Appendix B: Data Sharing Principles for Electronic Medical Record/Electronic Health Record Agreements
This document provides some interim guidance on the main principles that should be addressed when a physician is entering into an agreement for an electronic medical record (EMR) or an electronic health record (EHR) system. An EMR or EHR system typically involves a single, centralized electronic repository of medical records where access to and use of patient health information is based on a set of predefined access rights. Each provider of healthcare services, or custodian, has access to portions, or all, of the medical record to support the delivery of care to the patient.
This document recognizes that the principles applicable to data sharing may arise in many types of agreements relating to the implementation of an EMR or EHR system. For example, the data sharing principles may be applicable when physicians are creating an EMR for a group practice, when physicians are negotiating with a health authority for the creation of a region-wide EHR, and when physicians are negotiating with a service provider for the creation of an EMR (e.g. hardware, software, or hosting services). The document is intended to provide relevant principles to data sharing in multiple contexts, regardless of the type of contract that is being considered.
The principles set out in this document are not exhaustive and this document is not intended to provide any conclusions with respect to the potential risks or benefits of participation in an EMR or EHR system. Physicians will want to assess the risks and benefits in the context of their individual circumstances. As the custodians of very sensitive information, physicians need to carefully consider the extent to which patient information will be disclosed in an EMR or EHR system. When that sensitive information is shared in an EMR or EHR, it is imperative that there be an agreement that governs who is accountable for maintaining the security and privacy of the information. A physician should also consider how patient consent will be obtained for the use and disclosure of health information through an EMR or EHR.
This document is for informational and reference purposes only and should not be construed as legal or financial advice, nor is it a substitute for legal or other professional advice. All agreements should be reviewed by the physician’s own legal counsel and other professional advisers.
While the CMPA/CMA Data Sharing Principles are intended to provide guidance to physicians, the CMPA is hopeful they will assist all participants in addressing data stewardship issues associated with complex EMR or EHR systems.
This document recognizes that in implementing an EMR or EHR system there may be any number of different contracting scenarios and structures. While it is not possible to consider all potential arrangements, the principles set out in this document are intended to apply regardless of the particular contracting arrangement or structure.
1. Physicians, groups of physicians, and physician organizations
Physicians may organize themselves in a number of different ways when contracting for an EMR or EHR system. These include:
1.1 an individual physician (a “sole practitioner”) acting on his or her own behalf
1.2 an unincorporated group of physicians (a “group of physicians”) which may include:
- a shared call group
- a clinic with shared records
- a family health team or family health network
1.3 a physician organization, (a “physician organization”) which may be a corporation or which may be a partnership
2. Service providers, health regions, and hospitals
The parties with whom any of the above may contract for purposes of an EMR or EHR system may include:
2.1 a vendor or other service provider (e.g. software, hardware, ASP, hosting) (“service provider”)
2.2 a provincial government agency or organization such as a regional health authority or local health integration network or ministry (“health region”)
2.3 a hospital (“hospital”)
3. The contracts
The principles set out in this document need to be reflected in the following agreements:
3.1 Data sharing agreement — In this form of agreement, a sole practitioner, group of physicians or physician organization on the one hand, will be contracting with a service provider, health region, or hospital, on the other hand.
3.2 Inter-physician agreement — In this form of agreement, a physician will be contracting with other physicians. This may include an agreement between members of a group of physicians or as part of a physician organization. The agreement may deal with how an EMR in which the physicians are participating will be managed. Alternatively, these principles may be incorporated into a larger agreement that governs other issues with respect to the management of the group practice, clinic, or other organization (e.g. partnership agreement, shareholder agreement).
This document provides an overview of the following principles that should be considered in a Data Sharing Agreement or Inter-Physician Agreement:
1. Ownership of data/data stewardship
1.1 What it is:
For many years, the courts have recognized that the physician, institution, or clinic compiling the medical records also owns the physical medical records (McInerney v. MacDonald, 1992). The owner of medical records has traditionally controlled issues relating to access and record retention. In the context of an EMR or EHR there is an intermingling of data from various sources which complicates the issue of ownership, as well as access and record retention. The Data Sharing Agreement may also address the ownership of the intellectual property rights in the EMR or EHR system.
