I. Introduction
The Act Respecting Health and Social Services Information (AHSSS) is a major health data regulation governing how health and social services information is collected, used, and shared in Quebec.
The regulation introduces confidentiality obligations, a governance framework, the rights of individuals to control and access their personal health information, and requirements for service providers and researchers who wish to access such data for their operational needs.
Critical provisions of the regulation, such as access rights, penalties for non-compliance, responsibilities for various entities, and how the law is to be enforced, are covered in detail below.
All such details are essential for businesses operating in Quebec's health sector, as compliance with the regulation requires a thorough understanding of the intricacies of the obligations it places on healthcare providers, researchers, and technology suppliers.
Read on to learn how to stay compliant with the AHSSS while leveraging the information resources responsibly.
II. Definitions of Key Terms
A. Confidentiality Incident
Access to information or any other use or communication of information not authorized by law, the loss of information, or any other breach of its protection.
B. Research Project
A process aimed at developing knowledge, in particular for innovation purposes, by means of a structured study or systematic investigation.
C. Technological Product or Service
Equipment, an application, or a service required to collect, keep, use, or communicate information, such as a database or an information system, a telecommunications system, technological infrastructure, software, or a computer component of medical equipment.
D. Service Provider
A natural person who offers services in the field of health and social services within a health and social services body or who provides such a person with technical or administrative support services.
E. Health and Social Services Bodies
Health and social services bodies refer to the following:
- The Ministère de la Santé et des Services sociaux;
- A person or a group referred to in Schedule I or Schedule II of this Act;
- Santé Québec, an institution other than a Santé Québec institution, and the Nunavik Regional Board of Health and Social Services, established under section 530.25 of the Act respecting health services and social services for the Inuit and Naskapi;
- A person or a group not already referred to in this section that enters into an agreement with a health and social services body concerning the provision of health services or social services on behalf of that body;
- Any other person or group determined by government regulation, to the extent determined by the Government.
III. Obligations for Organizations Under the AHSSS
A. Consent Requirements
All information held by a body is confidential and, except where this Act otherwise allows, may only be used or communicated with the consent of the person concerned. Consent to the use or communication of information must be clear, free, and informed, and given for specific purposes.
Consent is valid only for the time needed to achieve the purpose for which it was given. For a minor under 14, consent is given by the person holding parental authority or by the tutor. A minor 14 or older gives consent personally, unless the law requires the consent of the person holding parental authority.
Other government regulations may determine the various terms on which the person is to consent.
A person may restrict access to their information held by a body by a particular service provider, or by any service provider belonging to a category of service providers, that they do not wish to have access to it. Such a restriction may be disregarded where it could endanger the life or integrity of the person concerned and it is impossible to obtain their consent to lift it in time.
Additionally, a person may refuse the following persons access to their current or future information from the moment it becomes available and accessible by a body:
- The person's spouse or close relative, if the access sought is in connection with a grieving process;
- The person's spouse, direct ascendant, or direct descendant, in the case of information related to the cause of the person's death;
- A researcher, if the access sought is to solicit the person's participation in a research project;
- A researcher who is not attached to a body referred to in Schedule I of this law, a public institution, or a private institution under an agreement that operates a hospital center.
A person's decision to restrict or refuse access must be expressed explicitly, in the manner prescribed by government regulation.
At the same time, a person's right to receive health services and social services may not be compromised by the person's decision not to consent to the use or communication of information concerning them held by a body.
Likewise, this Act does not prevent a body from communicating information it holds where the communication is required by the Public Protector or by a summons, subpoena, warrant, or order issued by a person or body with the power to compel it.
B. Data Minimization Requirements
Any information collected by a body must be strictly limited to what is necessary to fulfill its mission or purpose, exercise its functions, carry out its activities, or implement a program under its management.
Anyone who collects information from the person concerned must inform them, in clear and simple language, of the following at the time of collection and, on request, at any later time:
- Name of the body collecting the information, or on whose behalf it is collected;
- Purposes for which the information is collected;
- Means by which the information is collected;
- The person's right to have access to the information or to have it rectified;
- The possibility of restricting or refusing access to the information;
- The period of time during which the information will be kept.
