Electronic Health Records: a Glimpse Into the Legal Framework

Contributed by Annelise Harnanan 


In an attempt to improve and modernize the state of health care in Canada, many provinces have been investing significant amounts of money and time into the digitization and centralization of health records. In 2013, Quebec introduced an electronic database, called the Québec Health Record, to securely share a patient’s information with their other healthcare providers. The aggregation of patients’ health data on a single electronic database has many advantages. However, the increasing use of Electronic Health Records (EHRs) has caused some concern that the legislative framework surrounding health information privacy might require some adaptations.

The term “Electronic Health Record” has been defined somewhat inconsistently in the literature. Häyrinen, Saranto & Nykänen, basing their definition off of the International Organization for Standardization, have described it as a “repository of patient data in digital form, stored and exchanged securely, and accessible by multiple authorized users”. EHRs bring all of a patient’s health data into one digital location. This information can be accessed by any of that patient’s health care providers when authorized by a patient. Notably, there are other electronic forms of medical information, such as electronic patient information files, which are localised at hospitals and health clinics and are not shared amongst health care providers.

2472281967_73772b6c43_o Electronic servers can be used to store digital information || (Source: Flickr // Stefano Petroni )

The Benefits of an Electronic Health Record

The implementation of EHRs has been widely supported and encouraged. Experts claim that such modernization would greatly increase efficiency within the Canadian health care system. A 2002 report compiled by the Commission on the Future of Health Care in Canada contended that EHRs would significantly improve patient treatment.

For example, the existence of an EHR could provide an emergency room doctor with quick and easy access to a patient’s medical information and prescription history which the doctor otherwise may not have had. Additionally, with EHRs, doctors at walk-in clinics can have access to the details of a patient’s medical history. In both cases, patients can receive more personalized care due to the existence of an EHR. Therefore, even when a patient is not being seen by a family doctor who is familiar with their unique health needs, the patient can still receive care tailored to their own health circumstances. This is especially valuable given that in 2016, Statistics Canada reported that 15.8% of Canadians above the age of twelve said they did not have a regular health care provider.

Privacy Breach Risks

A commonly cited concern over the implementation of EHRs in Canada is the risk of privacy breaches. The digitization of health records may bring an ease of access which may not have previously existed when records were in paper form and stored under lock and key. Organisations that have access to electronic health records, which can include the provider of the electronic platform itself, information technology specialists, hospitals, private clinics and sometimes third parties such as provincial Workers’ Compensation Boards, would need to introduce stringent privacy regulations and mechanisms for ensuring only those authorized to view a particular patient’s health data have the ability to do so.

Concerns over the security of private health information under EHR systems are not unfounded. Earlier this year, a lab assistant in Calgary admitted to inappropriately accessing the health records of 11 Albertans. This unauthorized access was discovered during a routine audit of accesses to the EHR system. It appears that the digitization of health records in general can make health information more vulnerable to these privacy breaches.

Nova Scotia, which does not have an EHR system (the province is currently undergoing a bid process to acquire one) has also been the site of some serious privacy breaches. Between 2005 and 2011, a former employee of the Nova Scotia Health Authority (then called Capital District Health Authority) accessed, without authorization, the information of approximately 100 friends and family members. This has resulted in a class action lawsuit with a proposed settlement worth about $400,000. The former employee who committed the breach admitted to doing so simply because it was “so easy”. In a report released last year by the Office of the Information and Privacy Commissioner for Nova Scotia, Privacy Commissioner Catherine Tully recommended that the province’s health authority implement a number of preventative measures, including online privacy training for staff and proactive user audit flags for high profile patient and excessive patient access. The Health Authority has accepted and implemented these recommendations. Nevertheless, some have taken this incident as an indication that the province is not ready to embark on the task of implementing a centralized EHR system.

Mitigating risk – the Legislative Framework

In Canada, there are two levels of privacy legislation, both at the federal level and provincial level. At the federal level, laws relating to privacy rights include The Privacy Act, which governs the way federal government institutions handle personal information, and The Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private-sector organizations use personal information.