1.2 Why it is important:
The historical approach to medical record ownership is being outpaced by EMR and EHR solutions that extend beyond the traditional model of a medical record under the custody and control of a single physician or group practice. The EMR and EHR are characterized by a sharing of custody of the information within the record based on the origin of the information item where the traditional concept of ownership is difficult to apply.
While the Data Sharing Agreement may also address the ownership of the records, the primary focus should be on ensuring that physicians have appropriate access to the personal health information, and that physicians have the ability to provide their patients with access to their medical record.
Any provisions in a Data Sharing Agreement or Inter-Physician Agreement with respect to ownership of data should expressly provide that it does not prevent or interfere with a physician’s ability to:
- comply with the physician’s obligations regarding medical records
- access such records as otherwise set out herein
- transition the data to another service provider in the event of the termination of the data sharing agreement.
It is possible that the EMR and EHR could be considered assets that could be encumbered by its owner by way, for example, of a security interest in favour of third parties. The Service Provider, Health Region, or Hospital should be obligated to ensure the physician can continue to comply with his/her obligations and entitlements above, regardless of any encumbrances that may be asserted over the EMR/EHR system by other third parties.
2. Confidentiality and privacy
2.1 What it is:
Physicians have an ethical duty of confidentiality to their patients. In most jurisdictions, physicians and other custodians of personal information and personal health information are also bound by obligations imposed by privacy legislation.
Whether through privacy legislation, or the common or civil law, patients generally have a right of access to their personal health information and a right to ensure their information remains confidential.
2.2 Why it is important:
When personal health information is stored in an EMR/EHR, it is accessible by a greater number of people, in addition to the physician who contributed the personal health information to the EMR/EHR. In accordance with the duty of confidentiality and/or requirements of applicable privacy legislation, physicians may have an obligation to control who has access to the personal health information they contribute to the EMR/EHR.
Physicians may have an obligation to ensure patients can access their medical records.
The Data Sharing Agreement and any Inter-Physician Agreement should permit physicians to comply with relevant privacy legislation, the common law and the civil law, and provincial/territorial regulatory authority (College) policies that govern the confidentiality of patient information to ensure such an agreement reflects and protects the physician’s obligations under binding policies and the law.
The Data Sharing Agreement should contemplate what patient information can be collected, used, and disclosed on the basis of implied consent. Where the applicable privacy legislation requires explicit consent for use or disclosure, this should be addressed in the Data Sharing Agreement. Similarly, the Data Sharing Agreement should contemplate where patient information can be collected, used, or disclosed without patient consent. Collection, use, or disclosure that is not permitted by the legislation should be prohibited by the Data Sharing Agreement.
The Data Sharing Agreement and any Inter Physician Agreement should not generally impose restrictions on a physician’s ability to fulfill his or her legal obligations under applicable law to report confidential information such as the duty to report child abuse, the duty to report fitness to drive, and other applicable duties.
The Data Sharing Agreement and any Inter Physician Agreement should contemplate how patient access to personal health information will be provided.
3. Security and access to the EMR/EHR
3.1 What it is:
Most privacy statutes require custodians of personal health information to take all precautions to minimize the risk of loss, theft, or unauthorized access to health information. Such requirements are consistent with a physician’s duty of confidentiality. In some jurisdictions, where a security breach occurs, physicians may have an obligation to notify their patients.
3.2 Why it is important:
The physician will need to comply with all applicable legal and ethical obligations relating to the security of personal health information maintained within the EMR/EHR.
The Data Sharing Agreement should contemplate appropriate security protocols to provide access to those who require it for patient care or other purposes authorized by privacy legislation.
The Data Sharing Agreement should contemplate mechanisms for ensuring the information will not be accessed by unauthorized persons or for unauthorized purposes. Where a security breach occurs, physicians should be notified. The Data Sharing Agreement should address how notification of patients will be accomplished, where required.
If applicable law requires that patients have the right to restrict access to their personal health information available through an EMR/EHR system then the Data Sharing Agreement will need to address how these restrictions are implemented.
