Navigating Compliance with Quebec’s Act Respecting Health and Social Services Information Through Private AI’s De-identification Technology

Quebec's Act Respecting Health and Social Services Information (ARHSSI) represents one of the most comprehensive and sector-specific privacy frameworks in Canada. While Quebec's Law 25 introduced sweeping changes to how organizations across the province handle personal information, the ARHSSI goes further, zeroing in on health and social services data with requirements that are, in several respects, more stringent than those found anywhere else in the country.

For organizations that collect, use, or share health and social services information in Quebec, the stakes are high. The Act introduces enforceable de-identification obligations, tightly defined access rights, and penalties that can reach $150,000 per violation. Understanding exactly what the ARHSSI requires, and how to build reliable compliance infrastructure, is not a compliance checkbox exercise. It is a strategic imperative.

This article provides a comprehensive overview of the ARHSSI, explains who falls within its scope, and explores how Limina's context-aware de-identification technology helps health and social services organizations meet their obligations, reduce risk exposure, and avoid the steep penalties associated with non-compliance.

Who does the ARHSSI apply to?

The ARHSSI designates a broad range of organizations as health and social services bodies (HSSBs), all of which are subject to its requirements. This includes the Ministry of Health and Social Services, the Health and Welfare Commissioner, the Commission on End of Life Care, and the Régie de l'assurance maladie du Québec (Quebec's Health Insurance Board). Specialized institutions like Héma-Québec, which manages the province's blood services, and the Institut national de santé publique du Québec are also captured.

The Act extends beyond public institutions to cover private facilities as well, including specialized medical centers, private seniors' residences, assisted procreation centers, and funeral service providers. Taken together, this is an intentionally broad scope that reflects a desire to ensure consistent privacy protections across the entire continuum of health and social care in Quebec, whether delivered by the public sector or by private operators.

"Health and social services information," as the Act defines it, encompasses any data that can identify an individual, whether directly or indirectly, when linked to their physical or mental health, medical history, biological samples, or the use of disability aids. It includes details about specific services received, outcomes, and the identity of service providers. Personal identifiers such as name, date of birth, and health insurance number are also considered health information when linked to care records or collected during registration or admission.

Notably, information collected strictly for human resources purposes about health workers or contractors is excluded from the definition. But for everything else falling within its scope, the ARHSSI applies in full.

What are the key obligations under the ARHSSI?

The ARHSSI covers a wide range of governance, access, and operational requirements. The following areas represent the core obligations that organizations subject to the Act must understand and address.

Collection, use, disclosure, and retention of information

Organizations must ensure that the collection, use, disclosure, and retention of health and social services information are done transparently and with clear justification. The collection must be limited to the minimum necessary for the stated purpose. As a default rule, consent is required before personal health information can be used or communicated. When HSSI is sent outside of Quebec, organizations must complete a privacy impact assessment (PIA) before any transfer takes place. Retention is equally constrained: data must only be kept for as long as necessary, and confidentiality safeguards must be maintained throughout the data lifecycle.

The obligation to de-identify by default

Perhaps the most operationally significant requirement in the ARHSSI is the mandate that personal information must be used or communicated in a de-identified form whenever possible. This is not a best-practice recommendation. It is a legal obligation that applies broadly to internal data use, external communications, disclosures to service providers, and the sharing of data with researchers. The requirement holds regardless of whether consent has otherwise been obtained. For organizations processing health and social services information at scale, this creates a meaningful operational challenge: every data flow involving HSSI must, as a default, be evaluated for whether it can proceed in de-identified form.

Access restrictions

The Act gives individuals the right to restrict access to their HSSI. This includes the ability to limit access by particular service providers or categories of providers, by relatives, and by researchers working on specific projects. The Act also limits internal access: personnel within an organization may only access HSSI for the purposes for which it was collected, or for purposes consistent with that original collection.

Rights of access to information

Individuals have a defined right to access their own health information. Related persons, including guardians, family members of minors, and relatives of deceased individuals, also have access rights in specific circumstances. Service providers and researchers may access HSSI under certain conditions, though researchers face stringent requirements, including the obligation to submit a PIA as part of their access request. Organizations must be prepared to process these requests in compliance with the detailed procedures the Act prescribes.

Technological products and privacy impact assessments

Any organization subject to the Act that plans to acquire, develop, or substantially overhaul a technological product or service must complete a PIA before proceeding if the project involves collecting, keeping, using, communicating, or destroying information the organization holds. The requirement is waived only if the product has been certified under a regulatory procedure that itself included a PIA. Organizations must also maintain a register of all technological products they use and publish that register on their website or through comparable means.

Confidentiality incidents

The ARHSSI takes a notably proactive approach to confidentiality incidents. Risk mitigation and incident-prevention obligations are triggered as soon as there is a risk of a confidentiality incident, not only once one has occurred. A separate 

The ARHSSI takes a notably proactive approach to confidentiality incidents. Risk mitigation and incident-prevention obligations are triggered as soon as there is a risk of a confidentiality incident, not only once one has occurred. A separate regulation accompanying the Act clarifies that formal notification obligations apply once an incident has in fact occurred, and sets out the specific details that notices must contain.

Oversight and penalties

The Act empowers authorities to conduct inspections and investigations, and to impose significant financial penalties for violations. For individuals, penalties range from $5,000 to $100,000. For organizations, violations can result in fines ranging from $15,000 to $150,000. The most severe penalties apply specifically where information that cannot lawfully be communicated under the Act is communicated anyway, making the failure to de-identify HSSI one of the highest-risk compliance gaps an organization can carry.

