Act respecting the sharing of certain health information (Quebec)
An Act respecting the sharing of certain health information, CQLR, c P-9.0001(the “Quebec Act”) is Quebec’s most relevant legislation regarding the collection, use, and disclosure of health information involved in the delivery of healthcare services in the Province of Quebec. Quebec’s Act aims to establish information assets allowing the sharing of health information considered essential to primary care services and the continuum of care, in order to improve the quality and security of health services and social services, and access to those services, and further serves to improve the quality, efficiency and performance of the Quebec health system by allowing the management and controlled use of health and social information. While the focus will be on the Quebec Act for the purposes of the information found on this page, Quebec’s Act respecting Access to documents held by public bodies and the Protection of personal information, CQLR, c. A-2.1 also extends to health and social institutions and Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c P-39.1, which establishes rules for the collection, use and disclosure of personal information in the private sector.
Customers are always in control of how they manage and access their content stored on AWS. AWS does not have knowledge of what customers are uploading onto its network, including whether or not that data is deemed subject to the Quebec Act, and customers are responsible for ensuring their own compliance with the Quebec Act. AWS customers can design and implement an AWS environment, and use AWS services in a manner that satisfies their obligations under the Quebec Act.
The AWS Canada (Central) Region is currently available for multiple services, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and Amazon Relational Database Service (Amazon RDS). For a complete list of AWS Regions and services, visit the Global Infrastructure page. Canada Region pricing is available on the detail page of each service, which can be found through our products & services page.
What is PIPEDA and what is the Quebec Act? What is the relationship between these laws?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the collection, use, and disclosure of personal information in the course of commercial activities in all Canadian provinces. Certain Canadian provinces have also adopted their own general privacy laws for both the public and private sector, as well as privacy laws specific to personal health information. Quebec’s Act respecting the sharing of certain health information, CQLR, c P-9.0001(Quebec Act) is privacy legislation in Quebec, that aims to establish information assets allowing the sharing of health information considered essential to primary care services and the continuum of care, in order to improve the quality and security of health services and social services, and access to those services, and further serves to improve the quality, efficiency and performance of the Quebec health system by allowing the management and controlled use of health and social information. The Quebec Act applies to any persons or partnerships who host, operate or use an information asset (as defined herein) including, but not limited to, private physician offices, pharmacies, specialized medical centers, health and social service providers, and others as further set out in section 4 of the Quebec Act. “Information asset” is defined under the Quebec Act as “any database, information system, telecommunications system, technological infrastructure or combination of such, or any computer component of specialized or ultra-specialized medical equipment”.
Whether, and the extent to which, an AWS customer is subject to PIPEDA, the Quebec Act, or any other Canadian provincial privacy requirements may vary depending on the customer’s business.
Other organizations may be subject to PIPEDA or other provincial privacy laws as well. For more information about PIPEDA, please visit the AWS website here.
Customers should consult their own legal advisors to understand the privacy laws to which they are subject.
How can customers comply with the Quebec Act on AWS?
AWS customers can design and implement an AWS environment, and use AWS services in a manner that satisfies their obligations under the Quebec Act.
Customers that are subject to the Quebec Act may have to comply with requirements relating to the management, collection, access, use, disclosure and protection of health information. AWS gives customers control over how their content is stored or processed when using AWS services, including control over how that content is secured and who can access that content. AWS provides services that customers can configure and use to aid in the security of health information they store on AWS, and it is the responsibility of the customer to architect a solution that meets applicable privacy requirements.
Note that there is no officially recognized “certification” for Quebec Act compliance in the same way that an entity might be SOC, PCI, or FedRAMP certified or authorized. Instead, AWS offers its customers considerable information regarding the policies, processes, and controls established and operated by AWS. AWS provides workbooks, whitepapers, and best practice guides on our AWS Compliance Resources page and customers have on-demand access to AWS third-party audit reports in AWS Artifact.
Does AWS access health information that customers put on AWS?
Customers are always in control of how they manage and access their content stored on AWS. AWS provides an advanced set of access, encryption, and logging features to help customers manage their access and content. AWS does not access or disclose customer content unless at the direction of the customer, or if necessary to comply with the law or a legally valid and binding order of a governmental or regulatory body having jurisdiction. Unless AWS is legally prohibited from doing so or there is a clear indication of illegal conduct in connection with the use of AWS services, AWS notifies customers before disclosing customer content so they can seek protection from disclosure. For more information, visit our Data Privacy FAQ.
Does the Quebec Act prohibit an AWS customer from having data in transit or at rest outside of Quebec or outside of Canada?
Customers should consult their own legal advisors when seeking to comply with privacy laws. The Quebec Act may require applicable persons to put certain measures in place to protect health information in their custody or control such as administrative, technical and physical safeguards. Health information that is to be stored, accessed, used, or disclosed outside of Quebec or Canada may be subject to certain obligations under the Quebec Act prior to such storage, access, use or disclosure outside of Quebec or Canada. It is the responsibility of each customer to determine whether transferring and storing data outside of Quebec or outside of Canada satisfies their security and privacy obligations under the Quebec Act.
AWS customers should consider whether PIPEDA or the laws of any other Canadian provinces may apply, and review such laws for any data residency limitations. AWS customers choose the region(s) in which their content will be stored. AWS will not move or replicate customer content outside of the customer’s chosen region(s) without the customer’s consent.
Does the Quebec Act require that health information be encrypted?
Under the Quebec Act, there is no specific requirement to encrypt health information. However, entities subject to the Quebec Act are required to take steps to safeguard health information and it is the responsibility of each customer to determine whether encryption is appropriate to satisfy its security obligations. AWS recommends that health information always be encrypted at rest and in transit as a best practice.
How can customers get information to complete a Privacy Impact Assessment in connection with using AWS?
AWS makes available a wide range of materials to help customers understand the AWS environment and security controls. AWS provides customers with on-demand access to third-party audit reports (such as our SOC 1 and SOC 2 reports) in AWS Artifact. AWS also provides workbooks, whitepapers, and best practices on our AWS Compliance Resources page about how to run workloads on AWS in a secure manner.
How do customers implement auditing of their environment on AWS?
As part of the Shared Responsibility Model, customers should consider implementing auditing and logging across their AWS environment in a manner sufficient to meet their compliance requirements. AWS offers services that make scalable logging and log analytics architectures simpler to implement. AWS also has a variety of partners in the AWS Marketplace that provide security logging solutions. Refer to this AWS Security-Logging Capabilities page for more information on how to implement logging on AWS.
Can you provide examples of other healthcare organizations in Canada utilizing AWS?