4. Accuracy and data quality
4.1 What it is:
In a traditional paper medical record, the physician and his/her staff may have been the only professionals who relied upon the information maintained in his/her medical record. Whereas in an EMR/EHR, multiple health professionals may rely upon information that is maintained in the EMR/EHR. These health professionals may provide care to the patient without consulting with the physician who contributed the information to the EMR/ EHR, upon which they intend to rely. Further, most privacy statutes require custodians to maintain information that is accurate.
4.2 Why it is important:
In delivering care to patients, healthcare providers need to rely upon information maintained in the EMR/EHR. The importance of accuracy is increased where the healthcare providers relying upon the information in the EMR/EHR may not necessarily consult with each other on a regular basis, if at all.
The Data Sharing Agreement should contemplate mechanisms to ensure the accuracy and currency of the data maintained in the EMR/EHR. This should include mechanisms to make amendments in accordance with applicable requirements, and should include a system to notify users of previously accessed erroneous or outdated information.
5. Record maintenance requirements
5.1 What it is:
Most jurisdictions have regulatory or legislative requirements governing the creation, retention, and destruction of medical records. In some jurisdictions, specific requirements apply to electronic medical records. Medical records also provide evidence of the care that has been provided to the patient.
5.2 Why it is important:
Physicians are required to comply with relevant privacy legislation, common law or civil law, and legislation or provincial/territorial regulatory authority (College) policies that govern the creation, maintenance, and destruction of medical records.
Physicians should have access to the EMR/EHR for the required retention period specified by the College or through regulations. While the retention periods vary by jurisdiction, the CMPA recommends that physicians maintain clinical records for at least 10 years from the date of the last entry or for at least 10 years from the age of majority in the case of minors. For obstetrical care, the CMPA recommends that maternal records (e.g. prenatal and labour and delivery records) be maintained for at least 10 years from the time the infant reaches or would have reached the age of majority. The CMPA’s recommendation is the same or longer than the requirement in most jurisdictions. However, in Ontario, the College recommends physicians maintain clinical records for at least 15 years.
The Data Sharing Agreement should permit physicians to comply with applicable law as it relates to the creation, maintenance, and destruction of medical records.
The Data Sharing Agreement should not limit, restrict, or interfere with a physician’s ability to seek medical-legal advice from the CMPA and/or legal counsel.
In the event that a physician becomes involved in a medical-legal matter, the physician will want to ensure that he or she has a record of the care provided to the patient. Documents should generally be created, maintained, or retained with a view to satisfying court requirements regarding the integrity of the document and the process by which the record was created. The records should be maintained for a period that is consistent with record retention requirements and the records should be available to the physician in the event of a medical-legal matter. The Data Sharing Agreement should also address the destruction of records upon the expiration of the retention period. The Data Sharing Agreement should ensure when records are required to be destroyed, they are destroyed in the appropriate manner (e.g., physical destruction of hard drives, backup tapes).
The Data Sharing Agreement should contemplate what information will be included in the EMR/EHR in order that the content and form of the data complies with any applicable electronic record maintenance requirements.
6. Quality assurance
6.1 What it is:
Quality assurance committee records are those records prepared by a hospital committee for the purpose of reviewing adverse events and evaluating the effectiveness of a hospital’s practices and procedures.
6.2 Why it is important:
It is generally accepted that in order for quality assurance programs to be successful and effective, physicians and other participants should seek satisfactory assurances that the committee’s records will not be used outside of the quality assurance process. The public policy objective of encouraging healthcare practitioners to participate in quality assurance processes is reflected in legislation that protects quality assurance records from being disclosed in legal proceedings. Such legislation has now been enacted in all Canadian jurisdictions.
The Data Sharing Agreement should contemplate how quality assurance records will be segregated from other records in order to ensure the legislative protection from disclosure is available.
7. Services and functionality
7.1 What it is:
There is substantial effort required to procure, operate, and support the EMR/EHR system and the associated technical infrastructure. The scope of the services provided by the Service Provider, Health Region, or Hospital as part of the EMR/EHR system needs to be documented in the Data Sharing Agreement.
7.2 Why it is important:
There needs to be a legally binding agreement with respect to the scope of the services to be provided so that the Service Provider, Health Region, or Hospital, as the case may be, can be held accountable for performance of the agreement. Due diligence will be required in selecting a Service Provider to ensure the Service Provider is reputable and knowledgeable.