Additionally, anyone who collects information from the person concerned using technology that allows the person to be identified, located, or profiled must first inform the person of:
- The use of such technology;
- The means available to activate the functions that identify, locate, or profile the person.
C. Data Retention Requirements
A body cannot keep any information beyond the time required to achieve the purpose for which it was collected or used, subject to the Archives Act and the Professional Code.
The Government may, by regulation, set a minimum period for which a body must keep the information it collects; that period may vary by category of information or of body. The regulation must extend the retention period for information obtained under the Youth Protection Act.
D. Use Of Information Within A Body
Information held by a body may be used within the body by any person belonging to a category of persons identified in the information governance policy adopted by the body, where the information is necessary for the purpose for which it was collected. Such persons may use it for another purpose only if one of the following applies:
- The new purpose is consistent with the purpose for which the information was collected;
- The use is clearly for the benefit of the person concerned;
- The use is necessary for the application of an Act in Québec.
Information held by a body may also be used within the body by a service provider or a researcher, for the purpose for which they may have access to it, provided they belong to a category of persons identified in the body's information governance policy.
Information held by the Ministère de la Santé et des Services sociaux, an institution, the Nunavik Regional Board of Health and Social Services, or a body may be used within that body by a person who belongs to a category of persons identified in the body's information governance policy where such access is necessary for the exercise of the body's function related to the organization or the assessment of health services and social services.
A body that uses information it holds to render a decision based on automated processing must inform the person concerned of that fact, no later than when it informs the person of the decision.
Additionally, it must also inform the person, on request, about:
- The information used to render the decision;
- The reasons and the principal factors and parameters that led to the decision;
- The right of the person concerned to have the information used to render the decision rectified.
The person concerned must be given the opportunity to submit observations to a member of the body's personnel, or to a professional practising within the body, who is in a position to review the decision.
E. Data Protection Officer Requirements
A body is responsible for protecting the information it holds. It must put in place security measures that are reasonable given the sensitivity of the information, the purposes for which it is used, its quantity and distribution, and the medium on which it is stored. It must also ensure that the information is up to date, accurate, and complete.
The person exercising the highest authority within the body is responsible for ensuring that this Act is implemented and complied with. That person may delegate all or part of this responsibility to a member of the body's board of directors or to one of its senior officers.
A body may enter into an agreement with another body under which the latter assumes all or part of the first body's obligations under this Act. A copy of the agreement must be sent to the Minister and to the Commission d'accès à l'information.
The title and contact information of the person in charge of protecting information within the body must be sent to the Minister and the Commission d'accès à l'information and published on the body's website.
A body must adopt a governance policy for the information it holds. This policy must set out:
- The roles and responsibilities of the members of the body's personnel and the professionals practicing their profession within the body;
- The categories of persons who may use the information in the exercise of their functions;
- The logging mechanisms and the security measures for ensuring the protection of the information that the body puts in place;
- The terms and conditions under which the information may be communicated;
- An update schedule for the technological products or services the body uses;
- A procedure for processing confidentiality incidents;
- A procedure for processing complaints regarding the protection of the information;
- A description of the training and awareness activities offered by the body to its personnel members and the professionals practicing their profession within the body.
The body must make the policy known to its members and professionals practicing the profession within the body by publishing this policy on its website.
Confidentiality Incident
A body that has reason to believe a confidentiality incident involving information it holds has occurred, or that there is a risk of one, must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature. If the incident presents a risk of serious injury, the body must promptly notify the Minister, the Commission d'accès à l'information, and the person concerned. It may also, without the person's consent, communicate the information to any person or group able to help reduce the risk.
The person concerned need not be notified where doing so could hamper an investigation by a person or body responsible by law for the prevention, detection, or repression of crime or statutory offenses. In assessing whether an incident presents a risk of serious injury, the body considers the sensitivity of the information, the anticipated consequences of its use, and the likelihood of injury to the person concerned.
A government regulation can determine the content and terms of the notices to be provided per this Act.
A body must keep a register of all such confidentiality incidents, with the Government being free to determine the content of this register.
