R-22.1, r. 2 - Regulation respecting the governance of health and social services information

Occurrences0
Full text
Updated to 1 October 2024
This document has official status.
chapter R-22.1, r. 2
Regulation respecting the governance of health and social services information
Act respecting health and social services information
(chapter R-22.1, s. 90, 1st par., 2nd par., subpars. 1, 2 and 4).
CHAPTER I
RESPONSIBILITIES OF BODIES
M.O. 2024-010, c. I.
1. A body must ensure that the members of its personnel and the professionals practising their profession within the body, including students and trainees, receive training regarding the protection of information recognized by the Minister as soon as they begin working or practising their profession within the body.
The obligation set out in the first paragraph also applies in respect of the following persons who exercise their functions within the body:
(1)  volunteers exercising the activities described in sections 39.7 and 39.8 of the Professional Code (chapter C-26);
(2)  employees provided by a personnel placement agency subject to the requirement to hold a personnel placement agency licence pursuant to section 92.5 of the Act respecting labour standards (chapter N-1.1) or persons who are independent labour referred to in section 338.2 of the Act respecting health services and social services (chapter S-4.2).
M.O. 2024-010, ss. 1 and 18.
2. A body must see to it that the members of its personnel and the professionals practising their profession within the body, including students and trainees, and the persons referred to in the second paragraph of section 1, undergo refresher training regarding the protection of information on an annual basis.
The refresher training concerns, in particular,
(1)  the roles and responsibilities of the members of the body’s personnel and of the professionals practising their profession within the body, including students and trainees, with regard to the information held by the body;
(2)  the rules and terms for keeping, destroying and anonymizing information;
(3)  the security measures for ensuring the protection of information put in place by the body, in particular to minimize the risk of a confidentiality incident;
(4)  the procedure for processing confidentiality incidents; and
(5)  the safe use of the body’s technological products or services.
M.O. 2024-010, s. 2.
3. A body must keep proof of any consent it receives in accordance with section 6 of the Act respecting health and social services information (chapter R-22.1).
M.O. 2024-010, s. 3.
4. A body must identify, among the members of its personnel and the professionals practising their profession within the body, a person in charge of ensuring that the person who makes a notice of restriction under section 3 of the Regulation respecting the application of certain provisions of the Act respecting health and social services information (chapter R-22.1, r. 1) has been adequately informed, in clear and simple language, of the potential consequences and risks associated with exercising the right of restriction.
The service provider who received the notice may forward the information referred to in the first paragraph to the person who makes the notice of restriction. Failing that, the person in charge or any person they designate may contact and provide the information to the person who makes the notice.
M.O. 2024-010, s. 4.
5. A body must take the necessary measures to ensure that the information it holds remains usable despite any incident affecting the medium on which it is stored.
M.O. 2024-010, s. 5.
6. At least once a year, a body must
(1)  analyze the relevance of the categories of persons identified in the body’s information governance policy adopted under section 105 of the Act respecting health and social services information (chapter R-22.1) and, where applicable, review those categories; and
(2)  assess the compliance of logging mechanisms, where applicable, and of the register of communications referred to in section 265 of the Act, as well as the effectiveness of the security measures put in place by the body to ensure the protection of the information that the body holds and, where necessary, review the register and those measures.
M.O. 2024-010, ss. 6 and 19.
7. A body must, on a monthly basis, analyze accesses to the information it holds and all other uses and communications of that information, in particular to detect situations that do not comply with applicable standards and, where applicable, to take the appropriate measures.
Despite the first paragraph, a body referred to in Schedule II to the Act respecting health and social services information (chapter R-22.1) has an obligation to conduct such an analysis at least once a year.
M.O. 2024-010, s. 7.
8. A body, other than a body referred to in Schedule II to the Act respecting health and social services information (chapter R-22.1), must set up a committee on the governance of information responsible for supporting the person exercising the highest authority within the body in the exercise of the person’s responsibilities under the Act respecting health and social services information.
The committee is under the responsibility of the person exercising the highest authority within the body. The committee is composed of the person in charge of the protection of information, the person designated under section 16 of this Regulation, and any other person whose expertise is required, including, where applicable, the person responsible for document management.
M.O. 2024-010, s. 8.
9. A body must ensure that records containing information it holds are kept in a manner that ensures their integrity.
In addition, information entered or recorded on the same medium must be entered or recorded in a uniform manner so as to facilitate its use or communication.