The Data Sharing Agreement should address: (a) details of the service offering; (b) functionality of the service; (c) documentation; (d) roles and responsibilities of the parties to the agreement; (e) financial terms; (f) vendor ownership; (g) transition into and out of the EMR/EHR system; (h) performance expectations; (i) service levels; (j) consequences of failure to meet service levels; (k) support and maintenance obligations; (l) system security; (m) server location; (n) reporting; (o) data backups; (p) disaster recovery; (q) hardware requirements; and (r) software requirements.
The Data Sharing Agreement should also contemplate how the physician, Group of Physicians or Physician Organization can terminate the agreement and transition to another service provider (including transition of the EMR/EHR data) in the event that they are not satisfied with the service being received. Continuity and quality of care would need to be maintained throughout any such transition period.
8. Termination and the continuity of operation of the electronic medical system
8.1 What it is:
A Data Sharing Agreement may typically be terminated by mutual agreement of the parties or by one party in connection with a breach of the agreement or insolvency of the other party. Additionally, a Group of Physicians may disband or a Physician Organization may be dissolved.
8.2 Why it is important:
Continued access to the information in the EMR/EHR is required in accordance with the physician’s record retention obligations as described above.
The Data Sharing Agreement and any Inter Physician Agreement needs to provide for the continuation of the operation of the EMR/EHR system or alternatively needs to specify what happens to the EMR/EHR records on termination of the Data Sharing Agreement or the withdrawal of a physician from a Group of Physicians or Physician Organization.
As further explained below, the agreements should contemplate maintenance of the EMRs in original form following termination, as well as continued access to the records by the physician and possible removal of the EMRs from the system. This may include the copying of medical records for any patient to whom the physician provided care, the de-commissioning of the technical solution, the access to and eventual archiving of medical records and reporting to patients and other necessary bodies on the handling of the medical record as a result of the termination. The Agreement should address departure, termination, and death. The physician will want to ensure that his or her former group practice colleagues will properly maintain the original medical records and that the physician will continue to have access to these records and the corresponding audit trail.
The physician will want assurances the physicians who continue to have custody of the EMR/EHR will take all reasonable steps to prevent the information from being lost, stolen, or inappropriately accessed. The physician will also want to ensure the original records are destroyed when the applicable retention period has expired.
9. Termination for convenience
9.1 What it is:
A termination for convenience clause permits a party to an agreement to terminate the agreement without cause by providing notice to the other party.
9.2 Why it is important:
There are many reasons why a physician may need to terminate his or her participation in an EMR/EHR system under a Data Sharing Agreement or Inter-Physician Agreement. These may include the physician leaving the jurisdiction or ceasing to practise medicine as a result of disability, death, or other circumstances.
In addition to the right to terminate the Data Sharing Agreement for breach or insolvency of the other party, a physician should ensure that the Data Sharing Agreement and Inter-Physician Agreement provides the physician with the right to terminate the physician’s participation in the EMR/EHR system without cause by providing written notice to the Physician Organization, Group of Physicians, Service Provider, Health Region, Hospital or other party as applicable.
The Data Sharing Agreement should make clear that certain provisions of the agreement affecting the terminating physician, such as indemnities and confidentiality obligations, survive termination, and that such termination does not affect the rights and obligations applicable to any other non-terminating parties.
10.1 What it is:
An indemnity is intended to allocate to a contracting party risk and responsibility under an agreement and typically requires a party to contractually assume certain liability either (i) for matters that are the responsibility of such party; or (ii) in connection with that party’s breach, negligence, or other misconduct.
10.2 Why it is important:
Liability may arise in a number of scenarios in connection with an EMR/EHR system in the context of a Data Sharing Agreement. For example and without limitation: (i) an EMR/EHR system may go down and a physician may be deprived of access to the information needed to treat patients; (ii) patient information may be improperly disclosed to or accessed by a third party; or (iii) an EMR/EHR system may contain inaccurate information that might be unknowingly relied upon by a physician or other healthcare provider providing care. Absent an indemnity in favour of the physician dealing with these issues, it is not clear how liability would be apportioned for harm caused to a patient arising from these scenarios.
