Quebec HSSI Act: Key Insights for Biopharma Clinical Trials
Quebec's new Health and Social Services Information Act (HSSI Act), in force since July 1, 2024, sets rigorous rules for handling health and social services information. For biopharmaceutical companies conducting clinical trials, understanding the details of this act is essential to staying compliant and avoiding significant penalties. This article outlines the key provisions of the HSSI Act, its implications for clinical trials, how it interacts with PIPEDA, and how it compares with the General Data Protection Regulation (GDPR).
Key Provisions of the HSSI Act
The HSSI Act applies to any body that collects, holds, or uses health and social services information (HSSI) within Quebec. For biopharma companies, this means that all data collected during clinical trials must meet the act's requirements. Its key provisions are:
1. Purpose and Scope
The HSSI Act aims to ensure the confidentiality, integrity, and availability of health information while facilitating its use for purposes directly related to health services, research, and public safety. It applies to all bodies that collect, hold, or use health information within Quebec.
2. Use of HSSI
Consistency with Purpose: HSSI can be used only for purposes that are consistent with the original purpose of collection, beneficial to the individual concerned, or legally permitted.
Automated Decision-Making: If HSSI is used for automated decision-making, individuals must be informed about the use, the decision-making parameters, and their right to contest or rectify the information.
3. Communication of HSSI
Within Quebec: HSSI can be communicated to service providers when necessary for delivering health or social services, or for educational and training purposes. Providers must ensure the data is retained only as necessary for these purposes.
Outside Quebec: Communication outside Quebec is permitted only if a Privacy Impact Assessment (PIA) confirms adequate protection measures. Agreements must be established to mitigate identified risks.
4. Protection and Security
Responsibility: The body holding HSSI must implement reasonable security measures proportionate to the sensitivity of the information, its intended use, and the medium on which it is stored.
HSSI Protection Officer: Each body must appoint an officer responsible for ensuring compliance with the HSSI Act. This officer's contact information must be publicly available and reported to the Minister of Health and Social Services.
Audit Logging: Bodies must maintain logs of who accessed, used, or communicated HSSI. These logs are reported annually to the Minister.
Privacy by Default: Technological products or services must have the highest level of confidentiality settings by default. This does not apply to browser cookies.
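The audit-logging duty above (who accessed, used, or communicated HSSI, reported annually to the Minister) is the one provision in this list that maps directly onto a technical control. The following is an added example, not code from the article or from any regulator: a minimal append-only access log with an annual summary. The entry fields, the hash chain linking each entry to the previous one (so that alteration or deletion of an earlier entry is detectable), and the sample user and record identifiers are all assumptions made here; the Act requires the log, not this particular mechanism.

```python
"""Added example: an append-only HSSI access log with tamper detection.

The field names, the SHA-256 hash chain and the sample data below are
assumptions for illustration; they are not prescribed by the HSSI Act.
"""
import hashlib
import json
from datetime import datetime, timezone


class HssiAccessLog:
    """Records who did what with which HSSI record, and why."""

    # The three events the Act asks bodies to log.
    ACTIONS = {"access", "use", "communicate"}
    GENESIS = "0" * 64  # 'previous digest' of the first entry

    def __init__(self):
        self.entries = []

    def record(self, user_id, record_id, action, purpose, ts=None):
        """Append one entry; returns its digest."""
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action: {action}")
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        entry = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,
            "record_id": record_id,  # an identifier only, never the HSSI itself
            "action": action,
            "purpose": purpose,
            "prev": prev,            # links this entry to the one before it
        }
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry["digest"]

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys) so the digest is reproducible.
        body = {k: v for k, v in entry.items() if k != "digest"}
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(data).hexdigest()

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["digest"] != self._digest(e):
                return i
            prev = e["digest"]
        return -1

    def annual_summary(self, year):
        """Count of (user, action) pairs for one calendar year, for the annual report."""
        summary = {}
        for e in self.entries:
            if int(e["ts"][:4]) != year:
                continue
            key = (e["user_id"], e["action"])
            summary[key] = summary.get(key, 0) + 1
        return summary


def sample_log():
    """Constructed sample entries (not real people or records)."""
    log = HssiAccessLog()
    t = datetime(2024, 7, 2, 9, 0, tzinfo=timezone.utc)
    log.record("dr.tremblay", "pt-000123", "access", "treatment", t)
    log.record("dr.tremblay", "pt-000123", "use", "treatment", t)
    log.record("cro-monitor-7", "pt-000123", "communicate",
               "clinical trial monitoring", t)
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify() == -1)
    print("2024 summary:", log.annual_summary(2024))
```

The log stores record identifiers and purposes, not the health information itself, so the log can be retained and reported without becoming a second copy of the HSSI it protects. Note that a hash chain makes tampering detectable only if the latest digest is also stored somewhere the log's own administrators cannot silently rewrite, for example a periodic export to a separate system.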
5. Privacy Impact Assessments (PIA)
Any project involving the collection, retention, use, or destruction of HSSI must undergo a PIA to assess and mitigate privacy risks. This includes developing or overhauling technological products or services.
6. Confidentiality Incidents
Incident Management: In the event of a confidentiality breach, the body must take measures to mitigate injury and prevent recurrence.
Notification: If a breach poses a risk of serious injury, the body must promptly notify the Minister, the Commission d’accès à l’information (CAI), and the affected individuals. A register of incidents must be maintained for five years.
7. Destruction and Anonymization of HSSI
Destruction: At the end of the retention period, HSSI must be destroyed securely and irreversibly.
Anonymization: Information must be anonymized to prevent any possible identification of individuals, following best practices and regulatory standards.
Penalties for Non-Compliance
The HSSI Act imposes substantial penalties for violations, underscoring the importance of compliance. Natural persons can be fined up to $100,000 per violation, and organizations up to $150,000 per violation. For directors and officers the fines are doubled, up to $200,000 per violation, reflecting the act's emphasis on personal accountability. Fines are doubled for a second offence and tripled for third and subsequent offences, and each day a violation continues counts as a separate offence, so fines can multiply quickly. The CAI has the authority to impose administrative penalties and fines, conduct inspections and investigations, and order corrective measures. Organizations are notified before any sanction is imposed and have the opportunity to respond and contest the decision.
Interaction with PIPEDA
The HSSI Act complements the federal Personal Information Protection and Electronic Documents Act (PIPEDA) with protections specific to health and social services information. PIPEDA applies to private sector organizations across Canada that collect, use, or disclose personal information in the course of commercial activities. The HSSI Act specifically targets bodies within Quebec that handle health and social services information, including public bodies, health care institutions, and private organizations conducting clinical trials, and it provides a more detailed and stringent framework for managing health information than PIPEDA's broader scope.
PIPEDA requires organizations to obtain consent for the collection, use, and disclosure of personal information, implement appropriate security measures, and allow individuals to access and correct their data. The HSSI Act builds on these principles with requirements specific to health information, such as mandatory PIAs, detailed logging of data access, and higher standards for data protection and breach notification. It also emphasizes personal liability for directors and officers, which PIPEDA does not explicitly cover. PIPEDA allows provincial privacy laws that provide substantially similar protection to coexist with it, and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act) has been recognized as substantially similar. The HSSI Act operates alongside the Quebec Privacy Act and PIPEDA, adding protections for health and social services information. Organizations in Quebec must therefore comply with both PIPEDA and the HSSI Act, meeting data protection standards at both the federal and provincial levels.
Similarities with GDPR
The HSSI Act shares many similarities with the GDPR, particularly in its stringent data protection requirements and its emphasis on individual rights. While the fines under the HSSI Act are lower than those under the GDPR, the HSSI Act drives compliance through personal liability: by holding directors and officers personally accountable, with fines of up to $200,000 per violation, it aims to enforce adherence to data protection standards rigorously.
Conclusion
For biopharma companies conducting clinical trials in Quebec, the HSSI Act mandates rigorous data protection practices, robust security measures, and clear protocols for incident management. Ensuring compliance with these provisions is crucial to avoid substantial penalties and maintain the integrity of clinical trial data.
For more information, consult the HSSI Act here:
Warm regards,
Diana