Personal Health Information: What You Need to Know in Quebec

In healthcare, the concept of personal information is not just a minor legal detail. Personal health information is central to compliance with Law 25, which applies to all public and private organizations in Quebec, and Law 5, which more specifically governs organizations in the health and social services network.

For a clinic, hospital, pharmacy, research centre, or technology company in the healthcare sector, knowing exactly what constitutes personal information determines your obligations regarding collection, use, retention, and disclosure.

This article clarifies the concept, provides concrete examples tailored to the healthcare environment, and outlines the best practices to put in place right away.

Definition of personal health information under Quebec law

According to the Commission d’accès à l’information du Québec (CAI), personal information is any information about a natural person that allows them to be identified, directly or indirectly.

In practical terms, there are two categories.

First, direct identifiers: name, address, email, social insurance number, health insurance number, date of birth, etc.

Second, indirect data that can identify a person when combined with other information: IP address, device identifier, biometrics, etc. For example, the combination of a postal code, gender, and date of a clinic visit could make it possible to identify someone.

This definition is rooted in the fundamental right to privacy, which gives each individual control over how their own data circulates.

Law 25 and Law 5: two complementary frameworks

Although they are often mentioned together, these two laws do not have the same scope.

Law 25 modernizes the rules for protecting personal information across all public bodies and private enterprises in Quebec, regardless of sector. A private pharmacy, a clinic unaffiliated with the public network, a digital health startup, or a software solutions provider are all subject to it.

Law 5, or the Act respecting health and social services information, specifically governs organizations in Quebec’s public health and social services network, as well as their authorized partners. It deals specifically with health and social services information.

Depending on your status, you may be subject only to Law 25 or to both laws. This distinction directly affects your obligations and the design of your systems.

Health information: a particularly sensitive subset

Law 5 introduces a more specific concept within personal health information: health and social services information. This is a type of personal information considered sensitive because of its nature and the potential harm that could result from a breach.

This includes, in particular:

  • diagnoses, medical history, and test results

  • prescriptions, treatments, and medications

  • clinical notes, observations, and care plans

  • laboratory and medical imaging results

  • biometric data, such as fingerprints or facial recognition

  • information related to mental health or sexual health

The heightened sensitivity of this information requires express consent: a clear oral or written statement that is separate from general consent.

To learn more about the legal framework that applies to this data, read our full article on Law 5 on health information.

Concrete examples in clinical and pharmacy settings

To make the definition of personal health information more tangible, here are examples grouped by level of sensitivity.

| Category | Examples | Level of sensitivity |
|---|---|---|
| Patient contact information | Name, address, email, phone number, file number | Standard personal information |
| Administrative identifiers | SIN, RAMQ, driver’s licence, passport | Standard to high personal information |
| Clinical information | Diagnosis, prescription, medical notes, allergies | Sensitive personal information |
| Biometric data | Fingerprints, facial recognition, DNA | Sensitive personal information |
| Digital data | IP address, device identifier, browsing path on a patient portal | Standard personal information |
| Inferred data | Risk profiles generated by an algorithm or AI | Standard personal information, sometimes sensitive |

Even information generated by an artificial intelligence system, such as an automatically calculated clinical risk score, is considered personal information when it is linked to a natural person.

What is not considered personal information

Not all data processed by a healthcare organization is personal. Distinguishing between the two helps avoid imposing unnecessary constraints on information that does not warrant them.

The following are generally not covered:

  • aggregate statistics, such as the total number of consultations per month

  • information about an organization, such as a clinic’s legal name or Quebec enterprise number

  • isolated technical data, such as a browser version, provided it is not paired with a unique identifier

  • irreversibly anonymized data, in accordance with recognized de-identification best practices

  • fictional datasets used for development or training

Be careful with data matching. A harmless data point on its own may become personal when combined with others. A postal code alone does not identify someone, but when combined with a date of birth and gender, it may be enough to identify a patient in a small geographic area.
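The data-matching risk above can be measured rather than guessed at. The following Python example is added here and is not code from the article or from the firm that published it; the patient rows are constructed and fictional, and the field names, the 3-character forward sortation area and the k threshold of 2 are assumptions chosen for illustration. It shows that a full postal code, sex and date of birth together single out every person in a small extract (k = 1), while generalizing to the first three postal characters and the birth year leaves every combination shared by at least two people, which is the usual minimum before an extract is treated as anonymized rather than personal.

```python
from collections import Counter

# Constructed, fictional sample extract (not real patients): a few rows a clinic
# might export. file_no is a direct identifier; postal_code, sex and birth_date
# are quasi-identifiers; diagnosis is the sensitive attribute.
RECORDS = [
    {"file_no": 1001, "postal_code": "H2X 1Y4", "sex": "F", "birth_date": "1984-03-12", "diagnosis": "asthma"},
    {"file_no": 1002, "postal_code": "H2X 2A1", "sex": "F", "birth_date": "1984-07-01", "diagnosis": "migraine"},
    {"file_no": 1003, "postal_code": "H2X 1Y4", "sex": "M", "birth_date": "1991-11-30", "diagnosis": "asthma"},
    {"file_no": 1004, "postal_code": "H2X 3C9", "sex": "M", "birth_date": "1991-05-20", "diagnosis": "diabetes"},
    {"file_no": 1005, "postal_code": "H3B 2K3", "sex": "F", "birth_date": "1984-03-12", "diagnosis": "diabetes"},
    {"file_no": 1006, "postal_code": "H3B 4N8", "sex": "F", "birth_date": "1984-09-09", "diagnosis": "asthma"},
    {"file_no": 1007, "postal_code": "H3B 2K3", "sex": "M", "birth_date": "1991-01-15", "diagnosis": "migraine"},
    {"file_no": 1008, "postal_code": "H3B 1A1", "sex": "M", "birth_date": "1991-12-02", "diagnosis": "asthma"},
]

# Assumed set of quasi-identifiers for this extract.
QUASI_IDENTIFIERS = ["postal_code", "sex", "birth_date"]


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[f] for f in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest group; k == 1 means at least one person is singled out."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def singled_out(records, quasi_identifiers):
    """file_no of every record whose quasi-identifier combination appears exactly once."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r["file_no"] for r in records
            if classes[tuple(r[f] for f in quasi_identifiers)] == 1]


def generalize(record):
    """Coarsen quasi-identifiers: full postal code -> forward sortation area
    (first three characters), full birth date -> birth year. Sex is kept as is."""
    out = dict(record)
    out["postal_code"] = record["postal_code"][:3]
    out["birth_date"] = record["birth_date"][:4]
    return out


def is_releasable(records, quasi_identifiers, k_min=2):
    """True when every quasi-identifier combination is shared by at least k_min people."""
    return k_anonymity(records, quasi_identifiers) >= k_min


def prepare_release(records, quasi_identifiers, k_min=2):
    """Generalize, drop the direct identifier, and refuse to release an extract
    that still singles people out."""
    generalized = [generalize(r) for r in records]
    if not is_releasable(generalized, quasi_identifiers, k_min):
        raise ValueError(
            f"extract is only {k_anonymity(generalized, quasi_identifiers)}-anonymous; "
            f"k_min is {k_min}")
    return [{f: v for f, v in r.items() if f != "file_no"} for r in generalized]


if __name__ == "__main__":
    print("k on sex alone:", k_anonymity(RECORDS, ["sex"]))
    print("k on postal code + sex + birth date:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("singled out before generalization:", singled_out(RECORDS, QUASI_IDENTIFIERS))
    released = prepare_release(RECORDS, QUASI_IDENTIFIERS)
    print("k after generalization:", k_anonymity(released, QUASI_IDENTIFIERS))
```

The same check should be rerun whenever a new column is added to an extract, since each added attribute shrinks the groups; k-anonymity also says nothing about whether everyone in a group shares the same diagnosis, so a real release review would look at the sensitive attribute's distribution within each group as well.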

Are you designing a new clinical tool or modernizing an existing system that processes personal health information? Talk to a specialist to build compliance in by design.

Best practices for managing personal health information

Compliance is not just about a legal document. Managing personal health information is reflected in processes, tools, and organizational culture. Here are the practices we see working in healthcare sector mandates.

Map your data flows

Document where information is collected, where it travels, where it is stored, and who can access it. Without this mapping, it is impossible to demonstrate compliance or respond quickly to an incident.

Apply data minimization

Collect only what is strictly necessary for the stated purpose. A clinic registration form does not need a SIN if nothing in the process requires it.

Control access by role

Not every staff member needs access to every file. Putting in place granular permission management based on the principle of least privilege significantly reduces the exposure surface.
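One way to make least-privilege access concrete at the field level, as an added Python example that is not code from the article or from the firm behind it: the roles, the fields each role may see, the requirement that a physician be on the patient's care team, and the patient record are all constructed assumptions for illustration. A receptionist booking an appointment never receives a diagnosis, a pharmacist sees prescriptions and allergies but not clinical notes, and every access, granted or refused, lands in an audit log that flags whether sensitive health information was involved.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role model (constructed for this example): each role is limited to the
# fields its task actually requires.
ROLE_FIELDS = {
    "receptionist": {"file_no", "name", "phone", "next_appointment"},
    "pharmacist":   {"file_no", "name", "allergies", "prescriptions"},
    "physician":    {"file_no", "name", "phone", "next_appointment",
                     "allergies", "prescriptions", "diagnoses", "clinical_notes"},
}

# Fields the article classes as sensitive health and social services information.
SENSITIVE_FIELDS = {"allergies", "prescriptions", "diagnoses", "clinical_notes"}

# Roles that, in addition to a permitted field set, need a care relationship
# with the patient (assumption: a physician only sees their own patients).
RELATIONSHIP_REQUIRED = {"physician"}


@dataclass
class AuditLog:
    """In-memory stand-in for the incident/access register the article describes."""
    entries: list = field(default_factory=list)

    def record(self, **entry):
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(entry)


def view_record(user_id, role, patient, audit):
    """Return only the fields the role may see, or raise PermissionError.
    Every decision is written to the audit log."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        audit.record(user=user_id, role=role, file_no=patient["file_no"],
                     outcome="denied", reason="unknown role", sensitive=False)
        raise PermissionError(f"role {role!r} has no access profile")
    if role in RELATIONSHIP_REQUIRED and user_id not in patient["care_team"]:
        audit.record(user=user_id, role=role, file_no=patient["file_no"],
                     outcome="denied", reason="not on care team", sensitive=False)
        raise PermissionError(f"{user_id} is not on the care team for {patient['file_no']}")
    projected = {k: v for k, v in patient.items() if k in allowed}
    audit.record(user=user_id, role=role, file_no=patient["file_no"],
                 outcome="granted", fields=sorted(projected),
                 sensitive=bool(SENSITIVE_FIELDS & projected.keys()))
    return projected


def access_denied(user_id, role, patient, audit):
    """True when view_record refuses the request (helper for checks and tests)."""
    try:
        view_record(user_id, role, patient, audit)
    except PermissionError:
        return True
    return False


# Constructed, fictional patient record (not a real person).
PATIENT = {
    "file_no": 1001,
    "name": "A. Tremblay",
    "phone": "514-555-0100",
    "next_appointment": "2025-03-04",
    "allergies": ["penicillin"],
    "prescriptions": ["salbutamol inhaler"],
    "diagnoses": ["asthma"],
    "clinical_notes": "stable, review in 6 months",
    "care_team": {"dr-gagnon"},
}


if __name__ == "__main__":
    log = AuditLog()
    print("receptionist sees:", sorted(view_record("u-front", "receptionist", PATIENT, log)))
    print("pharmacist sees:", sorted(view_record("u-pharm", "pharmacist", PATIENT, log)))
    print("other physician denied:", access_denied("dr-other", "physician", PATIENT, log))
    print("care-team physician sees:", sorted(view_record("dr-gagnon", "physician", PATIENT, log)))
    for entry in log.entries:
        print(entry)
```

The projection happens on the server side before anything is returned, so a client that asks for more than its role allows simply never receives it; the `sensitive` flag on each log entry is what lets an incident review or a Law 25 incident register query quickly show who touched health information and when.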

Encrypt data at rest and in transit

Encryption is no longer optional for health information. It applies just as much to databases as to exchanges with partners such as RAMQ or TELUS Health.

Prepare an incident response plan

A privacy incident is not a matter of “if,” but rather of “when.” A strong documented plan sets out which steps to follow, in what order, who does what, and how affected individuals will be notified.

Conduct privacy impact assessments (PIAs)

Any new initiative involving sensitive health information, such as a clinical AI project or a data transfer outside Quebec, should be subject to a PIA before deployment. This requirement is explicit in Law 25 for private enterprises and in Law 5 for organizations in the health network.

To go further on the technical issues, read our article on preventing threats in software security.

Why this definition is crucial for your compliance

Clearly defining personal health information triggers a cascade of obligations that must be met throughout the data lifecycle.

  • Collection: necessary, limited to the stated purpose, transparent, and based on valid consent.

  • Use and disclosure: governed by consent, except where clearly defined legal exceptions apply.

  • Retention: limited to what is useful, followed by secure destruction or compliant anonymization.

  • Governance: appointment of a person responsible for personal information protection, maintenance of an incident register, staff training.

Depending on the organization’s status, obligations fall under Law 25, Law 5, or both. Public health network institutions and their partners are covered by Law 5, while private clinics, pharmacies, research organizations, and healthcare technology solution providers are at minimum governed by Law 25.

Conclusion

Clearly defining personal health information is the first step in a strong compliance approach. Without that foundation, internal policies remain unclear and technology tools are poorly calibrated.

Beyond legal obligations, rigorous management of this data protects patient trust, your organization’s relationships, and its reputation.

Would you like to build or modernize a digital solution that complies with Quebec healthcare sector requirements for personal information? Talk to a specialist to assess your situation and structure an approach tailored to your needs.

FAQ

Is an electronic patient record part of personal health information?

Yes, an electronic patient record is fully considered personal health information within the meaning of Law 5. It contains a significant concentration of sensitive data, ranging from diagnoses to clinical notes, prescriptions, and medical history. Its management is strictly governed by law, including access, retention, disclosure, and the eventual destruction of the information it contains.

Is anonymized data still covered by Law 25 or Law 5?

If anonymization is irreversible and complies with practices recognized by the Commission d’accès à l’information, the data is no longer considered personal and is therefore no longer subject to the applicable obligations, whether under Law 25 or Law 5, depending on the organization’s context.

Not necessarily. Consent must be informed, freely given, and appropriate to the sensitivity of the information concerned. For information considered sensitive, such as a diagnosis or a genetic result, express, separate, and explicit consent is generally required. However, certain legal exceptions do apply, particularly in cases of emergency disclosure, a professional obligation, or sharing between authorized parties within the network.