In the context of a Data Sharing Agreement, a physician may be asked to give an indemnity in favour of a Group of Physicians, Physician Organization, Service Provider, Health Region, or Hospital, for example, in connection with that physician: (i) making inappropriate disclosure of, or permitting unauthorized access to patient information; or (ii) submitting incorrect patient information into an EMR/EHR.
It is important to note the party giving an indemnity is typically liable for a broader range of damages under the indemnity than would be the case if the party merely breached a contract.
Generally speaking, when considering providing an indemnity and its scope, a party should be liable for those acts for which he or she would be responsible at law, which usually amounts to those acts or omissions over which the party has control.
Please note that an individual physician may remain ultimately responsible to a patient notwithstanding the physician’s participation in a Group of Physicians or Physician Organization and consequently the indemnities referred to above would need to appear in the Data Sharing Agreement between the Physician Organization and the Service Provider, Health Region, or Hospital, for example, whereby one or both indemnifies the individual physician who is not otherwise a party to the Data Sharing Agreement. An indemnity does not relieve the physician of liability if a patient is harmed due to inaccessible or incorrect data. However, in the event of such harm and where the patient brings a claim against the physician, the clause will permit the physician to look to the other party for indemnification of the damages.
- A physician should seek to be indemnified in connection with: (i) any improper disclosure or personal use of health information by a Physician Organization, Group of Physicians, Service Provider, Health Region, Hospital or other party to the Data Sharing Agreement or Inter-Physician Agreement; and (ii) a failure of an EMR/EHR system that results in harm to a patient.
- Any indemnities granted by a physician or by a Group of Physicians or Physician Organization should be limited to liability resulting from those acts over which the physician, Group of Physicians, or Physician Organization (or those for whom they are responsible at law) have control. Any indemnification provision should provide for some mechanism of notification of the right of each party to retain its own counsel, and should provide the party granting the indemnity with the opportunity to approve any settlement. When granting an indemnity, the physician should be mindful that the CMPA does not consider itself bound by indemnities given by members to third parties. However, where an indemnity in favour of a third party specifically relates to the practice of medicine and the direct provision of patient care by the member, the member may be eligible for assistance from the CMPA with respect to the member’s actions. The CMPA will not necessarily assist members with respect to promises of indemnification for administrative or non-medical care acts or omissions, which the physician may assume as an obligation under a Data Sharing Agreement or Inter-Physician Agreement.
Where multiple health professionals are parties to the Data Sharing Agreement, it may be advisable to seek indemnification from each of the professionals. Any indemnity given by a physician or given by another for the benefit of the physician should always be reviewed by legal counsel for the physician. Particular consideration should be given to an indemnification that is made by a physician organization, which may create a joint and several contractual obligation on the part of all physicians in the organization. It will be necessary for the legal counsel to review the clause together with the entire contract.
11. Limitation of liability
11.1 What it is:
A party to a Data Sharing Agreement or Inter-Physician Agreement may seek to limit its liability for damages in connection with the agreement by including a limitation of liability clause. These clauses typically purport to limit liability to direct damages and exclude entirely certain other types of damages such as indirect, consequential, special, and punitive damages.
11.2 Why it is important:
From the perspective of a physician considering participation in an EMR/EHR system, both the nature of the potential risks and the scale of exposure associated with such participation are not entirely clear. For example, there is some uncertainty with respect to what damages might be claimed in connection with either an improper release of personal health information or the use of incorrect personal health information. Additionally, as noted above, software or hardware malfunctions resulting in “down time” for an EMR/EHR system could also give rise to liability.
A limitation of liability clause in favour of a Service Provider, Health Region, or Hospital might limit the rights of a physician, Group of Physicians, or Physician Organization to claim damages arising from a breach of the Data Sharing Agreement by the other party or the other party’s negligence. The clause may also restrict the physician’s ability to claim damages resulting from a claim brought by a third party against the physician, Group of Physicians, or Physician Organization, as a consequence of an act or omission of the other party to the Data Sharing Agreement.
