Electronic Records Handbook
With constant advancements in technology, electronic medical records (“EMRs”) and electronic health records (“EHRs”) have become an integral part of health care delivery in Canada. EMRs/EHRs have the potential to improve the management of individual patient care while bolstering the overall effectiveness of the health care system. Efficiency gains from such advancements are expected to enhance the quality of care, improve access to care and reduce costs.
Recognizing the potential applications and benefits, this handbook aims to provide members with an overview of the issues associated with the implementation and use of EMRs/EHRs, including technological issues and medico-legal risks. It is intended to be a practical resource for physicians.
Distinguishing between EMRs and EHRs
An EMR generally refers to an electronic version of the paper record that physicians have long maintained for their patients. The EMR may be a simple office-based system or a more sophisticated shared EMR accessible to those within a group practice, health care facility, or a network of health professionals (e.g. treating physicians, other health care providers, information managers, etc.).
EHRs are typically maintained by a hospital, health authority or provincial health ministry and generally include a wider cross-section of information from more diverse sources than EMRs. The EHR is a compilation of core health data from multiple sources (e.g. physicians, physiotherapists, pharmacists, laboratories, etc.). It typically comprises different records submitted by various providers and organizations, accessible by several authorized parties from a number of places of care, possibly even from different jurisdictions.
Selecting an appropriate system
Choosing an electronic record system
In choosing an appropriate system, members should assess the needs of their practice and select a system that will meet their expectations. Members are encouraged to seek professional assistance from a variety of possible sources, including a technology vendor, an information technology consultant, provincial/territorial/national medical associations and/or their local physician technical support program, if available. Colleagues who have implemented an EMR may provide useful feedback on the selection process. Some jurisdictions have a preapproved vendor list to facilitate the selection process and might also have funding available to offset some or all of the acquisition and implementation costs.
Members should be aware of the legal and regulatory requirements applicable in their jurisdiction and ensure the chosen system can fulfill applicable requirements. In addition, if linking to an EHR, members should be aware of compatibility requirements that may be prescribed by health authorities, health care institutions or facilities.
The system vendor will likely require the physician/group to sign a software license, which is a legal agreement governing the use and distribution of the copyright-protected EMR software. While granting the physician/group permission to use the software, license agreements also impose certain obligations and restrictions on the use of the product. Members should be aware of the terms of the software license agreement and are strongly encouraged to contact their personal legal counsel and/or provincial/territorial/national medical associations for advice before signing the license agreement.
The system vendor may provide computers, tablets, PDAs (personal digital assistants), servers or other equipment to be used with the particular EMR/EHR system. Such equipment might be purchased or leased by the physician/group. If the equipment is leased, members should be aware of the terms of the lease, including any early termination payments or penalties. If the equipment is purchased, members should be familiar with the terms of the purchase agreement, including any applicable warranties. Physicians are encouraged to consult their personal legal counsel before entering into any equipment lease or purchase agreement.
In addition to choosing the right system (including software and hardware), there are a number of practical considerations that should be taken into account, including:
These issues, among others, will be discussed in the following chapters.
Working with decision support systems
Decision support sheets or algorithms are commonly used by physicians to analyze clinical facts to assist them with treatment decisions or diagnoses. Some EMRs/EHRs are equipped with decision support tools embedded in the software that prompt the user to consider certain factors and/or possible decisions in response to the inputted data. The presence of a decision support tool within an EMR/EHR gives rise to unique and challenging issues that should be considered before acquisition.
For example, members should determine if the system permits individual users to disable or disregard the decision support tool. If this is the case, members will want to consider the availability of a robust audit trail that tracks the advice that is accepted or rejected by individual users. Although each system will function differently, users should be aware in advance how the particular decision support tool operates and whether the information generated is reliable.
Decision support tools must not be used as a replacement for a physician’s own judgment. Each suggestion offered by the decision support tool should be assessed based on the individual circumstances of the case.
Members will want to consider documenting in the patient’s chart their reasons for following or ignoring a suggestion provided by the decision support tool. If the diagnosis suggested by the software was ignored and proves in hindsight to be accurate, the physician may be required in the course of a legal action or College complaint to justify why the information was disregarded. Documentation of the physician's rationale for disregarding a suggestion would be helpful under these circumstances. Similarly, if the decision support tool is disabled, physicians will want to document their rationale for doing so.
Existing regulations and guidelines regarding the creation, maintenance, retention and destruction of traditional paper medical records generally extend to EMRs and EHRs. There may be additional requirements that apply specifically to records in an electronic format. These will be determined primarily by regulatory authorities (Colleges) and provincial, territorial or federal governments.
Regulatory authority (College) requirements
Several Colleges have adopted policies, bylaws, rules or regulations concerning EMRs/EHRs that include some or all of the following requirements:
While not all of these requirements may necessarily apply in every jurisdiction, they should be considered when setting up an EMR in a medical office.
Respecting privacy legislation
Privacy legislation governing the collection, use and disclosure of personal information is applicable in all provinces and territories. In many provinces, the legislation includes provisions that apply specifically to the privacy of electronic health records. Legislation governing electronic commerce may also be applicable and typically deems electronic records to be equivalent to paper records, regulates the use of electronic signatures and addresses certain evidentiary issues.
Most privacy statutes impose obligations on physicians and other custodians of patient information to take all precautions to minimize the risk of loss, theft or unauthorized access or use of that information. Some privacy legislation further requires custodians to implement specific safeguards when maintaining patient information in electronic form.
As with any patient information, physicians generally do not need a patient's express consent to include his or her health information in an EMR/EHR, or to share patient information with other health care providers for the purpose of providing treatment. Physicians can generally rely on a patient's implied consent to share information within the “circle of care,” which includes those health care professionals who “need to know” the information for the purpose of providing care.
Privacy legislation also generally permits custodians to share personal health information with an “agent” (such as a service provider or company assisting with a physician’s medical practice) on the basis of implied consent. As a custodian, the physician hiring the agent remains accountable for the personal health information in the hands of the agent. As such, members should ensure that the service provider understands the necessity of protecting personal health information and takes appropriate steps when performing its functions. Members are encouraged to enter into a written agreement to confirm the agent understands his/her obligations. In some jurisdictions, a written agreement may be required by the privacy commissioner.
Although consent can usually be implied, it may be prudent in some circumstances to notify patients that their health information will be stored electronically, particularly if stored in a shared EMR or an EHR through which a number of people will have access to the patient's personal health information. Privacy legislation in some jurisdictions requires patient notification in these circumstances by speaking with them individually, sending them a letter, or placing a poster in the office.
Express consent should be obtained whenever a physician is asked to disclose patient information from an EMR/EHR:
a) To a third party outside of the circle of care (e.g. an insurer or employer) and who is not an agent of the physician; or
b) Where the information will be used for a purpose other than providing health care to the patient and it is not permitted or required by law.
Disclosure in the latter case is often referred to as a “secondary use” of personal health information. Other examples of “secondary uses” include marketing, conducting research or providing personal health information to an organization or government body for the purpose of health system planning. Some privacy statutes expressly permit the use of health information for these secondary purposes. Members will want to familiarize themselves with the exemptions contained in the relevant privacy legislation. Where appropriate, patient information should be de-identified to the extent possible before it is used for purposes other than providing health care.
When express consent is required, it is generally prudent to ask the patient to execute a consent form. If verbal consent is obtained, it should be documented in the patient's medical record. Regardless of the approach used, the patient's consent should be informed.
Core data set
The term “core data set” typically refers to the portion of a patient’s record that is also accessible by non-primary care professionals or health care facilities. It can be viewed as a subset or, in some cases a summary or overview, of the patient's complete medical record. Since it is created for the purpose of sharing specific data between health care providers and others involved in the delivery of health care, it is generally included only within an EHR.
Members may wish to discuss with their regulatory authority (College), health authority, or privacy commissioner whether it is necessary to obtain consent from patients prior to uploading their health information in the core data set. Clarity should also be obtained from the relevant authority on the extent of information that must be included.
Patient requests regarding access to their information by others
Patients may request that access to their health information contained in an EMR/EHR be limited, even if it is for health care purposes. This can be done through a process commonly referred to as a “lock-box” or “masking.” Members with EMRs should consider whether their system permits masking, how they will manage lock-box/masking requests, and what obligations exist to inform recipients that the information may be incomplete. If storing patient information in a shared EMR or an EHR, members should also ask those responsible for the shared system how these lock-box/masking requests should be handled.
In jurisdictions with provincial EHRs, “disclosure directive/opt-out” processes that permit individuals to control information may apply. Although the scope and restrictions on the directive or opt-out may vary, they can relate to the type of personal health information contained in the EHR, the purposes for which personal health information may be disclosed from the EHR, and the persons or classes of persons who may access the personal health information in the EHR. Where such a disclosure directive/opt-out process exists and is recognized by law, it may serve to restrict a health care provider's access to the information, except in certain circumstances such as incapacitation, in an emergency, or with the person’s express consent.
Patients generally have a right to access their own health information. Physicians must have a means to provide patients with access to their health information contained in an EMR/EHR in an appropriate format. Physicians may charge a reasonable fee for providing copies of records to patients.
Despite this obligation, there are circumstances when physicians may be concerned about providing access to certain information. For example, a psychiatrist may believe it would be harmful for a patient to review information related to the psychiatrist's impressions or analysis of the patient's mental health status. Although, in exceptional circumstances, a patient may be refused access to portions of his or her medical record, the general expectation is that the potentially harmful information be segregated from the record, rather than refusing patient access to the entire record.
As with paper records, physicians have an ethical and legal obligation to keep all patient information confidential. However, when patient information is stored in an EMR/EHR, it is likely accessible to a greater number of people than a traditional paper record and the protection of the information is therefore more complex.
Robust security features and policies must be implemented to ensure information maintained in an EMR/EHR is only accessible within the circle of care to provide adequate patient care, or for other purposes authorized by law or with express patient consent. This can be achieved through the use of user identification and passwords for logging on. In addition to having security mechanisms that limit access to authorized persons only, where possible, it is prudent to consider equipping the EMR/EHR system with controls that restrict access based on the user's role and responsibilities. Locating printers in areas with restricted access is another way to protect patient information.
The CMPA strongly recommends that physicians consider implementing encryption protection on all computer systems (including desktops and laptops) containing personal health information. Members who store patient information on portable data storage devices such as personal digital assistants (PDAs), USB flash drives, portable hard drives, etc. should also consider installing encryption software on these devices. Indeed, some privacy commissioners and Colleges have stated that physicians and other custodians must encrypt patient information stored on mobile devices.
When using a wireless network to access and send patient information contained in the EMR/EHR, members will want to consider steps to ensure that the network used is secure. Additional requirements may apply when transmitting a patient’s personal health information outside of the province/territory where it was collected. For example, patient notification may be required when using a service provider outside of Canada (e.g. for transcription of dictation).
Privacy impact assessment/audit
Some jurisdictions require a privacy impact assessment prior to implementing or making changes to an EMR system. While the assessment may not be a legal requirement in every jurisdiction, it is a prudent and valuable procedure. Privacy impact assessments identify and minimize the privacy risks associated with the implementation of the EMR system. Members are encouraged to consult with their respective privacy commissioner/ombudsman on how to conduct a privacy impact assessment. Some privacy commissioners have published guidelines in this regard. In some jurisdictions, it may be necessary to submit the completed privacy impact assessment to the privacy commissioner.
It is also prudent for members to conduct periodic privacy audits of the EMR system once it is installed. Routine audits ensure that access to patient records in the EMR/EHR has been restricted to authorized individuals for authorized purposes. Conducting these audits on a regular basis allows for the early identification and management of any unauthorized access.
Transportation of data
There may also be risks associated with the physical transportation of electronically stored personal health information. The Canada Border Services Agency and some foreign governments have issued statements declaring their unequivocal authority to search and potentially seize electronic devices that a traveller may be attempting to bring into the country. In some cases, the information obtained in a border search may be broadly shared. This raises obvious concerns regarding the privacy and security of patients' personal health information when it is stored on a device that is subject to a border search.
Members are encouraged to contact the CMPA prior to physically transporting or electronically transmitting health information across borders.
Physicians have a duty to their patients to keep records that are accurate, complete and up-to-date. With electronic record systems, physicians must ensure the authenticity and integrity of both the electronic data and the process by which it was created. Some measures may be required by legislation and/or by the member's regulatory authority (College).
An EMR/EHR should have an audit trail detailing user access and alterations to the record. An audit trail assists in demonstrating the information contained in the EMR/EHR is authentic and reliable. It also assists with continuity of patient care, especially where multiple health care providers have access to the record.
The audit trail system should enable the physician to:
Physicians have a responsibility to maintain accurate records. Fulfilling this responsibility includes complying with requests from patients seeking access to their record. A patient has the right to access his or her record and to request a correction. Physicians are generally entitled to refuse requests to correct medical opinions or information that is necessary for clinical purposes. The decision must be made on a case-by-case basis and in keeping with any applicable legislation or College requirements. For example, privacy legislation may set timelines for responding to patient requests, establish parameters for granting or refusing correction requests, identify how the record is to be corrected and require certain steps be taken once a request is granted or refused. Members should be familiar with those provisions and comply with them.
Members should also be aware that, with an EMR/EHR, there might be multiple health care providers treating the patient and making entries into the record. If a patient requests that the physician correct or alter an entry made by another health care provider, it would be prudent to direct the patient's request to that provider. Alternatively, the member may consult with the other health care provider if the entry is relevant to the treatment the member is providing or has provided the patient, in order to determine whether the change should be made and by whom.
If a member refuses a patient's request for a change, the member should retain on the chart a copy of the patient's request and the letter of refusal setting out the reasons for refusal, as well as any related communications received or sent via email or other electronic means. Some privacy legislation also requires physicians to retain copies of any letters of disagreement the patient sends upon learning of a refusal.
Physicians also have a general duty to correct inaccurate information in a patient’s record, especially where the information is vital to the patient's treatment.
If a member believes a change to the record is required, the amendment should be made in a manner that is as consistent as possible with applicable College requirements for paper records. The amendment should not obscure or delete the original entry. In an electronic environment, changes can usually be made using an addendum or digital strikeout. The date, time and initials (or electronic signature) of the person making the alteration should be visible on the electronic record. A “track changes” function (commonly found in most word processors to monitor changes to documents) could be used for this purpose or, where this is not available, an addendum should be placed in the record, preferably next to the original entry, explaining what change is needed.
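As an added illustration (example code written for this page, not an EMR vendor's implementation), the following Go program models the behaviour described above for audit trails and amendments: an amendment never deletes the original entry, which is struck out but stays readable; the addendum carries the date, time and initials of the person making it and references the entry it corrects; and every view and alteration is written to an audit trail that can later show who accessed or changed the record and when. Patient and user identifiers are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Entry is one note. Its text is never edited or removed once written; the only
// later change is StruckOut, which flags it as superseded but keeps it readable.
type Entry struct {
	ID         int
	Author     string // initials or user ID of the person making the entry
	Written    time.Time
	Text       string
	StruckOut  bool // digital strikeout
	Supersedes int  // 0 for an original, otherwise the ID of the entry corrected
}

// AuditEvent records who viewed or altered the chart, what they did, and when.
type AuditEvent struct {
	At           time.Time
	User, Action string // Action is "view", "create" or "amend"
	Entry        int    // entry concerned; 0 for a whole-chart view
	Detail       string
}

// Chart is an append-only patient record with its audit trail.
type Chart struct {
	Patient string
	entries []Entry
	audit   []AuditEvent
	now     func() time.Time // injectable clock so runs are reproducible
}

// NewChart creates an empty chart; pass nil to use the system clock.
func NewChart(patient string, clock func() time.Time) *Chart {
	if clock == nil {
		clock = time.Now
	}
	return &Chart{Patient: patient, now: clock}
}

func (c *Chart) log(user, action string, entry int, detail string) {
	c.audit = append(c.audit, AuditEvent{At: c.now(), User: user, Action: action, Entry: entry, Detail: detail})
}

// Add appends a new original entry and returns its ID.
func (c *Chart) Add(user, text string) int {
	id := len(c.entries) + 1
	c.entries = append(c.entries, Entry{ID: id, Author: user, Written: c.now(), Text: text})
	c.log(user, "create", id, "")
	return id
}

// Amend corrects an entry without obscuring it: the original is struck out but
// stays visible, and an addendum with the corrector's initials, date and time is
// appended with a reference back to the original. The alteration is audited.
func (c *Chart) Amend(user string, original int, correction, reason string) (int, error) {
	if original < 1 || original > len(c.entries) {
		return 0, errors.New("no such entry")
	}
	if c.entries[original-1].StruckOut {
		return 0, errors.New("entry already superseded; amend its addendum instead")
	}
	c.entries[original-1].StruckOut = true
	id := len(c.entries) + 1
	c.entries = append(c.entries, Entry{ID: id, Author: user, Written: c.now(), Text: correction, Supersedes: original})
	c.log(user, "amend", original, fmt.Sprintf("superseded by entry %d: %s", id, reason))
	return id, nil
}

// View returns a copy of the entries and records the access in the audit trail.
func (c *Chart) View(user string) []Entry {
	c.log(user, "view", 0, "")
	return append([]Entry(nil), c.entries...)
}

// Audit returns the trail of accesses and alterations.
func (c *Chart) Audit() []AuditEvent { return c.audit }

func main() {
	t := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC) // constructed clock, advances one minute per event
	c := NewChart("constructed-patient-001", func() time.Time { t = t.Add(time.Minute); return t })
	id := c.Add("JS", "Rx amoxicillin 500 mg TID x 7 days")
	if _, err := c.Amend("JS", id, "Rx amoxicillin 500 mg BID x 7 days", "frequency entered in error"); err != nil { panic(err) }
	for _, e := range c.View("RN-AB") {
		mark := " "
		if e.StruckOut {
			mark = "~" // struck out, but still readable on the record
		}
		fmt.Printf("%s#%d %s %s supersedes=%d: %s\n", mark, e.ID, e.Written.Format("2006-01-02 15:04"), e.Author, e.Supersedes, e.Text)
	}
	for _, ev := range c.Audit() {
		fmt.Printf("%s %-5s %-6s entry=%d %s\n", ev.At.Format(time.RFC3339), ev.User, ev.Action, ev.Entry, ev.Detail)
	}
}
```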
Notifying other users of erroneous or outdated information
If a member becomes aware that the EMR/EHR to which he or she has access contains outdated, incomplete or inaccurate information, it is prudent to immediately alert other users of the EMR/EHR so that patient treatment is not compromised. Efforts should then be made to correct the erroneous information as soon as possible, in the manner discussed above. Members should also be aware that privacy legislation generally requires custodians who correct records to notify others to whom the relevant information has been disclosed.
The data sharing agreement (an agreement setting out the terms for the sharing of electronic health information) should ideally contain a provision that addresses the procedures for correcting the EMR/EHR and requiring notification of previously accessed erroneous or outdated information. Members should refer to applicable requirements and the specific data sharing agreement when considering making a correction.
Receiving data/records from other health care providers
A unique challenge with EHRs (and shared EMRs) is that other health care providers have access to the data and may contribute to the EMR/EHR directly. A physician may also receive data or records from other health care providers that are incorporated into a patient’s EMR. These physicians may be unfamiliar with each other's practices and may not consult with each other regularly, if at all.
The importance of accuracy is increased in these circumstances and all health care providers using the EMR/EHR should make reasonable efforts to know who contributes to it, how often it is being accessed, and how information they have added should appear on the screen or printout (e.g. initialed/signed and dated entries, strikeouts/addendums for changes to original entries, etc.).
Converting paper records to electronic form
If members choose to adopt an EMR, they might wonder whether their existing paper records should be transferred to an electronic format and whether, once scanned, the original records can be destroyed.
While transferring paper records to an electronic format can yield enormous benefits to physicians in terms of increased efficiency and improved patient care, members should nonetheless be aware that documents converted into electronic format are considered copies (otherwise referred to as “secondary evidence”) but may be admissible in legal proceedings if certain steps are followed. The rules concerning the admissibility of copies have been modified in most Canadian jurisdictions to take into account the reality of electronic record-keeping.
Responding to a legal request to produce an electronic record can be challenging. It may be necessary to produce the “metadata” embedded in all electronic documents. Specialized technical assistance may be required to ensure that all the required data is included. Upon receiving a subpoena or a court order to produce medical records (in paper or electronic form), physicians are encouraged to contact the CMPA for advice.
Some Colleges permit the destruction of paper records once they have been scanned. However, the CMPA encourages its members to consider the following guidance to ensure paper records converted into electronic format meet evidentiary requirements:
Digital records should be kept in “read-only” format so they cannot be altered or manipulated after conversion. Members should be aware of the differences between “scanning” and “Optical Character Recognition” (“OCR”). Scanning simply generates a non-editable digital representation of an image, whereas OCR is a technology process that converts an image of handwritten or typewritten text into machine-editable text. Once an image has been converted using OCR, the text can be changed, searched, or otherwise manipulated. OCR may be used in conjunction with scanning. However, OCR alone should not be used when converting paper records to electronic form, unless the original paper records will also be scanned or will be maintained in paper form.
Where the appropriate steps have been taken, it may be reasonable for the member to destroy the original record. However, in exceptional cases, such as when the quality of the paper records makes the converted document difficult to read, it may be prudent to retain the paper records for the period of retention recommended by the CMPA: at least 10 years from the date of the last entry or, in the case of minors, 10 years from the date on which the minor reaches the age of majority. The eventual destruction of the paper records should be in keeping with the physician's obligation of confidentiality as well as any applicable legislative and College requirements.
Physicians who are already using an EMR and wish to switch to a new EMR software or vendor will need to consider how to maintain the integrity of the patient data as entered in the old EMR system. Options may include migrating the data from the old system into the new system or archiving the data in the old system. Regardless of the process, physicians will want to ensure they have continued access to their patients’ data for the applicable retention period and that the information including the metadata is not compromised or otherwise changed in the process.
Back-up and recovery
It is not uncommon for computer systems to fail, which can lead to the loss of patient information contained in an EMR. In some jurisdictions, legislation and/or regulatory authority (College) policies require that physicians ensure electronic files are routinely backed up and that the system allows for the recovery of such files.
Even if there are no specific regulatory requirements in a particular jurisdiction, it is good practice to back up patient information on a daily or weekly basis and to ensure the back-up files are encrypted. Members may also want to regularly test the restore process for these backed-up files. Furthermore, members may wish to use an off-site back-up system to protect patient records, in the event that an office computer is stolen, lost or destroyed. Physicians should consult with their vendor or service provider for more information about the back-up and recovery capabilities of the particular system being used.
The critical function of a signature is to associate the signatory with the contents of the document. Can an electronic signature effectively serve the same purpose in an EMR/EHR? In fact, it can legally serve the same purpose. An electronic signature, although not tangible in nature, can still be evidence of the association of the signatory with the document and its contents.
“Electronic signature” is a generic term that refers to a wide variety of non-manual signature options, including digital signatures. It is commonly defined as electronic data created or adopted by a person to sign a document. The data is then attached to or associated with the document.
A “digital signature” is a technology-specific type of electronic signature. It is one of the many techniques that satisfy the functions sought to be performed by electronic signatures. A common misconception is that electronic signatures are merely a digital version of a handwritten signature. While a signature entered on a touchpad is one example of an electronic signature, more common examples are those consisting of one or more letters, characters, numbers or symbols that are attached to or associated with an electronic document.
Although electronic signatures are generally recognized as being as valid as manual signatures, they cannot yet be used in all circumstances. For example, a physician may not be able to use an electronic signature for prescriptions in some provinces and territories.
Where they are permissible, electronic signature devices must meet certain reliability requirements. In the event of a potential future legal proceeding, a member employing such a device will want to be able to explain how the device works and attest to its reliability. Without this assurance of reliability, a court or tribunal may not allow the electronically signed document to be admitted as evidence or it may be given reduced weight.
It is therefore important to be able to demonstrate the electronic signature was properly associated with the document in question (e.g. report, consent form, etc.). Without this assurance of reliability, the other side in a dispute could argue that the patient did not know to which document he or she was affixing a digital signature when signing with a stylus on a digital signature pad. Alternatively, it could be argued the physician's signature was not associated with the correct report and the physician did not, in fact, review the relevant document.
In order to be in a position to effectively respond to such arguments, members should consider a system with the following characteristics:
Members are encouraged to explore the various electronic signature options with an information technology consultant.
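To make the association point above concrete, here is an added example (not the handbook's or any vendor's code) in Go using an Ed25519 digital signature from the standard library. The signature is computed over the document's SHA-256 digest together with the signer's identifier and the time of signing, so it verifies only for that signer and that exact document: an altered report, a report the signature was never applied to, or a changed signer field all fail verification. The key pair, signer ID and report text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// SignedDocument is what a record system would store beside a report: the
// signer, the time of signing, the digest of the exact bytes signed, and the
// signature. The signature covers all three, so it attests that this signer
// signed this document at this time and cannot be re-attached to another one.
type SignedDocument struct {
	Signer string
	Signed time.Time
	Digest [32]byte
	Sig    []byte
}

// message serialises signer, time and digest unambiguously (length-prefixed
// signer, big-endian Unix seconds, then the digest) for signing and verifying.
func message(signer string, at time.Time, digest [32]byte) []byte {
	m := make([]byte, 4+len(signer)+8+len(digest))
	binary.BigEndian.PutUint32(m, uint32(len(signer)))
	copy(m[4:], signer)
	binary.BigEndian.PutUint64(m[4+len(signer):], uint64(at.Unix()))
	copy(m[12+len(signer):], digest[:])
	return m
}

// Sign binds signer to doc: the digest is taken over the document bytes and
// the Ed25519 signature is made over message(signer, time, digest).
func Sign(priv ed25519.PrivateKey, signer string, at time.Time, doc []byte) SignedDocument {
	sd := SignedDocument{Signer: signer, Signed: at.UTC().Truncate(time.Second), Digest: sha256.Sum256(doc)}
	sd.Sig = ed25519.Sign(priv, message(sd.Signer, sd.Signed, sd.Digest))
	return sd
}

// Verify answers the question raised in a dispute: is this exact document the
// one the named signer signed? It fails if the document bytes differ from what
// was signed, if the signer or time fields were changed, or if the signature
// was made with a different key.
func Verify(pub ed25519.PublicKey, doc []byte, sd SignedDocument) bool {
	if len(pub) != ed25519.PublicKeySize || sha256.Sum256(doc) != sd.Digest {
		return false
	}
	return ed25519.Verify(pub, message(sd.Signer, sd.Signed, sd.Digest), sd.Sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair for the example signer
	if err != nil {
		panic(err)
	}
	report := []byte("Consult note (constructed): chest X-ray reviewed, no acute findings.")
	sd := Sign(priv, "DR-EXAMPLE", time.Date(2024, 3, 1, 9, 30, 0, 0, time.UTC), report)
	fmt.Println("original report verifies:    ", Verify(pub, report, sd))
	altered := []byte("Consult note (constructed): chest X-ray reviewed, acute findings.")
	fmt.Println("altered report verifies:     ", Verify(pub, altered, sd))
	other := []byte("Different report (constructed): discharge summary.")
	fmt.Println("signature moved to other doc:", Verify(pub, other, sd))
}
```

Verification succeeds only with the signer's public key, so the public key itself must be retained and protected for as long as the signed record must remain provable.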
Electronic records facilitate the quick transmission of patient information to other health care providers or to the patient. In a shared EMR or an EHR, it is likely other health care providers involved in the patient's care will have direct, independent access to the patient's record and the information necessary to provide treatment. In these circumstances, the treating physician has a limited role in making the patient information available.
If uploading patient information from an EMR to another EMR/EHR, members should consider whether the network they are using is sufficiently secure. Again, members should consult with their respective College concerning any applicable policies or guidelines in this regard. Similarly, when a physician receives a request from another treating health care provider for patient information contained in an EMR that is not shared, the physician should choose a secure means of transmission from the available electronic options, such as fax, email or another EMR/EHR.
Communicating electronically with patients and others
Colleges may have policies or guidelines on communicating with patients through email or fax. Prior to communicating with patients through email or fax, members should discuss the risks and obtain the patient's consent to transmit their health information in this manner. Any discussions with the patient should be documented in the patient's medical record and the use of a written consent form is advisable (see the Information Letter (March 2009) entitled “Using email communication with your patients: Legal risks” with the attached template consent form).
Emailing with patients raises unique legal issues. At least one provincial privacy commissioner has suggested physicians avoid communicating personal health information via email unless the email service is secure and offers strong encryption. Members should establish policies and procedures for the handling of email communications. Employees should be informed (through a policy or otherwise) of the risks associated with inappropriate email communication.
If a member is employed by (or holds privileges within) an organization, institution or hospital, it may be difficult to protect sensitive email correspondence from being accessed by the organization. For example, a member working from a hospital might be vulnerable to the hospital administration accessing email correspondence that has been prepared on a hospital computer or transmitted over the hospital system. If it is necessary to use email to communicate sensitive personal matters, consider using a personal email account accessed from a computer you personally control, such as one at your office or home. This caution is especially pertinent for members who are being assisted by counsel with a legal matter.
Members should also implement standard procedures when faxing patient information to minimize the possibility of misdirected faxes. For example, depending on the recipient and the sensitivity of the information being faxed, it may be prudent to contact the recipient before sending the fax to confirm the fax number and to ensure the recipient is present to receive the document.
As with paper records, procedures are required to ensure the adequate disposal of electronic records. The following are some key points to keep in mind when considering the retention and destruction of EMRs:
Some privacy legislation requires physicians to keep a record of:
Effective destruction requires the EMR/EHR be permanently deleted or irreversibly erased. When destroying the information, members must consider whether it is necessary to destroy not only the “original” records, but also any copies of these records, including back-up files.
Some privacy commissioners have recommended the physical destruction of the electronic storage device (e.g. hard drive) to ensure the permanent deletion of patient information stored on these devices. In some cases it may instead be sufficient to employ wiping software to delete the information contained on the hard drive. However, depending on the sophistication of the software, wiping may not irreversibly erase every bit of data on a drive. Selling or giving away electronic storage devices that contain or once contained patient information should be avoided.
Given the technological expertise required to effectively destroy electronically stored information, it is preferable to engage an accredited service provider to destroy patient information maintained in EMRs. Some privacy commissioners have stated that when engaging a commercial service provider to dispose of patient information, physicians must enter into a written contractual agreement with that service provider. The agreement should clearly spell out the responsibilities of the service provider to securely destroy the health information records, how the destruction will be accomplished, under what conditions, and by whom. While not currently a requirement in all jurisdictions, this is a prudent practice for all members who engage the services of a records disposal company.
Storing electronic health information data with third parties
With the advent of new forms of recordkeeping come new formats for storing and maintaining the data contained in electronic records. Even the most technologically savvy physician is likely to engage the assistance of an outside service provider for implementing, maintaining and storing electronic medical records. In addition, many provinces, health authorities and hospitals are seeking to set up their own EHRs that may integrate physicians' EMR systems. Accordingly, there are a number of different scenarios and structures that will see a physician contracting with a third party to implement an EMR/EHR system.
Some of the potential contracting arrangements that a member may consider entering into for the purposes of an EMR/EHR system include:
In any of these situations there are certain fundamental principles that should be considered when entering into an agreement. The CMPA, in conjunction with the Canadian Medical Association, has published guidance on Data Sharing Principles for Electronic Medical Record/Electronic Health Record Agreements, contained at Appendix C. Members should consult this document as well as their personal legal counsel whenever contemplating a data sharing agreement or inter-physician agreement.
Choosing a third-party vendor to set up/maintain an EMR/EHR
Members considering implementing an EMR system may need to retain a third-party vendor to provide the necessary advice on issues including software, hardware, electronic storage, etc. Some of the provincial governments have set up specific programs to provide technical and financial assistance to physicians in this regard. This may include screening and approving vendors to ensure they conform to applicable requirements.
While a government or other authoritative endorsement of an EMR vendor may provide some comfort as to the system's suitability, members will need to exercise their own “due diligence” and ensure they understand the agreement they sign with a vendor of an EMR/EHR system. The agreement should fully describe the services and functionality to be provided by the EMR system. The scope of the service provided by the vendor must be adequately set out in order that the vendor can be held accountable for the performance of the agreement. Members may wish to ask the following questions of the vendor and ensure the data sharing agreement addresses the following:
Implementing an inter-physician agreement for shared EMRs
Where a member practices within a group of physicians or a physician organization, it may make practical and financial sense to have a shared EMR system for use by all of the physicians. This system may or may not be integrated with a hospital, regional or provincial EHR system.
An agreement among a group of physicians or a physician organization with an information technology consultant should be subject to the same considerations as discussed above with respect to choosing a third-party vendor. In addition, there should be an agreement with respect to the shared EMR system among the individual physicians and health care professionals making up the group or organization. An agreement relating to a shared EMR may be stand-alone or may be included in a larger agreement between the physicians that governs other issues with respect to the management of the group practice, clinic or other organization (e.g. partnership agreement or shareholder agreement).
Once a patient's medical record contains contributions from various individuals and is to be accessed by a number of health care providers, questions of ownership and security become significantly more complex. In addition to the fundamental principles discussed above, particular attention should be paid in the inter-physician agreement to ensuring a patient's record is accessible only by authorized users for authorized purposes. It will likely be necessary to consider mechanisms for restricting access to only those physicians and their staff that need access to a particular patient's record for medical care or for other authorized purposes.
Data sharing agreements with health authorities
In some jurisdictions, the medical association will have negotiated some form of data sharing or information management agreement to govern physicians’ use of an EHR managed by the health authority. Where no information management agreement exists, members seeking to be a user of an EHR system established by a health authority, or linking an EMR to the EHR, should consider entering into a data sharing agreement. The principles of this agreement are the same as those discussed above (and in Appendix C).
One issue unique to this context is the protection of quality assurance/improvement records. Where a hospital quality improvement committee has prepared records for the purpose of reviewing adverse events and evaluating the effectiveness of a hospital's practices and procedures, these records should be segregated from other records to ensure that any legislative protection from disclosure is maintained. The data sharing agreement should stipulate how records will be segregated and how access to records will be limited. For example, the data sharing agreement should stipulate that this information (i.e. personal and quality assurance/quality improvement information) will not be disclosed unless required by law.
Another issue in this context is whether a physician's personal information (contained in the EHR) will be disclosed to his or her regulatory authority (College) or other investigative agency (e.g. in the course of a billing audit).
Protecting against liability when sharing personal health information
A number of provisions can and should be incorporated into any data sharing agreement or inter-physician agreement to minimize the risk of liability in the context of an EMR/EHR, including:
These provisions are discussed in detail in Appendix C.
Termination of agreement and ensuring continuity of operation
There may come a time when parties mutually agree to terminate a data sharing or inter-physician agreement (e.g. a physician group may disband or be dissolved). The agreement might also be terminated in connection with a breach of the agreement or insolvency of other parties.
There are also many reasons why a member's participation in the EMR/EHR system may come to an end (e.g. leaving the jurisdiction or ceasing to practise medicine as a result of disability or death). Members should ensure their data sharing or inter-physician agreement includes a clause permitting its termination without cause by providing notice to the other party.
Indemnities and confidentiality obligations in the agreement should continue to apply despite termination. Members will also need to ensure they have continued access to the information in the EMR/EHR in accordance with their record retention obligations. Even if a member is no longer practising medicine, he or she may receive requests from patients to access their medical records. Members may also require the records in the event of a medico-legal issue. The agreement should require that the custodians of the records maintain them in their original form and take reasonable steps to prevent the information from being lost, stolen or inappropriately accessed. Provisions should be included to ensure the original records are appropriately destroyed when the applicable retention period has expired.
Canadian physicians are witnessing increased reliance on technology to manage patient health information. EMRs and EHRs are likely to continue to develop new functionality, including the use of patient portals through which patients can access their information, interact with health care providers and possibly upload data. Beyond EMRs and EHRs, Internet-based products that facilitate the creation of health records by patients themselves are quickly entering the marketplace. These innovations, while generally well intended, give rise to unforeseen medico-legal issues that will need to be addressed.
Patient health record (PHR) and patient portals
Unlike an EMR or EHR, which is typically created and maintained by a health care professional or facility, a patient health record (PHR) commonly refers to a compilation of information (including past and present medical conditions, medications and allergies) personally gathered and maintained by the patient using a third-party service or tool. Some of these applications offer a self-diagnosis tool through additional Internet-based information about symptoms, causes and treatments.
Patients may choose to grant physicians and other health care providers access to the information entered into their online patient health record. Many products also allow hospitals, clinics, laboratories, pharmacies and individual physicians to upload additional health information into the electronic health record created by the patient. Emerging new functionality may allow patients not only to access their information online, but also to interact with health care providers and possibly to upload data, such as blood pressure readings, temperature, or blood sugar levels.
Members should exercise caution if relying exclusively on the information contained in an Internet-based electronic health record, particularly one created by the patient. It may be prudent in some circumstances to take steps to verify that the information is accurate and complete. Patient-created health records should not be considered a replacement for a physician's own record-keeping obligations, nor should they replace an individualized assessment of a patient (including asking direct questions concerning his or her medical history). Where a patient requests a physician upload information to an online health record, the physician should discuss the request with the patient, and carefully consider issues about consent and security.
Physicians may choose to create a website accessible by their patients and/or other health professionals. While there are potentially endless possible uses for such websites, many are being used as a means of communicating with patients. Some of the more advanced physician websites and patient Internet services offer online tracking tools to facilitate and monitor patients' ongoing follow-up care (e.g., chronic disease management). These tools generally permit the patient to enter his or her health information through a secure web-based patient portal for review and monitoring by the physician. The physician can respond to the data by communicating with the patient through email alerts or secure messaging.
Advancements in portal technology and Internet-based patient records will require analysis of issues such as privacy, security and the integrity of those records. The extent to which physicians should rely on the information in patient communications or patient-created health records, the extent to which physicians should permit interfaces between those records and EMRs/EHRs, and the extent to which those lines of communication are sufficiently secure must be explored further.
Electronic records have the potential to improve the management of individual patient care as well as the overall effectiveness of the health care system. While encouraging, the implementation and use of electronic records in medical practice introduce complexity.
Before embarking on the process of converting to electronic records, physicians would be well served to familiarize themselves with applicable legislation, regulatory authority (College) requirements, privacy conventions, regulations and other expectations regarding the use of electronic records. Other critical issues, such as access and security, data integrity, consent and data sharing agreements, should be thoroughly considered and assessed prior to the implementation of electronic records.
There is a patchwork of privacy legislation across Canada. Only some statutes deal directly with personal health information while even fewer specifically regulate the use of electronic records. It is hoped that, with time, a consistent legislative framework will be implemented that applies to all personal health information, regardless of how that information is maintained. The CMPA continues to work with others to address this and other emerging issues. In the interim, physicians should ensure they are aware of the provisions that apply in their jurisdiction.
Members are encouraged to monitor CMPA publications on this topic and to contact the Association should they have any questions or concerns about the adoption and implementation of EMRs or EHRs.
The following is not intended as an exhaustive list, but merely offers some suggestions for further reading for physicians with respect to EMRs/EHRs.
Minimizing medico-legal risk when using technology. CMPA Information Sheet, June 2008, IS0884E
Medico-legal issues arising from new health-care technologies. CMPA Information Sheet, December 2007, IS0777E
Protecting sensitive electronic health information: Think encryption. CMPA Information Sheet, September 2007, IS0771E
How do you protect privacy? CMPA Information Letter, December 2006, Volume 21, No. 4 (Revised April 2008), IL0640E
Safeguarding your patients' privacy when data is stored on computers. CMPA Information Letter, October 2003, Volume 18, No. 3
Using email communication with your patients: legal risks. CMPA Information Letter, March 2005, Volume 20, No. 1
Canada Health Infoway www.infoway-inforoute.ca
Canadian Medical Association www.cma.ca
Canadian EMR www.canadianemr.ca
The College of Family Physicians of Canada http://www.cfpc.ca/
College of Physicians and Surgeons of British Columbia www.cpsbc.ca
British Columbia Medical Association www.bcma.org
Physician Information Technology Office www.pito.bc.ca
Society of General Practitioners of BC www.sgp.bc.ca
Office of the Information and Privacy Commissioner for British Columbia www.oipcbc.org
British Columbia Ministry of Health Services - eHealth www.health.gov.bc.ca/ehealth
College of Physicians and Surgeons of Alberta www.cpsa.ab.ca
Alberta Medical Association www.albertadoctors.org
Physician Office System Program www.posp.ab.ca
Office of the Information and Privacy Commissioner of Alberta www.oipc.ab.ca
Alberta Netcare www.albertanetcare.ca
College of Physicians and Surgeons of Saskatchewan www.quadrant.net/cpss/
Saskatchewan Medical Association Privacy Toolkit www.sma.sk.ca/privacy/
Office of the Saskatchewan Information and Privacy Commissioner www.oipc.sk.ca
Saskatchewan Ministry of Health - Health Information Solutions Centre www.health.gov.sk.ca/health-information-solutions-centre
College of Physicians and Surgeons of Manitoba www.cpsm.mb.ca
Manitoba eHealth www.manitoba-ehealth.ca
Manitoba Ombudsman www.ombudsman.mb.ca
College of Physicians and Surgeons of Ontario www.cpso.on.ca
eHealth Ontario www.ehealthontario.on.ca
Information and Privacy Commissioner of Ontario www.ipc.on.ca
Collège des médecins du Québec www.cmq.org
Dossier de santé www.dossierdesante.gouv.qc.ca
College of Physicians and Surgeons of New Brunswick www.cpsnb.org
College of Physicians and Surgeons of Nova Scotia www.cpsns.ns.ca
Nova Scotia Department of Health - Electronic Medical Records (eResults) www.gov.ns.ca/health/eResults
Prince Edward Island
College of Physicians and Surgeons of Prince Edward Island www.cpspei.ca
Newfoundland & Labrador
College of Physicians and Surgeons of Newfoundland & Labrador www.nmb.ca
Newfoundland & Labrador Centre for Health Information www.nlchi.nl.ca
These learning materials are for general educational purposes only, and are not intended to provide professional or medical or legal advice nor represent a professional or legal “standard of care” for Canadian health care providers. Variations in practice are expected and may be appropriate. These suggestions should not be construed as dictating rules for patient care and communicating with patients. Your use of CMPA learning materials is subject to the foregoing as well as CMPA's complete disclaimer found at www.cmpa-acpm.ca.