At the end of the retention period, the body holding the information must destroy or anonymize it. Information is anonymized when it irreversibly no longer allows the person concerned to be identified, directly or indirectly; anonymization must follow generally accepted best practices.
IV. Data Subject Rights
The AHSSS gives every individual a right of access to information concerning them, and extends that right to certain persons related to the individual in specific situations.
A. Right to Access
All individuals have the right to be informed of the existence of and access to information related to them held by a body. However, this right is not applicable if a health body determines that such access would seriously harm the individual's health.
B. Right to Know Third-Party Access
All individuals have the right to know which persons or groups have access to their information held by a body, have used the information, or have received communication of it, along with the date and time of the access, use, or communication.
C. Right to Rectification
All individuals have the right to request rectification of information a body holds about them if it is inaccurate, incomplete, or equivocal, or if it was collected or is kept in contravention of the law.
A person responsible for the care of another individual has the right to be informed of the existence of, and to have access to, information concerning that individual, provided the information is necessary for the exercise of their powers and responsibilities.
In Case Of Minors
In case of minors under the age of 14, the person with parental authority has the right to be informed of the existence of and have access to any information held by a body related to that minor. They may also request rectifications in such information if it is inaccurate, incomplete, or equivocal, or if it was collected or is kept in contravention of the law.
However, the person with parental authority may be refused access if the director of youth protection determines that such access could harm the minor's health or safety and one of the following applies:
- The information was obtained by a director of youth protection under the Youth Protection Act;
- The assessment of the child's situation and living conditions under section 49 of that Act is ongoing;
- The child's situation is or has previously been taken into charge by a director of youth protection.
For minors 14 years of age or over, the person with parental authority has the right to be informed of the existence of, and to have access to, information held by a body about the minor only if the body, after consulting the minor, determines that access would not harm the minor's health or safety. The director of youth protection may also be consulted.
The person with the parental authority may also request rectifications in such information if it is inaccurate, incomplete, equivocal, or if it was collected or is kept in contravention of the law.
A person who acts as the legal guardian or representative of an incapable person of full age has the right to be informed of the existence of, and to have access to, information held by a body about that person, including the medical and psychosocial assessment reports establishing that the person is incapable of caring for themselves and of exercising these rights on their own. The legal guardian or representative also has the right to request rectification of the information if it is inaccurate, incomplete, or equivocal, or if it was collected or is kept in contravention of the law.
An heir, successor, liquidator of the succession of a deceased person, or any individual designated by a deceased person as their beneficiary has the right to be informed about the existence of and access to any information held by a body on the deceased person, provided it is necessary for the exercise of a right. Such a person also has the right to request rectification of the information held by the body on the deceased person if it is inaccurate, incomplete, or equivocal, or if it was collected or is kept in contravention of the law.
The spouse or a close relative of a deceased person has the right to be informed of the existence of, and to have access to, information about the deceased where it may help them in their grieving process, unless the deceased had refused access to that information for this purpose, or had refused access to that particular spouse or close relative.
Furthermore, any person genetically related to the deceased person has the right to be informed of the existence of and access to any information on that deceased person held by a body, provided that such information is necessary to verify the existence of a genetic or hereditary disease. This right can be exercised even if the deceased person had refused them access to their information concerning the cause of their death.
If the deceased person is a minor under the age of 14, the person with parental authority has the right to be informed of the existence of and have access to any information collected by a body about that minor. However, this does not extend to any information of a psychosocial nature.
Terms Of Exercising Access Rights
A person wishing to exercise a right of access or rectification must make a written request to the person in charge of protecting information within the body concerned, and must establish their identity, their capacity, and the fact that they meet the conditions set out above.
The person in charge must give the applicant written notice of the date on which the request was received, the time limit for responding, and the review proceedings available.
The person in charge must respond promptly and no later than 30 days after receiving the request. Failure to respond within that time is treated as a refusal and opens the way to review proceedings.
If the person in charge grants the request, they must provide the applicant with the required assistance to understand the requested information.
Similarly, if they refuse the request, they must indicate the detailed provisions of the law that led to the refusal, provide a written explanation, and ensure the applicant receives it.
