Duties and responsibilities

Expectations of physicians in practice

Who has custody of medical records, and who can they be shared with?

Originally published June 2018
18-14-E

Having completed her residency, a family physician sets up a practice at a walk-in clinic. A patient for whom she provided care during her residency wants to establish a doctor-patient relationship with her at the clinic. Eager to provide continuing care for this patient, the physician wants to obtain the patient’s record from the hospital, but the administrator tells her that the hospital is the custodian of the record and the patient’s authorization is needed to release information in the patient’s record.

This scenario highlights the fact that physicians who are new to practice, or in a hospital or other group practice, may not be able to take patient records with them when they leave their current practice arrangement. How, then, can a physician in these circumstances arrange the transfer of patient health information?

Custody of and access to records

Hospitals, clinics, and healthcare institutions typically maintain patient health information in an electronic medical record (EMR) or electronic health record (EHR) system. This complicates the issue of custody and access, due to the intermingling of information from various care providers. In a solo practice, the issues are more straightforward: the physician is the custodian of the medical record and therefore has control over access to the record, as well as its retention and disposal.

In both practice scenarios—shared and solo practice—the patient has the right to determine who may have access to their health information. Indeed, a patient can place conditions or restrictions on which health providers and others have access to their information. As a general rule, patients are also entitled to have access to their medical record unless there are compelling reasons to withhold such access, as outlined in the article “A matter of records: Retention and transfer of clinical records.” The onus is on the physician to justify withholding access, such as if the physician believes access is likely to cause a substantial adverse effect on the patient or another person.

Sharing records

In the case of shared EMRs and EHRs where information is accessible by a greater number of people, physicians still have an obligation to protect patient information that is in their custody from being accessed inappropriately. Clarity over control and stewardship of information in a shared practice arrangement can be achieved by entering into a Data Sharing Agreement or Inter-Physician Agreement. The CMPA’s Electronic Records Handbook [PDF] a includes data sharing principles for EMR/EHR agreements as well as a template agreement that can be used as the basis for developing a data sharing contract with another party (such as hospital, health region, or service provider) or with other physicians. Such agreements should include appropriate security protocols to restrict access to the information to those who require it for providing care or for other authorized purposes.

In a private practice, when asked to provide a patient’s health information—whether by another care provider in the patient’s circle of care or the patient—the treating physician should retain the original files and take steps to preserve the confidentiality of patient information. To accommodate such a request, the information may be transferred via a report or letter summarizing the relevant entries in the file, or a secure electronic or paper copy of the file can be sent if requested. Physicians should be aware of applicable regulatory authority (College) policies and guidelines as well as privacy legislation governing the electronic transfer of personal health information.

Who may have access to IME files?

Independent medical examinations (IMEs) provide a physician’s perspective of an individual’s medical needs or condition. The IME file will normally include information from the party that made the request, the notes taken of the IME itself, and possibly information from other sources.

If the examinee asks the physician for access to the IME file, the physician may be required to provide the individual with that access. The disclosure, however, may be in a redacted format that excludes such items as instructions from the third party that requested the IME (if applicable), and the physician’s observations and thought process concerning the examination. Before providing an examinee with access to IME information, physicians should first consult with the third party that requested the IME, and contact the CMPA, to discuss the facts and circumstances of the case. When physicians provide IMEs in their capacity as employees in an organization, the request for information would typically need to be directed to the organization.

What about fees?

Physicians are expected to charge only nominal fees, and to inform the patient of these fees in advance, to cover overhead costs for retrieving, copying, and sending information in medical records. Physicians may want to contact their regulatory authority (College) or medical association for guidance about the amount that is considered appropriate. Privacy commissioners may also provide such guidance. Physicians should not refuse access to records solely on the basis that the individual making the request has not paid the fee.

What happens to records when leaving a practice?

In a group practice, there should be a clear understanding about who will retain the medical records when a physician leaves the practice. It is possible the group will undertake retention of the records, especially if patients will continue to be followed by that group. The physician who created a specific medical record should have access to a copy of the portion of the record that he or she created even after leaving the practice; this access should be specified in a Data Sharing Agreement.

Continued access to relevant patient information is important as the treating physician may still receive requests from patients to obtain their medical records. Physicians may also need the records in the event of medical-legal issues that may arise years later. Once the applicable retention period for a record has expired, the original record should be destroyed in an appropriate manner that ensures the information remains secure. Lastly, the destruction of records should be documented in a log book listing the destroyed records on a given date.

The bottom line

Physicians in a shared practice can achieve clarity concerning stewardship of medical records by entering into a Data Sharing Agreement or Inter-Physician Agreement. In solo practice, physicians should retain patient records for the required retention duration. Any transfer of information to another healthcare provider should be done in a manner that preserves the security and confidentiality of patient health information, and ensures the original records remain intact.


DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.