Skip Navigation

Quebec’s Comprehensive Health Information Privacy Law Comes Into Force

July 2, 2024

On July 1, 2024, most of the provisions of Quebec’s Act respecting health and social services information and amending various legislative provisions (Act) entered into force, along with two related regulations. The Act introduces a comprehensive privacy framework for health and social services (HSS) information in Quebec, similar to the health information privacy legislation in other Canadian provinces and territories.

The Act subjects HSS providers and institutions to modernized privacy obligations and to an enforcement regime similar to what is now imposed on private sector enterprises under Quebec’s Act respecting the protection of personal information in the private sector (Quebec Private Sector Act) following the coming into force of Law 25. Importantly, the Act also contains specific obligations that apply when contracting with organizations that act as service providers to Quebec HSS entities, such as medical Software-as-a-Service providers.


The Act was introduced as part of the Government of Quebec’s efforts to improve health service quality by simplifying HSS information flow. As such, the Act repeals the Act respecting the sharing of certain health information and establishes a new legal framework for managing HSS information, which aims to protect HSS information and optimize its use in the healthcare system. The Act also mandates the Minister of Health and Social Services (Minister) to establish a provincial information filing system designed to centralize the records of HSS institutions.

The privacy obligations under the Act apply to a wide swath of public and private sector entities. The HSS bodies designated in Section 4 of the Act (each a Body) include the Ministère de la Santé et des Services sociaux, public health institutions, private health facilities, laboratories, specialized medical centres, centres for assisted procreation, private senior residences, and any other person or group determined by regulation. The Act will also consider HSS professionals as a Body if they offer services within a Body other than a public health institution and maintain records outside of that Body. The Act exempts HSS information held by or on behalf of a Body from the application of the Quebec Private Sector Act.

Defining Health and Social Services Information

Section 2 of the Act introduces the concept of HSS information, which is broadly defined to include any information that allows a person to be directly or indirectly identified, and that has any of the following characteristics: 

  • Concerns the state of a person’s physical or mental health, or health determinants, including a person’s medical or family history
  • Refers to biological or other material taken from the person
  • Concerns the health services or social services provided to the person
  • Was obtained in the exercise of a function under Quebec’s Public Health Act
  • Has any other characteristic prescribed by regulation

Additionally, other personal information such as a name, date of birth, contact information or health insurance number is considered HSS information when it appears with the information referred to above, or is collected for the purpose of registration, enrolment, or admission to a HSS institution. 

Key Obligations Under the Act

The Act introduces numerous obligations on a Body in relation to the protection of HSS information, many of which are similar to the requirements of the Quebec Private Sector Act. At a high level, notable obligations include the following:

  • Safeguards: A Body is responsible for protecting its HSS information through reasonable safeguards.
  • Accuracy: A Body must ensure the information it holds is up to date, accurate and complete, to serve the purposes for which it was collected or used.
  • Consent: At the time of collection, a Body must clearly inform a person, in simple language, of the name of the Body collecting the HSS information, the purpose and means of collection, the period of time the information is kept, an individual’s right to access and correct the information, and the possibility of restricting or refusing access to that information as specified by the Act. 
  • Governance: A Body must put in place a privacy governance policy implementing its obligations under the Act that addresses, among other things, the categories of persons who may use HSS information, the security measures used to protect the information, the terms governing the communication of information, procedures for processing confidentiality incidents and complaints, and an update schedule for technological products.
  • Privacy Impact Assessments: A Body must conduct a privacy impact assessment to determine and mitigate the risks to HSS information where information is communicated outside Quebec, or in the event of any project to acquire, develop or overhaul technological products or services or an electronic service delivery system involving the collection, keeping, use, communication or destruction of HSS information held by the Body. 
  • Privacy by Default: A Body that collects HSS information through a technological product or service must ensure that privacy settings provide the highest level of confidentiality by default. 
  • Keeping Logs: A Body must log all accesses to or other uses of HSS information.
  • Technology Register: A Body must keep and publish online a register of every technological product or service it uses.
  • Transparency in Automation: A Body that uses the information it holds to render a decision based exclusively on automated processing must inform the person concerned and disclose the information and factors used to render the decision upon the person’s request.
  • Confidentiality Incidents: Where a Body has reason to believe a confidentiality incident breaching HSS information has occurred, or there is a risk it will occur, the Body must take reasonable steps to reduce the risk of injury. If the incident presents a risk of serious injury, the Body must promptly notify the Minister, the Commission d'accès à l'information du Québec (CAI) and the persons affected. 

Written Agreements With Service Providers

The Act also includes several obligations that are relevant to entities that provide services to Bodies. In particular, the Act provides that a Body may communicate necessary HSS information to persons or groups entrusted to carry out a mandate or under a contract for services. However, the mandate or contract must be in writing and include prescribed data protection terms, including terms that require the service provider to: 

  • Keep the information confidential
  • Comply with prescribed information governance rules
  • Only use the information for carrying out the mandate or performing the contract
  • Ensure all staff sign confidentiality agreements
  • Only use technological products or services authorized by the Body
  • Immediately notify the person in charge of the protection of information within the Body of any breach of the agreement
  • Allow the Body to audit the service provider
  • Not retain any information at the end of the mandate or contract

Additionally, before agreeing to any mandate or contract that involves communicating HSS information outside of Quebec, the Body must conduct a privacy impact assessment. 


The CAI oversees the Act and can levy fines between C$1,000 and C$150,000 on a legal person, depending on the infraction. These amounts are doubled and tripled in subsequent offences. Bodies, professionals subject to the Act, and HSS providers operating in Quebec should evaluate their overall HSS information handling practices and consider their compliance obligations under these new requirements.

For further information, please contact: 

or any other member of our Privacy & Data Protection group.