Medical Law - Connecting Care Act (CCA). Doxy.Me Inc. v. Ontario Health et al.
In Doxy.Me Inc. v. Ontario Health et al. (Ont Div Ct, 2026) the Ontario Divisional Court dismissed a JR brought against "Ontario Health’s refusal to verify that its video service complies with required standards. The result of Ontario Health’s decisions is that Doxy’s physician clients are not entitled to receive payment from the Ontario Health Insurance Plan (“OHIP”) for any services rendered through its videoconferencing platform."
Here the court considers whether privacy standards adopted for use in OHIP-approved medical videoconferencing were ultra vires the Connecting Care Act, 2019:
ISSUE #3: IS THE DATA RESIDENCY REQUIREMENT IN THE VVV STANDARD ADOPTED BY ONTARIO HEALTH ULTRA VIRES?
[43] As noted earlier, in 2020, Ontario Health adopted the VVV Standard. This policy contains a data residency requirement, found in section 2.3.14 of the VVV Standard. In order to be verified by Ontario Health as a virtual visit solution it is required to demonstrate that “… all personal health information as defined in PHIPA is held by systems located in Canada”.
Is the Data Residency Requirement Consistent with the Objectives of the CCA?
[44] Doxy submits that the Data Residency Requirement of the VVV Standard bears no connection to the statutory objectives of the Connecting Care Act, 2019, S.O. 2019, c. 5, Sched.1 (the “CCA”). Doxy submits that this requirement is based on the assumption that the patient data located in Canada is more secure than data located in the United States. Given that the U.S. law provides for robust protection for personal health information, as a matter of technical security, data hosted in the United States is at least as secure as data hosted in Canada.
[45] I disagree that the Data Residency Requirement bears no connection to the objective of the CCA. The preamble to the CCA expresses the Legislature’s intention to create a single provincial agency (now called Ontario Health) that would oversee the development of a “digitally-enabled, publicly funded health care system” that would “put each patient at the centre of a connected care system anchored in the community”.
[46] The objectives of Ontario Health include:
3. Developing or adopting standards respecting digital health products and digital health services and the suppliers of such products and services.
4. Certifying products, services and suppliers in accordance with the standards developed or adopted pursuant to paragraph 3: See Ontario Regulation 376/19, s. 1(1).
[47] Given the provisions described above, the data residency requirement found in the VVV Standard is consistent with the CCA and its objects and is specifically supported by the intention that the community care system be “anchored in the community”.
Is the Data Residency Requirement Arbitrary or Does It Conflict with the Broader Legislative Context?
[48] Doxy further submits that the Data Residency Requirement conflicts with the broader legislative context in that the PHIPA imposes extensive obligations on the custodians of personal health information but does not impose a data residency requirement that prohibits the storage of personal health information outside of Ontario. Doxy submits that this leads to absurd consequences as highly sensitive personal health information, such as patient diagnostics, treatment plans, and clinical photos, may be stored on servers in the U.S.A., however the Data Residency Requirement under the VVV Standard applies to far less sensitive information retained by virtual care solutions such as call metadata. As a result, less sensitive data is subject to greater restrictions under the VVV Standard than higher sensitive data under the PHIPA.
[49] Doxy further submits that there is no rational basis for the Data Residency Requirement found in the VVV Standard and Regulation 552 on the grounds that the Data Residency Requirement is not logically connected to the protection of personal health information. In this respect, Doxy relies on Dr. Cavoukian’s opinion that identified three rationales for the Data Residency Requirement were misplaced. She stated that these rationales were: 1) a concern that foreign jurisdictions will lack adequate privacy protections; 2) a concern over foreign government surveillance; and 3) a concern that enforcement of Canadian privacy laws would be more difficult for data held outside of Canada.
[50] As stated in Auer, at para. 33:
... a vires review does not involve assessing the policy merits of the subordinate legislation to determine whether it is “necessary, wise, or effective in practice”.
[51] The grounds advanced by Doxy challenge the necessity, wisdom and effectiveness of the Data Residency Requirement. I agree with the respondents’ view that the PHIPA does not limit Ontario Health’s authority to impose the Data Residency Requirement in the VVV Standard. Although PHIPA is aimed at protecting privacy, the protection of personal health information does not need to be uniform in different contexts. The VVV Standard was specifically designed in part to protect privacy and security. While the VVV Standard may impose stricter standards than PHIPA, it was open to Ontario Health to adopt a VVV Standard that imposes more stringent requirements on the storage of personal health information gathered on a virtual visit than for other visits with a physician. The policy merits of its doing so are not open to challenge.