- A physician should not permit any other party to the Data Sharing Agreement to limit or exclude their liability for any acts or omissions that could result in liability to a patient or some other third party. For example, where possible, a physician should not permit a Service Provider, Health Region, or Hospital to limit their liability in connection with the improper disclosure or use by the Service Provider, Health Region, or Hospital of personal health information.
- The physician should try to include a limitation of liability clause in his or her favour with a view to limiting the physician’s potential liability in connection with the physician’s breach of the Data Sharing Agreement or the physician’s negligence in connection with the Data Sharing Agreement. As a general statement, it is typically difficult to extract a one-way limitation of liability clause in a contract unless the party getting the benefit of that clause has substantially greater bargaining power. It is more realistic that if a physician requests a limitation of liability clause in his or her favour, the other party will insist upon similar protection.
- Any limitation of liability provision should be reviewed by legal counsel for the physician. It will be necessary for legal counsel to review the clause together with the entire contract.
12. Representations and warranties
12.1 What it is:
A representation is a statement of fact (present or past) and a warranty is a promise that a particular fact is true. In the context of a Data Sharing Agreement, a party may give various representations and warranties, which may relate to the accuracy of personal health information contributed to an EMR/EHR system, how patient consent is obtained, and/or compliance with applicable law.
12.2 Why it is important:
A party will be liable to other contracting parties if he/she makes a representation and warranty that is not accurate or that is not fulfilled.
- A physician should seek representations and warranties from other parties to an agreement as to: (i) their existence, status, and authority to enter into the agreement, (ii) the enforceability of the agreement, (iii) the fact that the entering into and performance of the agreement does not contravene any laws, constating documents, or any agreements to which they are a party, and (iv) other matters specific to the subject matter of the agreement.
- A physician should seek representations that the service provider will not infringe any third party intellectual property rights.
- A physician should not give any representations or warranties with respect to matters over which the physician does not have control or in respect of which the physician does not have knowledge. The physician should ensure that any representation or warranty given by the physician is true and correct. To the extent that a physician gives representations and warranties they should, where possible, be limited to the knowledge of the physician, should be qualified by a concept of materiality and should have a finite survival period.
- Any representations and warranties given by a physician should be reviewed by legal counsel for the physician, together with the entire contract.
13. Dispute resolution
13.1 What it is:
A Data Sharing Agreement or Inter Physician Agreement may include a dispute resolution and/or arbitration provision to provide a process for the resolution and settlement of disputes arising under the agreement as an alternative to court proceedings.
13.2 Why it is important:
Alternative dispute resolution and/or arbitration can be advantageous in that it is generally less expensive, can be more efficient, and is more private than court proceedings.
- The dispute resolution and/or arbitration clause should not preclude assistance from the CMPA or the physician’s personal legal counsel to ensure that the physician’s interests are adequately represented should a dispute arise.
- The dispute resolution and/or arbitration clause should not preclude the physician from seeking injunctive relief from a court where there is risk of immediate or continuing harm.
14. Governing law/forum
14.1 What it is:
Parties to an agreement may specify their choice of law which is to be applied in interpreting and enforcing the agreement. The parties may also specify the forum or location where any dispute is to be heard.
14.2 Why it is important:
Where there is no choice of law or forum set out in the Data Sharing Agreement, then the court where an action is commenced may assume or decline jurisdiction. The physician, Group of Physicians, or Physician Organization may be required to resolve a dispute in a location that is more convenient and more favourable to the Ministry, Service Provider, Health Region, or Hospital that commenced or is responding to the action.
Any Data Sharing Agreement should include a governing law clause that provides that the governing law and forum is stipulated to be the Canadian province or territory in which the physician practises and that any proceedings take place in a location that is convenient for the physician.
15.1 What it is:
There will be costs associated with the operation, maintenance, and support of an EMR/EHR system.
15.2 Why it is important:
The costs associated with the operation, maintenance, and support of an EMR/EHR system will be significant.
The funding and support infrastructure for physicians for the EMR/EHR system should meet the needs of physicians. Where physicians are considering the creation of a corporation or partnership for the purposes of the EMR/EHR system, it may be prudent to consult with a tax professional to ensure the corporation/ partnership is structured to the advantage of the physicians involved.