■ Duties and responsibilities:

Expectations of physicians in practice

Who has custody of medical records, and who can they be shared with?

Preserving the security and confidentiality of patient health information

Shelves of medical records

5 minutes

Published: June 2018 /
Revised: June 2022

The information in this article was correct at the time of publishing

Having completed her residency at a Family Medicine Unit (FMU), a family physician sets up a practice at a community walk-in clinic. A patient for whom she provided care during her residency wants to establish a doctor-patient relationship with her at the clinic. Eager to provide continuing care for this patient, the physician wants to obtain the patient’s record from the FMU, but the administrator tells her that the FMU is the custodian of the record and the patient’s authorization is needed to release information in the patient’s record.

This scenario highlights the fact that physicians who are in a hospital or other group practice may not be able to take patient records with them when they leave their current practice arrangement. How, then, can a physician in these circumstances arrange the transfer of patient health information?

Custody of and access to records

The issue of custody and access is more complicated in hospitals, clinics, and healthcare institutions, due to the intermingling of information from various care providers in the medical record. In a solo practice, the issues are more straightforward: the physician is the custodian of the medical record and therefore has control over access to the record, as well as its retention and disposal.

In both practice scenarios—shared and solo practice—the patient has the right to determine who may have access to their health information. Indeed, a patient can place conditions or restrictions on health providers’ access to their information. As a general rule, patients are also entitled to have access to their own medical record unless there are compelling reasons to withhold such access, as outlined in the article "How to manage your medical records: Retention, access, security, storage, disposal, and transfer". The onus is on the custodian to justify withholding access, such as if the custodian believes access is likely to cause a substantial adverse effect on the patient or another person.

Access for quality improvement reviews, teaching, and learning

Institutions typically grant physicians access to patients’ medical records for the purposes of providing clinical care. If physicians wish to access a patient’s information for non-clinical purposes, these physicians should request access from the institution if such access is not already allowed. These purposes can include quality improvement reviews as well as teaching and self-directed learning. If the institution does not allow access to a medical record for a desired purpose, the physician or other care provider may turn to the patient for the necessary consent. Physicians may want to encourage their institution or clinic to develop a privacy policy, if one does not already exist, that clarifies permitted access to patient records for quality improvement purposes, teaching, or for responding to a College or hospital complaint.

Sharing records

With records that are accessible to multiple people, physicians still have an obligation to protect patient information in their custody from being accessed inappropriately. Clarity over control and stewardship of information in a shared practice arrangement can be achieved by entering into a Data Sharing Agreement or Inter-Physician Agreement. The CMPA’s Electronic Records Handbook includes data sharing principles for eRecord agreements, as well as a template agreement that can be used as the basis for developing a data sharing contract with another party (e.g. hospital, health region, or service provider) or with other physicians. Such agreements should include appropriate security protocols to restrict access to the information to those who require it for providing care or for other authorized purposes.

In a practice outside of a hospital, when dealing with a request to provide a patient’s health information—whether from another care provider in the patient’s circle of care, or from the patient—the treating physician should retain the original files and take steps to preserve the confidentiality of patient information. To accommodate such a request, the information may be transferred via a report or letter summarizing the relevant entries in the file. A secure electronic or paper copy of the file can be sent if requested. Physicians should be aware of applicable regulatory authority (College) policies and guidelines, as well as privacy legislation governing the electronic transfer of personal health information.

Who may have access to IME files?

Independent medical examinations (IMEs) provide a physician’s perspective of an individual’s medical needs or condition. The IME file will normally include information from the party that made the request, the notes taken of the IME itself, and possibly information from other sources.

If the examinee asks the physician for access to the IME file, the physician is generally required to provide the individual with that access. The disclosure, however, may be in a redacted format that excludes such items as instructions from the third party that requested the IME (if applicable), and the physician’s observations and thought process concerning the examination. Before providing an examinee with access to IME information, physicians should first consult with the third party that requested the IME, and contact the CMPA, to discuss the facts and circumstances of the case. When physicians provide IMEs in their capacity as employees in an organization, the request for information would typically need to be directed to the organization.

What about fees?

Physicians are expected to charge only nominal fees, and to inform the patient of these fees in advance, to cover overhead costs for retrieving, copying, and sending information in medical records. Physicians may want to contact their regulatory authority (College) or medical association or federation for guidance about the amount that is considered appropriate. Privacy commissioners may also provide such guidance. Physicians should not refuse access to records solely on the basis that the individual making the request has not paid the fee.

What happens to records when leaving a practice?

In a group practice, there should be a clear understanding about who will retain the medical records when a physician leaves the practice. It is possible that the group will undertake retention of the records, especially if patients will continue to be followed by that group. Even after leaving the practice, a physician who created a specific medical record should have access to a copy of the portion of the record that they created; this access should be specified in a Data Sharing Agreement.

Continued access to relevant patient information is important, as the treating physician may still receive requests from patients to obtain their medical records. Physicians may also need the records in the event of medico-legal issues that may arise years later. Once the applicable retention period for a record has expired, the original record should be destroyed in an appropriate manner that ensures the information remains secure. Lastly, the destruction of records should be documented in a logbook listing the records destroyed on a given date.

The bottom line

Physicians in a shared practice can achieve clarity concerning access and stewardship of medical records by entering into a Data Sharing Agreement or Inter-Physician Agreement. In solo practice, physicians should retain patient records for the required retention duration. Any transfer of information to another healthcare provider should be done in a manner that preserves the security and confidentiality of patient health information, and ensures the original records remain intact.

DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.