What does the ARHSSI require for de-identification and anonymization?

The de-identification provisions of the ARHSSI sit at the intersection of data minimization, privacy protection, and operational feasibility. Understanding the distinctions between these concepts matters, because the mechanisms for achieving compliance differ.

Data minimization requires that only the health and social services information that is strictly necessary for a stated purpose be collected in the first place. Intake forms must be designed accordingly, or technology must be deployed to automatically block the collection of data that falls outside the scope of the purpose. For retention, once the data has served its purpose, it must be destroyed or, as the Act specifies, anonymized as an alternative.

On the question of anonymization standards, the Act's language mirrors the anonymization framework introduced under Law 25. A separate regulation on destruction of HSSI provides some procedural detail but is largely silent on what anonymization itself requires. Organizations seeking clarity on that question are well advised to consult the anonymization guidance published under Law 25 as a practical reference while the regulatory framework continues to develop.

The Act's most distinctive requirement, however, concerns the active use and communication of HSSI. The law explicitly states that health information must be de-identified "where such information can be used or communicated in a form that does not allow the person concerned to be identified directly." Research is, in practice, the most common context where this standard can realistically be met. But the obligation is not restricted to research. Any time HSSI can be handled in de-identified form, the Act requires it to be.

This means organizations cannot treat de-identification as a step reserved for data sharing agreements or research partnerships. It must be built into how they handle data day to day, and it must operate consistently and at scale to be meaningful.

If your organization handles health or social services data in Quebec and you're assessing your compliance posture, speak with a Limina expert today to understand how automated de-identification can reduce your risk exposure under the ARHSSI.

How does Limina help organizations comply with the ARHSSI?

Limina was built by linguists, which means its de-identification technology does not rely solely on pattern matching to detect sensitive data. It understands context, recognizes entity relationships within documents, and applies judgment about what constitutes personally identifiable information or protected health information in a given text. This makes it particularly well suited to the kind of nuanced, high-stakes data processing that the ARHSSI demands from healthcare organizations and health services bodies across Quebec.

Automated de-identification at scale

The ARHSSI's default de-identification requirement cannot be met through manual review alone. The volume of health and social services data that organizations handle, across structured databases, unstructured documents, audio recordings, and digitized paper records, makes automation essential. Limina's technology automates the detection and redaction of PII and PHI in real time across all of these data types. It supports granular entity-level configuration, so organizations can define precisely which categories of information must be removed for a given use case, enabling the flexibility that real-world data processing requires.

On-premises and Canadian-hosted deployment

Given the ARHSSI's strict requirements around communicating health information outside Quebec, organizations need de-identification solutions that can operate within their own infrastructure or on servers located within Canada. Limina supports both on-premises deployment and secure API integrations with Canadian server endpoints, ensuring that sensitive health data never leaves the organization's controlled environment, or the country, in the process of being de-identified.

Meeting anonymization standards

The removal of direct and indirect identifiers is always the first, and often the most technically demanding, step in any anonymization workflow. Limina's context-aware approach supports this process by applying de-identification according to generally accepted best practices, taking into account not just explicit identifiers like names and health card numbers, but indirect identifiers that could still allow re-identification when combined. Whether the end goal is de-identification for internal use or full anonymization for research data release, Limina provides the foundation that organizations need to get there.

Supporting PIAs and confidentiality incident reporting

Before any information can be redacted, it must first be identified. That identification step, particularly in unstructured data such as free text fields, embedded documents, scanned PDFs, and audio transcripts, is often the hardest part. Limina automates that detection process, making it possible for organizations to conduct thorough privacy impact assessments and to accurately inventory the HSSI present in a given system. When a confidentiality incident occurs, or when risk of one is identified, having a precise and up-to-date understanding of what personal health information exists where is foundational to fulfilling the notification and reporting obligations the Act imposes.

Reducing the risk of financial penalties

For organizations that fail to de-identify HSSI when the law requires it, the ARHSSI's penalty structure is unambiguous. Individual violations can result in fines up to $100,000 for individuals and $150,000 for organizations, with the most severe penalties reserved specifically for the unauthorized communication of information. Implementing systematic, automated de-identification through Limina directly addresses this risk by ensuring that health data is de-identified by default before it is used or communicated, rather than as an afterthought.

Organizations in pharma and life sciences that work with Quebec health data as part of research programs or clinical trial operations face the same obligations and the same exposure. Limina's platform is designed to meet the requirements of regulated industries where the cost of a data privacy failure is not just financial but reputational.

Ready to see what Limina can do for your compliance program? Get in touch with our team to discuss your specific data environment and learn how we can help you meet the ARHSSI's requirements with confidence.

Why ARHSSI compliance cannot wait

Quebec has consistently moved ahead of the rest of Canada on data privacy. Law 25 set a new standard for how organizations across the province handle personal information. The ARHSSI builds on that foundation with requirements that are more demanding still, particularly for the health and social services sector. The Act is already in force, and the regulatory bodies empowered to enforce it have the tools to investigate, inspect, and penalize organizations that fall short.

The organizations most exposed are those that continue to process health and social services information in identifiable form when de-identified alternatives are available. Whether that reflects a lack of technical capability, a slow procurement process, or simply an assumption that enforcement will be gradual, the legal obligation is clear and in effect. The ARHSSI does not wait for organizations to feel ready.

Building compliance infrastructure now, rather than in response to an enforcement action or a confidentiality incident, is both the prudent and the practical path. De-identification at scale requires technology that can operate consistently across data types, integrate with existing systems, and be configured to meet evolving regulatory expectations. That is exactly what Limina is built to provide.

‍