Ontario Introduces new Legislation to Govern Electronic Health Records

Posted By Laura Crestohl – Oct. 28, 2013

This summer, the Ontario government introduced the Electronic Personal Health Information Protection Act (“EPHIPA”), which will amend the Personal Health Information Protection Act (“PHIPA”) to deal with the introduction of electronic health records (“EHRs”). The aim of the Bill is to regulate the privacy of individuals and their rights to their personal information in light of the specific concerns that surround EHRs. The bill went through its second reading and debate on October 10th, 2013.

The amendments govern the use, collection and disclosure of EHRs, and propose:

  1. the creation of “prescribed organizations” to create and maintain EHRs
  2. allowing patients to create consent directives
  3. giving patients the right to access their records
  4. allowing patients the right to request a correction of their records
  5. giving patients the right to know who accessed their records
  6. allowing patients to lodge complaints
  7. limiting the sharing of EHRs
  8. the creation of harsher sanctions for persons or organizations who breach the Act,
  9. the creation of an independent advisory to advise the Ministry of Health and Long-Term Care (“the Ministry”) on policies regarding electronic health records.
Under PHIPA, only “health information custodians”, such as health care practitioners, long-term care homes, retirement homes, pharmacies and ambulance services, are allowed to collect individual’s health information. The new legislation will allow a new class of organizations, known as “prescribed organizations”, to collect and manage the information found in electronic health records. These organizations would have to be transparent about how they deal with and protect personal information.

EPHIPA would give individuals more control over the use, collection and disclosure of their personal health information. The bill would allow patients to create “consent directives” over who can, and who cannot, access or use their personal health information. These directives could be modified at any time, and can be overridden, if the patient gives consent, or in certain situations where a prescribed organization reasonably believes that collection would reduce or eliminate a risk of serious injury. Thus, in most circumstances, EPHIPA would have the effect of giving the patient more agency in controlling how their personal information is collected, used and disclosed by different health organizations.

The response to the proposed legislation has generally been positive. Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, commended the bill’s amendments to PHIPA. Commissioner Cavoukian stated:

These amendments are necessary to foster public trust and confidence, as the health sector transitions from paper-based records to electronic health records… I will continue to work closely with the Government and the health care sector to ensure a smooth and seamless transition into the digital era, while strongly protecting the privacy of Ontarians and the confidentiality of their personal health information.

As well, Megan Brister and Michelle Gordon of the International Association of Privacy Professionals claim that although EPHIPA formalizes many of the leading practices in the industry, organizations should consider the legislation while developing policies and practices related to EHRs, as to avoid costly rework if the legislation becomes law.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s