the Human Tissue Donation Act;

(b) if the individual is deceased and the exercise of the right or power does not relate to the administration of the deceased’s estate, a relative of the deceased or an adult person with whom the deceased had a close personal relationship.

(1) The following are persons or organizations to which personal health information may be disclosed under section 61 of the Act:

(a) Northwest Territories Bureau of Statistics;

(b) Canadian Institute for Health Information.

(2) For the purposes of section 61 of the Act, an information sharing agreement referred to in that section must contain a provision prohibiting the disclosure of identifiable personal health information without the consent of the individual whose information is to be disclosed.

(3) For the purposes of paragraph 61(3)(a) of the Act, consent is only required if the statistical information to be disclosed may reasonably be considered identifiable personal health information and, in that case, an information sharing agreement may only authorize disclosure of that information if the public custodian obtains the consent of the affected individuals prior to disclosure.

(1) For the purposes of section 63 of the Act, a public custodian is prescribed as a health information custodian who must disclose personal health information to designated electronic health information systems.

(2) For the purposes of section 63 of the Act

(a) the document "Health Information Act - Designated Electronic Health Information Systems", published by the Department of Health and Social Services, as amended from time to time, is adopted; and

(b) the electronic health information systems listed in the document adopted under paragraph (a) are designated.

(3) Disclosure to electronic health information systems required under section 63 of the Act must occur as those systems become available to a public custodian or an agent of a public custodian.

(1) In this section, "Tri-Council Policy Statement" means the Canadian Institutes of Health Research, Natural Sciences and Engineering Research Council of Canada, and Social Sciences and Humanities Research Council of Canada, Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans, December 2010.

(2) The Tri-Council Policy Statement, as amended from time to time, is adopted for the purposes of this section.

(3) A research ethics committee designated under section 68 of the Act shall operate in conformity with the Tri-Council Policy Statement.

Record of Activity

(1) In this section, "record of activity" means a report prepared by a health information custodian in respect of an individual’s personal health information, containing

(a) a list of users who accessed an individual’s information through an electronic health information system over a given period of time;

(b) the dates and times the information was accessed; and

(2) If an individual requests a record of activity from a health information custodian, the health information custodian shall process the request in accordance with Part 5 of the Act.

(3) The rules and procedures governing access requests set out in the Act apply equally to a request for a record of activity.

Fees for Individuals

(1) An individual who makes an access request under section 96 of the Act shall pay a fee to a health information custodian in accordance with this section if the health information custodian estimates that the costs associated with providing access will be greater than $100.

(2) For each activity associated with providing access and described in Column 2 of the table set out in Part 1 of the Schedule, the fee payable for that activity is the corresponding amount set out in Column 3 of that table.

(3) There is no fee for the following:

(a) access of personal health information through a patient portal;

(b) if the information is held by a public custodian, examination of personal health information at a health facility during regular business hours under subsection 103(2) of the Act.

10.

An estimate of fees and disbursements prepared under subsection 104(2) of the Act must address all applicable fees set out in Part 1 of the Schedule.

11.

(1) For the purposes of paragraph 104(4)(d), an invoice under subsection 104(3) of the Act must be given to an applicant, along with the custodian’s written response required under subsection 101(1) of the Act, within 10 days after the health information custodian receives the applicant’s confirmation under paragraph 104(2)(b) of the Act to proceed with the access request.

(2) The amount of an invoice provided under subsection 104(3) of the Act must not exceed the amount set out in a corresponding estimate provided under subsection 104(2) of the Act.

(3) If the actual cost of providing access is less than the amount paid in accordance with an invoice provided under subsection 104(3) of the Act, the health information custodian shall refund the overpayment.

Fees for Researchers

12.

(1) If, under subsection 80(2) of the Act, an agreement between a health information custodian and a researcher requires the payment of fees and disbursements, those fees and disbursements shall be paid in accordance with this section.

(2) For each activity associated with providing access and described in Column 2 of the table set out in Part 2 of the Schedule, the fee payable for that activity is the corresponding amount set out in Column 3 of that table.

(3) Access to records under an agreement between a health information custodian and a researcher is subject to the payment of applicable fees and disbursements.

Safeguards

13.

