What is a CESP?
On March 25, 2020, PHIPA officially changed to include a new authority called Consumer Electronic Service Provider (CESP). A CESP is an organization that provides electronic services for individuals to access, use, disclose, modify, maintain, or otherwise manage their personal health records. CESPs have also received the authority to use health numbers to verify an individual's identity. Regulations will eventually be provided for CESPs to give more clarity regarding the standards and rules under which they must operate, and possibly to introduce additional purposes or services that CESPs can offer.
Why was it necessary to amend PHIPA?
Previously, technological applications providing services directly to the public/patients for managing their own Personal Health Information (PHI) did not have specific legislative authorities under which they could operate. As a result, hospitals, the Ministry of Health, and other health information custodians were forced to create their own rules or fit these types of providers into existing categories under PHIPA, none of which worked perfectly.
What are the impacts to Health Information Custodians?
The Health Information Custodian will need to choose whether they want to respond to an individual’s access requests received from CESPs. Before deciding whether to accept the offer, a Health Information Custodian should consider the following:
· Whether the CESP is a legitimate company, and whether the custodian feels comfortable that the request from the individual is authentic
What are the impacts to CESPs?
· It may soon be clearer what the requirements are for your business if you request PHI on behalf of patients from health care providers, and what your privacy compliance obligations are when it comes to your business
· Keep an eye on this page for updates when the regulations come into force
The full text of the PHIPA amendments can be found here: Bill 188
Specific Sections related to Consumer Electronic Service Providers:
Consumer electronic service providers
54.1 (1) In this section,
“consumer electronic service provider” means a person who provides electronic services to individuals at their request, primarily for,
(a) the purpose of allowing those individuals to access, use, disclose, modify, maintain or otherwise manage their records of personal health information, or
(b) such other purposes as may be prescribed.
(2) In providing electronic services to an individual, a consumer electronic service provider shall comply with the prescribed requirements.
(3) Despite section 34, a consumer electronic service provider may, if authorized by the individual who requested the provider’s services, collect and use health numbers in accordance with any prescribed rules in order to verify the identity of an individual or for any other prescribed purpose.
Health information custodians
(4) A health information custodian that provides personal health information to a consumer electronic service provider shall comply with any prescribed requirements or procedures.
Not required to respond through consumer electronic service provider
(5) For greater certainty, a health information custodian that receives an individual’s request for access to their records of personal health information from a consumer electronic service provider is not required to provide the personal health information to the consumer electronic service provider in responding to the request.