The Government of Newfoundland and Labrador announced, on 27 September 2017, the release of its updated statutory review report ('the Report') on the Personal Health Information Act 2011 ('the PHIA'), following the closure of the statutory review of the PHIA. The Report summarises the submissions received from interested individuals on amending the PHIA, including those related to privacy impact assessments ('PIAs'), the assignment of custodianship of medical files, ensuring the confidentiality of patient information, and penalties for violations of the PHIA.

In particular, the Report suggests that the PHIA fails to adequately anticipate the situation where custodians could have 'joint custodianship' over patient files, owing to their shared control over such information, and suggests that such a situation be precluded under the PHIA. Moreover, with regard to PIAs, the Report opines that the requirement 'to take steps that are reasonable in the circumstances' to ensure the security of personal health information under Section 15(1) of the PHIA should be expanded upon, to introduce Section 13(2) of the PHIA specifying the procedure for undertaking PIAs and the requirements for including the results of PIAs into an organisation's decision-making processes, and to be submitted to the Office of the Information and Privacy Commmissioner of Newfoundland and Labrador ('OIPC').

Lastly, the Report includes recommendations that Section 15 of the PHIA be amended to ensure that data breaches of personal health information are reported to the OIPC if individuals are notified that personal health information about them has been compromised, unless such notification could reasonably be expected to result in a risk of serious harm to the mental or physical health or safety of the individual who is the subject of the information or another individual.

You can read the press release here and the Report here.