Contributed by Annelise Harnanan
In an attempt to improve and modernize the state of health care in Canada, many provinces have been investing significant amounts of money and time into the digitization and centralization of health records. In 2013, Quebec introduced an electronic database, called the Québec Health Record, to securely share a patient’s information with their other healthcare providers. The aggregation of patients’ health data on a single electronic database has many advantages. However, the increasing use of Electronic Health Records (EHRs) has caused some concern that the legislative framework surrounding health information privacy might require some adaptations.
The term “Electronic Health Record” has been defined somewhat inconsistently in the literature. Häyrinen, Saranto & Nykänen, basing their definition off of the International Organization for Standardization, have described it as a “repository of patient data in digital form, stored and exchanged securely, and accessible by multiple authorized users”. EHRs bring all of a patient’s health data into one digital location. This information can be accessed by any of that patient’s health care providers when authorized by a patient. Notably, there are other electronic forms of medical information, such as electronic patient information files, which are localised at hospitals and health clinics and are not shared amongst health care providers.
Electronic servers can be used to store digital information || (Source: Flickr // Stefano Petroni )
The Benefits of an Electronic Health Record
The implementation of EHRs has been widely supported and encouraged. Experts claim that such modernization would greatly increase efficiency within the Canadian health care system. A 2002 report compiled by the Commission on the Future of Health Care in Canada contended that EHRs would significantly improve patient treatment.
For example, the existence of an EHR could provide an emergency room doctor with quick and easy access to a patient’s medical information and prescription history which the doctor otherwise may not have had. Additionally, with EHRs, doctors at walk-in clinics can have access to the details of a patient’s medical history. In both cases, patients can receive more personalized care due to the existence of an EHR. Therefore, even when a patient is not being seen by a family doctor who is familiar with their unique health needs, the patient can still receive care tailored to their own health circumstances. This is especially valuable given that in 2016, Statistics Canada reported that 15.8% of Canadians above the age of twelve said they did not have a regular health care provider.
Privacy Breach Risks
A commonly cited concern over the implementation of EHRs in Canada is the risk of privacy breaches. The digitization of health records may bring an ease of access which may not have previously existed when records were in paper form and stored under lock and key. Organisations that have access to electronic health records, which can include the provider of the electronic platform itself, information technology specialists, hospitals, private clinics and sometimes third parties such as provincial Workers’ Compensation Boards, would need to introduce stringent privacy regulations and mechanisms for ensuring only those authorized to view a particular patient’s health data have the ability to do so.
Concerns over the security of private health information under EHR systems are not unfounded. Earlier this year, a lab assistant in Calgary admitted to inappropriately accessing the health records of 11 Albertans. This unauthorized access was discovered during a routine audit of accesses to the EHR system. It appears that the digitization of health records in general can make health information more vulnerable to these privacy breaches.
Nova Scotia, which does not have an EHR system (the province is currently undergoing a bid process to acquire one) has also been the site of some serious privacy breaches. Between 2005 and 2011, a former employee of the Nova Scotia Health Authority (then called Capital District Health Authority) accessed, without authorization, the information of approximately 100 friends and family members. This has resulted in a class action lawsuit with a proposed settlement worth about $400,000. The former employee who committed the breach admitted to doing so simply because it was “so easy”. In a report released last year by the Office of the Information and Privacy Commissioner for Nova Scotia, Privacy Commissioner Catherine Tully recommended that the province’s health authority implement a number of preventative measures, including online privacy training for staff and proactive user audit flags for high profile patient and excessive patient access. The Health Authority has accepted and implemented these recommendations. Nevertheless, some have taken this incident as an indication that the province is not ready to embark on the task of implementing a centralized EHR system.
Mitigating risk – the Legislative Framework
In Canada, there are two levels of privacy legislation, both at the federal level and provincial level. At the federal level, laws relating to privacy rights include The Privacy Act, which governs the way federal government institutions handle personal information, and The Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private-sector organizations use personal information.
The provinces also have their own privacy legislation, and in some provinces this legislation has been deemed “substantially similar” to PIPEDA and must be followed instead. Ontario, Nova Scotia, Newfoundland and New Brunswick have adopted legislation deemed substantively similar to PIPEDA with respect to health information. Because of the complex nature of healthcare provision in Canada, there is some uncertainty over whether provincial or federal legislation would apply in the context of digital health information, EHRs and privacy breaches.
Generally, however, publicly funded hospitals are not regarded as commercial bodies, and their use of personal information is regulated by the provinces and territories. On the other hand, the Office of the Privacy Commissioner of Canada’s website explains, “private health practitioners” and “privately funded long-term care facilities, nursing homes, retirement residences and home care services are generally considered to be conducting commercial activities and therefore… PIPEDA would likely apply to their personal information practices unless substantially similar legislation exists within the province or territory”.
Because personal health information is mostly regulated under these provincial acts, the presence of EHRs and the degree of the law’s protection over the health information contained within them vary across Canada. Québec has had an EHR system for many years, and the province has developed a robust regulatory framework around it. Conversely, as mentioned earlier, Nova Scotia currently has no EHR system. Interestingly, although Ontario has an EHR system, the laws surrounding it, which received royal assent in 2016, have not yet come into force.
Ontario’s Personal Health Information Protection Act (PHIPA) sets out that health information custodians must “take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal”. Additionally, concerns over privacy breaches can be reported to the Information and Privacy Commissioner (IPC) in the form of a complaint, whose office will then investigate the incident and where appropriate, levy a fine against someone who has committed an offence under the act. In 2017, the IPC ordered a social work student to pay $25 000 for accessing information of five individuals without proper authorization.
In 2016, amendments to PHIPA that would regulate EHRs were made under Bill 119. These amendments describe what it means to ‘use’ an Electronic Health Record, create a duty for prescribed organizations to develop and maintain an EHR, and set out the requirements of the EHR. Though these laws are not yet in force, presumably because it would take a great deal of time and resources for hospitals and other prescribed organizations to ensure they have the proper infrastructure to comply with them, the fact that they have been passed indicates that the Ontario government recognizes the growing prevalence of EHRs and the resulting need to legislate in a manner that protects the health information of Canadians.
Nevertheless, given the personal nature of the information that is contained in Electronic Health Records, one might question whether these provincial regulatory frameworks can provide adequate protection. Ontario’s PHIPA, for example, allows for someone whose privacy has been breached to commence a proceeding at a Superior Court for “damages for actual harm that the person suffered as a result of a contravention of this Act or its regulations”. However, some have suggested that with the increased use of EHRs, more safeguards should be put in place. In the Report on the Future of Health in Canada, Commissioner Romanow recommended that privacy breaches of Electronic Health Records should be “treated as an offense under the Criminal Code of Canada”. Indeed, this could ensure more consistent protections against improper access of personal health information throughout the country.
Annelise Harnanan is a Junior Online Editor with the McGill Journal of Law and Health. She is in her first year of the B.C.L./ L.L.B. program at McGill University’s Faculty of Law, and has a keen interest in health policy. She holds a BA with distinction in Political Science from Dalhousie University.