Data Borders: the legal battle over health information storage in Ontario

A lawsuit filed by Doxy.me, a video conferencing platform to health professionals based in the United States, against Ontario Health underscores a significant disagreement regarding medical information storage in Ontario, Canada. Ontario Health’s guidelines dictate that health data must be stored within Canada to qualify for Ontario Health Insurance Plan (OHIP) benefits. This requirement has led to financial losses for Doxy.me and initiated a legal battle that extends beyond financial considerations. Doxy.me challenges the necessity of storing data in Canada, arguing that there is insufficient proof of its increased security compared to data stored elsewhere.

Although Ontario lacks specific legislation on data localisation, its Personal Health Information Protection Act (PHIPA) regulations govern data protection in the healthcare sector. Despite Doxy.me’s assertion of minimal data retention, recent legal decisions suggest increased privacy expectations, challenging the company’s position. This lawsuit represents a critical examination of data storage policies and privacy safeguards in the digital era. The pandemic has accelerated the adoption of virtual healthcare, prompting Ontario Health’s regulatory response, while other provinces, such as British Columbia, have taken a more relaxed approach.

Why does it matter?

This case delves into the security of online health records amidst growing cyber threats and examines Ontario’s capacity to enforce data storage regulations within the framework of international agreements like CUSMA. Amidst mounting cybersecurity risks, experts are divided on the importance of global data exchange, expressing concerns about the exposure of sensitive information under foreign jurisdiction, such as the U.S. Patriot Act.