Since July 1, 2024, the Act respecting health and social services information (Law 5) has established a rigorous governance framework for health information management in Quebec.
Download our comprehensive guide to understand and apply Law 5 within your organization.
This new legislation establishes a rigorous governance framework for the management of health information in Quebec. Inspired by Law 25, it adopts many of the same principles—this time applying them specifically to the health and social services sector.
Whether you are a public institution, a non-profit organization, a subcontractor, or a partner, you are likely affected.
Law 5 introduces specific rules governing the collection, use, retention, and sharing of health information.
It clarifies responsibilities for all parties, including partners and service providers.
It strengthens individual protections while enabling better access to information for authorized professionals.
In short: compliance no longer stops at your organization—it extends across your entire ecosystem.
The law applies to "health and social services sector bodies," including:
CIUSSS, CISSS, hospitals, CLSCs, CHSLDs, and other public healthcare facilities
Healthcare professionals in private practice and their teams
Laboratories, specialized medical centers, fertility clinics
Ambulance services, private seniors' residences, palliative care homes, funeral service providers
Even if your organization is not a health sector body, you may be indirectly affected:
Internal Employee Assistance Programs (EAPs)
Risk: Collection and processing of sensitive data
On-site medical clinics or nursing services
Risk: Shared responsibility for health data
Partnerships with providers subject to Law 5
Risk: Contractual compliance obligations
Appoint a Health Information Protection Officer (HIPO / RPRS) with a formal written mandate.
Map all health information held: type, purpose, location, and access method.
Draft and publish rules governing collection, access, retention, transmission, and destruction.
Maintain automated logs of all access to and transmission of health data.
Obtain consent that is clearly free, informed, and specific—and retain proof.
Conduct Privacy Impact Assessments before any high-risk technological project.
Notify the CAI and affected individuals within 72 hours when an incident presents a serious risk of harm.
Provide annual staff awareness training, with proof of participation.
Include mandatory clauses covering security, subcontracting, and audit rights.
On top of the fines and penalties imposed under Law 25, Law 5 provides for further fines of up to $150,000 per incident in cases of non-compliance.
Compliance with Law 5 is now just as critical as compliance with Law 25.
Review your contractual relationships—you may be required to certify Law 5 compliance when receiving health data from medical partners.
Your contracts and security measures must align with Law 5 requirements if you serve clinics or healthcare organizations.
Exact RH already supports many organizations—clinics, non-profits, and SMEs—in the practical application of Law 5:
Law 5 (Act respecting health and social services information) establishes a rigorous governance framework for health information management in Quebec. In force since July 1, 2024, it adopts principles similar to Law 25 but applies them specifically to the health and social services sector.
Law 5 applies to health and social services sector bodies including public institutions (CIUSSS, CISSS, hospitals), private healthcare practices, specialized medical centers, laboratories, ambulance services, private seniors' residences, and funeral service providers.
Key obligations include appointing a Health Information Protection Officer (RPRS), maintaining a data inventory, implementing written policies, keeping access logs, obtaining clear consent, conducting Privacy Impact Assessments (PIAs), notifying incidents within 72 hours, and including mandatory clauses in vendor contracts.
In addition to Law 25 fines and penalties, Law 5 provides for additional fines of up to $150,000 per incident in cases of non-compliance with health information protection requirements.
Yes, non-medical organizations may be indirectly affected if they have Employee Assistance Programs (EAPs), on-site medical clinics, or partnerships with healthcare providers subject to Law 5. They may need to certify Law 5 compliance when receiving health data.
Yes, Law 5 requires consent that is clearly free, informed, and specific. Organizations must retain proof of consent for health information collection, use, and sharing.
An access log is an automated record of all access to and transmission of health data. Law 5 requires organizations to maintain these logs to track who accessed what information and when.
When an incident presents a serious risk of harm, organizations must notify the CAI and affected individuals within 72 hours. This includes data breaches, unauthorized access, and loss of health information.
Law 5 is inspired by Law 25 and adopts many of the same principles, but applies them specifically to the health and social services sector. Compliance with Law 5 is just as critical as compliance with Law 25 for healthcare organizations.
Exact RH provides compliance diagnostics, policy drafting and consent templates, targeted training for staff and managers, PIA support and security testing, incident risk level assessment, and assistance with CAI communications.
Contact us for a free assessment. We'll help you turn Law 5 compliance into a trust-building advantage for your organization—and for your patients, employees, and partners.
Free Consultation: 1-866-950-3357