Understanding eRecords
EMRs and EHRs — What is the difference?
Electronic medical records (EMRs)
An EMR generally refers to an electronic version of a medical record. The EMR may be a simple office-based system, but is more likely a shared electronic record accessible to those within a group practice, healthcare facility, or a network of health professionals (e.g. treating physicians, other healthcare providers, information managers, etc.).
Electronic health records (EHRs)
An EHR is typically maintained by a hospital, health authority, or provincial health ministry. It generally includes a variety of repositories of patient data, and is usually accessible by several authorized parties from a number of places of care. Physicians generally have less onerous obligations when using an EHR, given that the hospital, health authority, or provincial health ministry is the custodian.
Custodians, information managers, and service providers
Under privacy legislation, individuals and entities that have custody and control of personal health information are ultimately responsible for complying with the legislation. In some jurisdictions these individuals and entities are called custodians. In other jurisdictions the legislation may use the terms trustee or organization. For example, a hospital is the custodian of an EHR used in the institution, and physicians are the custodians of the EMR used in their private practice.
Custodians’ responsibilities generally include collecting, using, or disclosing personal health information only with the consent of the patient, or as required or permitted by law. They must also take reasonable steps to maintain the administrative, technical, and physical safeguards that protect the confidentiality of the information. They are responsible for protecting the information from reasonably anticipated threats to its security or integrity, or from loss, unauthorized access, use, disclosure, or modification.
Custodians may delegate some or all of their duties under privacy legislation to agents or affiliates. For example, when a physician practises within a hospital or clinic, the facility is the custodian of the personal health information. However, typically hospitals and clinics authorize a physician to act on the institution’s behalf for the purposes of assisting it in fulfilling its duties under the applicable privacy statute. If that occurs, a physician will then have similar obligations as the custodian under the applicable privacy legislation.
Irrespective of their role as a custodian or affiliate, physicians have a professional obligation to take reasonable steps to protect the personal health information of patients.
In fulfilling their duties, custodians of eRecords are often assisted by information managers or third-party service providers. A service provider may offer information processing, storage, retrieval, or disposal services; data transformation or information management services; or information technology functions.
Some privacy legislation specifies that when engaging a service provider, a custodian must enter into a written agreement. Despite having such an agreement, the custodian remains ultimately responsible for complying with privacy legislation. As a result, if a service provider contravenes an obligation under privacy legislation, it is usually as if the custodian breached the legislation directly.
Confidentiality and non-disclosure agreements
While physicians have an obligation to ensure that the patient information entrusted to them is kept secure and confidential, physicians’ employees and staff share in the responsibility of meeting this obligation.
The CMPA encourages doctors to have their employees and staff members sign a confidentiality or non-disclosure agreement. It may be beneficial to have the agreement renewed annually. Such agreements help employees and staff understand their obligations, encourage respect for confidential patient information, and provide valuable reassurance to the patient. See the sample Confidentiality/Non-disclosure agreement.