Electronic records handbook

Patient consent and rights to access records

Although consent can usually be implied, in some circumstances it may be prudent to notify patients that their health information will be stored electronically, particularly if stored in a shared EMR or an EHR where a number of people have access.

Disclosure of patient health information

Express consent should be obtained whenever a physician is asked to disclose patient information from an eRecord:

  • to a third party outside of the circle of care, such as an insurer or employer who is not an agent of the physician, or
  • if the information will be used for a purpose other than treating the patient and it is not permitted or required by law.

When appropriate, patient information should be de-identified as much as possible before being used for purposes other than providing healthcare. When personal health information will not be de-identified, express consent is required and it is generally prudent to ask the patient to execute a consent form. If verbal consent is obtained, it should be documented in the patient’s medical record. Regardless of the approach, the patient’s consent should be informed.

Access for quality improvement reviews, teaching, and learning

If physicians wish to access a patient’s information for non-clinical purposes, these physicians should request access from the institution if such access is not already allowed. These purposes can include quality improvement reviews as well as teaching and self-directed learning. If the institution does not allow access to a medical record for a desired purpose, the physician or other care provider may turn to the patient for the necessary consent. Physicians may want to encourage their institution or clinic to develop a privacy policy, if one does not already exist, that clarifies permitted access to patient records for quality improvement purposes, teaching, or for responding to a College or hospital complaint.

Patients seeking to restrict access to their information

Patients may ask that access to their health information in an eRecord be limited, even if it is for healthcare purposes. This can be done through a process called a lockbox or masking. Physicians with EMRs should consider whether their system permits masking, how they will manage requests for a lockbox or masking, and what their obligations are for informing recipients that the health information may be incomplete. If storing patient information in a shared EMR or an EHR, physicians should ask those responsible for the shared system how to handle lockbox or masking requests. Physicians will also want to explain to patients that the masking of some or all personal health information could result in another healthcare professional not being aware of diagnoses, treatments, or laboratory results. These discussions should be fully documented in patients’ records.

In jurisdictions with provincial EHRs, there may be disclosure directive or opt-out processes that permit individuals to control their information. Although the scope and restrictions on the directive or opt-out may vary, they can relate to the type of personal health information contained in the EHR, the purposes for which personal health information may be disclosed from the EHR, and the persons or classes of persons who may access the personal health information in the EHR. When such a disclosure directive or opt-out process exists and is recognized by law, it may restrict a healthcare provider’s access to the information, except in certain circumstances such as incapacitation, in an emergency, or with the person’s express consent.

Patients’ access to their own health information

Patients generally have a right to access their own health information. As a result, physicians must have a way to give patients access to their health information that is stored in an eRecord, and the information must be provided in a format that patients can understand. Physicians may charge a reasonable fee for providing copies of records to patients.

Despite this obligation, there are limited circumstances where a physician can deny an individual’s request for access, including when disclosure may present a risk of harm to the individual or reveal personal health information about a third party. In these exceptional circumstances, it is usually possible to segregate the specified information and grant the patient access to the rest of the record.

Physicians may wish to consult with their system vendor for information on how to segregate records in this manner. Contact the CMPA for advice on responding to access requests in these circumstances.