(1) The administrative, technical and physical safeguards required under section 85 of the Act must include

(a) measures to protect personal health information through an assessment of re-identification risk and the application of de-identification procedures as required;

(b) measures to protect network infrastructure from interruption and unauthorized access and use;

(d) measures to prevent and respond to problems involving hardware and software that might threaten the security, confidentiality or integrity of personal health information;

(e) measures to protect hardware and software from unauthorized access and use;

(f) measures to protect personal health information stored and transported on removable media;

(g) a requirement that personal health information be maintained in a designated area subject to appropriate security safeguards;

(h) a requirement that access to personal health information be monitored on an ongoing basis for the purpose of ensuring that only authorized access is occurring;

(i) procedures that provide for the recording, reporting and investigation of security and privacy breaches; and

(j) procedures that provide for effective prevention of, response to and remediation of security and privacy breaches.

(2) For the purposes of section 85 of the Act, measures to maintain safeguards must be proportionate to any threat to the security, confidentiality or integrity of personal health information.

(3) A health information custodian shall review its compliance with and the effectiveness of its administrative, technical and physical safeguards on an annual basis.

Breaches

14.

A health information custodian shall

(a) take reasonable steps following a security or privacy breach to investigate the breach and to ensure that a breach does not occur again;

(b) keep a record of any security or privacy breach and any corrective measures taken as a result; and

(c) take reasonable disciplinary measures against an agent who fails to comply with a provision of the Act, these regulations or any standard, policy, procedure or safeguard relating to the Act or these regulations, having regard for

(i) the nature of the breach,

(ii) whether the breach was intentional or not, and

(iii) whether the agent has previously committed a breach.

15.

(1) For the purposes of section 87 of the Act and subject to subsection (2), a health information custodian shall give notice to

(a) the Information and Privacy Commissioner; and

(b) law enforcement officials

(i) if personal health information is lost or stolen, or

(ii) if, through fraud or identity theft, personal health information is disclosed, altered, destroyed or otherwise disposed of.

(2) A health information custodian is not required to give notice to the Information and Privacy Commissioner of an incident involving the loss or unauthorised use, destruction or alteration of personal health information if the loss, use, destruction or alteration does not present a reasonable risk of harm to the affected individual.

Calculation of Time

16.

(1) The time referred to in subsections 101(1), 104(1), (2) and (4), 105(2), 107(2), 120(1), 122(1) and (2), 124(2), 129(2), 142(1), 153(2), 156(1) and (2) and 159(3), 160(1) and (2) and 161(1) and (2) of the Act begins to run,

(a) if the request, information, decision, report or notice is delivered in person or by telephone, on the day it is delivered;

(b) if the request, information, decision, report or notice is sent by fax, email or other electronic transmission, on the day it is sent; and

(2) A request, information, decision, report or notice sent by mail is deemed to have been received 10 days after the day it was sent.

17.

(1) The time referred to in subsections 104(5) and 122(3) of the Act begin to run,

(a) if the request, estimate or invoice is delivered in person or by telephone, on the day it is delivered;

(b) if the request, estimate or invoice is sent by fax, email or other electronic transmission, on the day it is sent; and

(2) A request, estimate or invoice sent by mail is deemed to have been received 10 days after the day it was sent.

18.

For the purposes of subsections 103(1) and (2) of the Act, a response is given and time begins to run on the day on which a response is sent to the applicant.

19.

For the purposes of subsections 105(1), 107(1), 124(1) and section 158 of the Act, a request is made or notice is given and time begins to run on the day on which a request or notice of decision is sent to the Information and Privacy Commissioner.

20.

These regulations come into force on the day the Health Information Act, S.N.W.T. 2014, c.2, comes into force.

SCHEDULE

FEES

Part Fees for Individuals

Column 1 Column 2 Item Activity

1 Printing or copying

2 Provision of electronic copies

3 Shipping by regular mail or courier

4 Computer programming/Data processing

5 Supervision of applicant’s examination of information not held by a public custodian

ANNEXE

DROITS

Partie Droits exigibles pour

Colonne 1 Colonne 2 No Activités

1 Imprimer et copier

2 Fournir des copies électroniques

3 Expédier par poste régulière ou par service messagerie

4 Programmation informatique/Traitement des données

5 Surveillance du demandeur qui examine des renseignements qui ne sont pas conservés par un dépositaire public Part Fees for Researchers