New Authority Created under PHIPA: Consumer Electronic Service Providers (CESPs)


What is a CESPs

On March 25, 2020, PHIPA officially changed to include a new authority called Consumer Electronic Service Provider (CESP). A CESPs is an organization that provides electronic services for individuals to access, use, disclose, modify, maintain, or otherwise manage their personal health records. CESPs have also received the authority to use health numbers to verify and individual identity. Regulations will eventually be provided for CESPs to provide more clarity regarding the standards and rules under which they must operate as well as possibly introduce additional purposes services that CESP’s can offer.


Why was it necessary to amend PHIPA

Previously, technological applications providing services directly to the public/patients for managing their own Personal Health Information (PHI) did not have specific legislative authorities under which they could operate. As a result, hospitals, the Ministry of Health, and other health information custodians were forced to create their own rules or fit these types of providers into existing categories under PHIPA, none of which worked perfectly.


What are the impacts to Health Information Custodians

The Health Information Custodian will need to choose whether they want to respond to an individual’s access requests received from CESP’s. Before deciding on whether to accept the offer a Health Information Custodian should consider the following:

· Whether the CESPs is a legitimate company and feels comfortable that the request from the individual is authentic

· Whether the CESP’s privacy policy and terms and conditions explain the flow of information and the purposes for which the CESPs is using the information in clear, understandable language.


What are the impacts to CESPs?

· It may soon be clearer what the requirements are for your business if you request PHI on behalf of patients from health care providers, and what your privacy compliance obligations are when it comes to your business

· Keep an eye on this page for updates when the regulations come into force


Full text of the PHIPA amendments can be found here Bill 188

Specific Sections related to Consumer Electronic Service Providers:

Consumer electronic service providers

54.1 (1) In this section,

“consumer electronic service provider” means a person who provides electronic services to individuals at their request, primarily for,

(a) the purpose of allowing those individuals to access, use, disclose, modify, maintain or otherwise manage their records of personal health information, or

(b) such other purposes as may be prescribed.

Prescribed requirements

(2) In providing electronic services to an individual, a consumer electronic service provider shall comply with the prescribed requirements.

Health number

(3) Despite section 34, a consumer electronic service provider may, if authorized by the individual who requested the provider’s services, collect and use health numbers in accordance with any prescribed rules in order to verify the identity of an individual or for any other prescribed purpose.

Health information custodians

(4) A health information custodian that provides personal health information to a consumer electronic service provider shall comply with any prescribed requirements or procedures.

Not required to respond through consumer electronic service provider

(5) For greater certainty, a health information custodian that receives an individual’s request for access to their records of personal health information from a consumer electronic service provider is not required to provide the personal health information to the consumer electronic service provider in responding to the request.


10 views0 comments