Finally, the person in charge must keep records and documentation necessary for as long as required to enable the applicant to exhaust all their options for recourse under the law.
V. Regulatory Authority
The Commission d'accès à l'information is responsible for overseeing the enforcement of this Act.
The chair and the vice-chair, together with the members assigned to it, make up the Commission's oversight division. A member of the Commission may not act alone on the Commission's behalf to exercise the powers provided for in the Act.
The Commission may enter into agreements with any person or body authorized by law to conduct investigations in the field of personal information protection.
A. Inspection
In exercising its oversight functions, the Commission can authorize a person to act as an inspector to verify compliance with this Act. In the exercise of its inspection functions, the inspector may:
- Enter, at any reasonable time, any premises where a body carries on its activities;
- Use any computer, equipment, or other thing that is on the premises to access information contained in a device, system, or information asset or to inspect, examine, process, copy, or print out such information;
- Take photographs of the premises and equipment;
- Require the persons present to provide any information relating to the application of this Act that is necessary for the discharge of inspection functions.
An inspector may be accompanied by a person with special expertise, or may require the body to have an expert assessment carried out and to forward the results, where such an assessment is necessary. The body bears the cost of the assessment.
Inspectors must be able to identify themselves and produce a certificate of authority when requested.
B. Penal Investigation
The Commission may designate a person to conduct a penal investigation in any matter relating to the application of this Act. That person must, on request, identify themselves and produce a certificate of authority.
C. Administrative Investigation
The Commission can conduct an administrative investigation or designate a person to carry out this investigation in matters related to the protection of information and the practices of the body concerning such information.
It is forbidden to take reprisal against a person if that person has filed a complaint with the Commission or cooperated in the investigation. Any threats to take such a reprisal are also forbidden.
The Commission may require any person or group, whether or not subject to this Act, to file any information or document needed to verify compliance with the Act, within the time it specifies, even if that information or document has been submitted before.
In the aftermath of a confidentiality incident, the Commission may order a person or group of persons to protect the rights granted by this Act and order the information involved to be returned to the body or destroyed.
The Commission's investigations are non-adversarial. On completing an investigation, the Commission gives the body an opportunity to submit observations, and may then recommend or order measures to protect the information.
However, any order issued by the Commission's oversight division is enforceable.
A person affected by the investigation may contest the orders issued by the Commission's oversight division before a judge of the Court of Quebec.
Such a proceeding would not suspend the execution of the order. However, on a motion heard and judged urgently, the judge may order otherwise owing to the urgency of the matter and the risk of serious injury.
VI. Recourses
A. General Provisions
The chair and vice-chair exercise the functions and powers of the Commission d'accès à l'information.
The parties involved in the proceedings must ensure that their actions, pleadings, and means of proof are proportionate in terms of cost and time to the nature and complexity of the matter.
B. Application to the Commission
A person whose request for access or rectification has been refused by the person in charge of protecting information may apply to the Commission to review the decision. They may also request a review related to the mode of access to information.
The request for review must be made within 30 days of receiving the decision or expiry of the time granted by the person in charge of protecting information for responding to the request for access or rectification.
All such applications must be made in writing and state the reasons for which the decision should be reviewed. The Commission should forward the notice of the application to the body.
However, the Commission may authorize a body to disregard requests that are clearly abusive because of their systematic nature and that would interfere with the body's activities.
Likewise, the Commission may refuse to examine a matter it considers frivolous or made in bad faith.
Members of the Commission may lend assistance in drafting the application for review to every interested person who requires it. Once the Commission receives an application, it may direct a person it designates to facilitate an agreement if the case allows for it. If no such agreement is possible, it will begin examination of the application, with the parties being given the chance to submit their observations.
The rules of the procedures will be made by the Commission, which will include provisions to ensure the accessibility of the Commission and the quality and promptness of the decision-making process. The regulation specifying such details will be submitted to the Government for approval.
The Commission may use technological means available to both parties and may require the parties to use them. In some cases it may require a person to appear at a hearing or examination even where the parties have reached an agreement.
