July 25, 2024

At the intersection of healthcare tech, data and oversight: Connected Care for Canadians Act

The Minister of Health introduced Bill C-72, the Connected Care for Canadians Act (the Act), on June 6 before the summer recess. The aim of the Act is to promote the accessibility of health information for Canadians and healthcare professionals and prohibit data blocking by health information technology vendors (Vendors), creating an interoperable and secure exchange of electronic health information and increasing cooperation between federal, provincial and territorial governments.

What you need to know

  • The purpose of the Act is to promote a person-centered health system by setting interoperability requirements and prohibiting data blocking by Vendors.
  • The Act applies to Vendors and the health information technology that they license, sell, or supply as a service. In some cases, this may include parties that haven’t previously been touched by health privacy laws, as well as some healthcare service providers.
  • To ensure compliance and enforcement, the Act will allow the government to set up a system to receive complaints, verify compliance and apply administrative monetary penalties for non-compliance.
  • Similar to the Personal Information Protection and Electronic Documents Act, the Act will only apply in provinces or territories that do not “have requirements that are substantially similar to or exceed those established under this Act”1.
  • The Act could, if passed, necessitate the renegotiation of contracts between Vendors, service providers and/or healthcare providers to ensure that any health information technology in use meets the Act’s requirements.

The scope of the Act

The Act, if passed, would apply to any “individual, corporation, joint venture, partnership or unincorporated organization or association that licenses or sells health information technology or supplies it as a service”2. Similarly, health information technology includes a wide range of hardware, software and other designations that concern the use or exchange of electronic health information and related activities. Notably, the definition of “electronic personal health information” captures personal health information regardless of whether it has been de-identified, and the definition of “personal health information” has been broadly drafted as well to include the following information with respect to living or deceased individuals:

  • any information concerning the physical or mental health of the individual;
  • any information concerning any health service provided to the individual;
  • any information concerning the donation by the individual of any body part or bodily substance of the individual or any information derived from the testing or examination of a body part or bodily substance of the individual;
  • any information that is collected in the course of providing health services to the individual; or
  • any information that is collected incidentally to the provision of health services to the individual.

The definitions are subject to amendment through regulations.

The main requirements of the Act

Interoperability and data blocking

The Act’s main requirements apply primarily to Vendors, to ensure that the health information technology that they license, sell or supply as a service is interoperable. To be interoperable, the technology must:

  • allow the user to access and use all electronic health information easily, completely and securely;
  • exchange all electronic health information with other health information technologies (to the extent such access, use or exchange is permitted by law); and
  • meet any additional requirements set by regulations.

The Act also includes a prohibition on “data blocking” for Vendors, meaning a practice or act that prevents, discourages or interferes with access to or the use or exchange of electronic health information.

Additional regulatory powers introduced

The Act would allow the government to set up a system to receive complaints, verify compliance and apply administrative monetary penalties for non-compliance. Indeed, much of the underlying substance of the Act is currently left to regulation. As it stands, the Act would allow the government to make regulations regarding:

  • standards/specifications for interoperability, and further specification regarding permissible and impermissible instances of data blocking;
  • how and when the Minister of Health would be authorized to verify compliance with the Act;
  • a system of administrative monetary penalties for contravention of the Act’s main requirements;
  • the method of review for the Minister’s decisions on compliance or non-compliance; and
  • setting the criteria to determine whether a given province or territory has requirements that are substantially similar to or exceed the Act’s requirements.

Notable implications for service and healthcare providers

If the Act comes into force, we expect further specificity and standards to be set out by regulation. Without defining common standards, it’s difficult to imagine how Vendors will comply with the Act.

Nevertheless, we expect the Act’s application to be broad. Given this, Vendors and health care providers should start considering whether existing processes and contracts are hindering interoperability or are leading to data blocking. In the short term, and in the absence of further regulation and guidance, Vendors should look closely at existing provincial standards to get a better sense of the government’s likely direction.

In addition to monitoring the Act’s progress, Vendors should be considering how they can incorporate interoperability into their products and services by design—whether as part of a new product or service, or during the update cycle. Conforming to data standards and protocols already in place in the provinces will help Vendors meet the requirements of the Act (once finalized) to support a connected, secure and accessible healthcare information system.

When the Act comes into force, there is a high likelihood that existing agreements between Vendors and healthcare service providers, such as public hospitals, may not have been negotiated in a manner consistent with the Act’s requirements—particularly when it comes to requirements regarding permitted uses and disclosures of electronic healthcare information with third parties. For some Vendors, this will be new territory, as existing healthcare data governance legislation may not have applied to their activities.

In the meantime, Vendors and healthcare service providers will continue to monitor the Act’s progress and hope for clear regulation and guidance.



This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.


© 2024 by Torys LLP.

All rights reserved.