M.O. 2024-010, s. 9.
CHAPTER II
TERMS FOR KEEPING AND DESTROYING INFORMATION
M.O. 2024-010, c. II.
10. A body must keep the information it holds in a manner that ensures its protection at all times, in particular by taking the necessary measures to control access to the premises where the information is kept.
M.O. 2024-010, s. 10.
11. A body must ensure that the information it holds that is subject to a restriction of access under section 7 of the Act respecting health and social services information (chapter R-22.1) or a refusal of access under section 8 of the Act is kept in a manner that complies with that restriction or refusal.
M.O. 2024-010, s. 11.
12. The destruction of any information held by a body must be done in a secure manner adapted to the sensitivity of the information and the medium on which it is stored, in keeping with generally accepted best practices. The destruction must be irreversible to prevent the reconstitution of the information.
M.O. 2024-010, s. 12.
13. Where the destruction of information held by a body is entrusted to a third person, the body must enter into a contract in writing with the third person for that purpose.
In addition to the elements referred to in the second paragraph of section 77 of the Act respecting health and social services information (chapter R-22.1), the contract must set out
(1)  the procedure for the destruction of the information;
(2)  where applicable, the third person’s obligation to render an account to the body of the destruction of the information; and
(3)  the obligation, for a third person that retains a person or group to perform the contract, to notify the body and ensure that the person or group complies with the other obligations incumbent on the third person under the contract.
For the purposes of subparagraph 3 of the second paragraph, the confidentiality agreement provided for in subparagraph a of subparagraph 3 of the second paragraph of section 77 of the Act respecting health and social services information and the notice provided for in subparagraph c of that subparagraph must be sent to the third person by the person or group.
M.O. 2024-010, s. 13.
14. A body must keep proof of any destruction of information.
M.O. 2024-010, s. 14.
CHAPTER III
MAINTENANCE AND EVALUATION OF TECHNOLOGICAL PRODUCTS OR SERVICES
M.O. 2024-010, c. III.
15. A body must take the necessary measures to avoid or mitigate any potential impact on the exercise of its functions or the carrying on of its activities due to the fact that a technological product it uses no longer complies with its intended use or a technological service it uses is no longer provided.
To that end, the body must, in particular, keep a calendar of the known or expected dates on which such products or services are to be terminated for the purpose of analyzing, in a timely manner, the relevance of maintaining or replacing them.
M.O. 2024-010, s. 15.
16. A body must designate, from among the members of its personnel and the professionals practising their profession within the body, a person in charge of ensuring the application of the standards applicable to the technological products or services the body uses, in particular the special rules defined by the network information officer under section 97 of the Act respecting health and social services information (chapter R-22.1).
That person is also in charge of supervising the implementation and maintenance of the security measures for ensuring the protection of the information contained in those products or services.
M.O. 2024-010, s. 16.
17. At least once every other year, a body must ensure that the products or services it uses undergo an evaluation pertaining to the standards referred to in the first paragraph of section 16 of this Regulation.
However, such an evaluation must be conducted every time a special rule referred to in that paragraph and pertaining to such a product or service is modified.
M.O. 2024-010, s. 17.
CHAPTER IV
TRANSITIONAL AND FINAL
M.O. 2024-010, c. IV.
18. Until 1 December 2024, section 1 of this Regulation must be read by replacing subparagraph 2 of the second paragraph by the following paragraph:
“(2) employees provided by a personnel placement agency subject to the requirement to hold a personnel placement agency licence pursuant to section 92.5 of the Act respecting labour standards (chapter N-1.1) or persons who are independent labour referred to in section 338.2 of the Act respecting health services and social services (chapter S-4.2).”.
M.O. 2024-010, s. 18.
19. Until the coming into force of section 103 of the Act respecting health and social services information (chapter R-22.1), section 6 of this Regulation must be read by replacing subparagraph 2 by the following paragraph:
“(2) assess the compliance of logging mechanisms, where applicable, and of the register of communications referred to in section 265 of the Act, as well as the effectiveness of the security measures put in place by the body to ensure the protection of the information that the body holds and, where necessary, review the register and those measures.”.
M.O. 2024-010, s. 19.
20. (Omitted).
M.O. 2024-010, s. 20.
REFERENCES
M.O. 2024-010, 2024 G.O. 2, 2145