C. Decision of the Commission
The Commission renders every decision in writing, with reasons, and forwards a copy to each party. It may order a body to give access to information, to rectify it, or to refrain from doing so.
The Commission must render its decision within 3 months of receiving the application for review, unless the chair extends that time. The chair may also withdraw a matter from a member who fails to decide it within the time allowed and assign it to another member.
However, the chair must consider the parties' circumstances and interests before making such decisions.
The Commission may rectify a decision that contains an error: on its own initiative, as long as execution of the decision has not begun, or at any time on the motion of a party, unless the decision has been appealed.
Once the decision becomes enforceable, a copy of the decision will be filed in the office of the clerk of the Superior Court of the District of Montreal or Quebec by the Commission. Once the decision is filed, the decision has the same force and effect as the judgment of the Superior Court.
The Commission can declare an application for review expired if one year has passed since the last useful proceeding was filed.
D. Appeal a Decision of the Commission
A decision of the Commission may be appealed before a judge of the Court of Quebec on a question of law.
The jurisdiction conferred by this Act on a judge of the Court of Quebec can be exercised only by the judges of that Court appointed by the chief judge.
The appeal can be brought by filing with the Court a notice specifying the questions of law to be examined in the appeal.
The filing of the notice will suspend the execution of the decision of the Commission until the Court's decision is rendered. However, if the appeal is against a decision ordering a body to refrain from doing something, the notice filing does not suspend the execution of that decision.
The notice must be served to the parties and the Commission within 10 days of it being filed in the office of the Court.
The appeal is governed by Articles 351-390 of the Code of Civil Procedure with necessary modifications.
The ultimate decision of the judge of the Court of Quebec cannot be appealed.
VII. Penalties For Non-compliance
Offences & Penalties
Anyone who does the following has committed an offense and is liable to a fine of $1,000 to $10,000 in the case of a natural person and $3,000 to $30,000 in all other cases:
- Keeps or destroys information in contravention of this Act or a regulation made under this Act;
- Refuses to communicate information that they must communicate under this Act or impedes such communication;
- Hinders the delegated manager of government digital data or a person in charge of the protection of information in the performance of their functions;
- Fails to report a confidentiality incident to the Minister or the Commission d'accès à l'information;
- Fails to comply with a condition set out in an authorization or provided for by an agreement.
Anyone who does the following has committed an offense and is liable to a fine of $5,000 to $100,000 in the case of a natural person and $15,000 to $150,000 in all other cases:
- Communicates information that cannot be communicated under this Act;
- Collects, accesses, or otherwise uses information in contravention of this Act;
- Sells or otherwise alienates information held by a body or information communicated to them by a body;
- Identifies or attempts to identify a natural person using de-identified information without the authorization of the body that holds it or using anonymized information;
- Fails to comply with a condition relating to the use of information set out in an authorization or provided for by an agreement;
- Contravenes section 93 or 94 of the Act;
- Holds information without complying with the relevant obligations;
- Impedes the progress of an investigation or inspection of the Commission d'accès à l'information or the hearing of an application by the Commission;
- Fails to comply with a demand;
- Fails to comply with an order of the Commission d'accès à l'information.
The minimum and maximum fines are doubled for a second offense and tripled for a third or subsequent offense.
Where an offense is committed by a director or officer of a legal person or group of persons, the minimum and maximum fines are double those applicable to a natural person for that offense.
Where an offense continues for more than one day, each day constitutes a separate offense. Anyone who, by act or omission, helps another person or body commit an offense under this Act is deemed to have committed the same offense.
VIII. How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data+AI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Some of the world's most prestigious corporations rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.
The Data Command Center comes equipped with several individual modules and solutions that are customized in both ease of use and functionality to ensure compliance with all major obligations an organization may be subject to under the AHSSS. These include DSR automation, consent management, and notice management, among several others.
Furthermore, the centralized dashboard allows for real-time insights into an organization's obligations and compliance activities, thus enabling proactive interventions whenever necessary or convenient.
Request a demo now and learn more about how Securiti can help you comply with nearly all major data protection and privacy regulations from across the world.