The provinces also have their own privacy legislation, and in some provinces this legislation has been deemed “substantially similar” to PIPEDA and must be followed instead. Ontario, Nova Scotia, Newfoundland and New Brunswick have adopted legislation deemed substantively similar to PIPEDA with respect to health information. Because of the complex nature of healthcare provision in Canada, there is some uncertainty over whether provincial or federal legislation would apply in the context of digital health information, EHRs and privacy breaches.

Generally, however, publicly funded hospitals are not regarded as commercial bodies, and their use of personal information is regulated by the provinces and territories. On the other hand, the Office of the Privacy Commissioner of Canada’s website explains, “private health practitioners” and “privately funded long-term care facilities, nursing homes, retirement residences and home care services are generally considered to be conducting commercial activities and therefore… PIPEDA would likely apply to their personal information practices unless substantially similar legislation exists within the province or territory”.

Because personal health information is mostly regulated under these provincial acts, the presence of EHRs and the degree of the law’s protection over the health information contained within them vary across Canada. Québec has had an EHR system for many years, and the province has developed a robust regulatory framework around it. Conversely, as mentioned earlier, Nova Scotia currently has no EHR system. Interestingly, although Ontario has an EHR system, the laws surrounding it, which received royal assent in 2016, have not yet come into force.

Ontario’s Personal Health Information Protection Act (PHIPA) sets out that health information custodians must “take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal”. Additionally, concerns over privacy breaches can be reported to the Information and Privacy Commissioner (IPC) in the form of a complaint, whose office will then investigate the incident and where appropriate, levy a fine against someone who has committed an offence under the act. In 2017, the IPC ordered a social work student to pay $25 000 for accessing information of five individuals without proper authorization.

In 2016, amendments to PHIPA that would regulate EHRs were made under Bill 119. These amendments describe what it means to ‘use’ an Electronic Health Record, create a duty for prescribed organizations to develop and maintain an EHR, and set out the requirements of the EHR. Though these laws are not yet in force, presumably because it would take a great deal of time and resources for hospitals and other prescribed organizations to ensure they have the proper infrastructure to comply with them, the fact that they have been passed indicates that the Ontario government recognizes the growing prevalence of EHRs and the resulting need to legislate in a manner that protects the health information of Canadians.

Nevertheless, given the personal nature of the information that is contained in Electronic Health Records, one might question whether these provincial regulatory frameworks can provide adequate protection. Ontario’s PHIPA, for example, allows for someone whose privacy has been breached to commence a proceeding at a Superior Court for “damages for actual harm that the person suffered as a result of a contravention of this Act or its regulations”. However, some have suggested that with the increased use of EHRs, more safeguards should be put in place. In the Report on the Future of Health in Canada, Commissioner Romanow recommended that privacy breaches of Electronic Health Records should be “treated as an offense under the Criminal Code of Canada”. Indeed, this could ensure more consistent protections against improper access of personal health information throughout the country.

Annelise Harnanan is a Junior Online Editor with the McGill Journal of Law and Health. She is in her first year of the B.C.L./ L.L.B. program at McGill University’s Faculty of Law, and has a keen interest in health policy. She holds a BA with distinction in Political Science from Dalhousie University.

The Criminalization of HIV Non-Disclosure: A Closer Look at the Duty to Disclose

Contributed by: Annelise Harnanan

A Closer Look at the Duty to Disclose

In Canada, failing to disclose a positive HIV status may lead to charges for various offences – most notably aggravated sexual assault and aggravated assault. Two landmark Supreme Court of Canada cases have described the circumstances under which an individual with HIV may be prosecuted for not disclosing their status: R v Cuerrier and R v Mabior. However, the criminalization of non-disclosure of HIV status has been widely criticized by experts in various fields, such as the domains of science and public health.

9129338065_9e9d4cfe2b_o A model of the HIV virus || (Source: Flickr // James H. )

The Law

The Criminal Code does not contain any offences specifically related to HIV or other sexually transmitted infections. However, in the late 1990s, the police started to lay criminal charges related to HIV exposure. In R v Cuerrier, Cuerrier was charged with two counts of aggravated assault under s. 268 of the Criminal Code which states that “Every one commits an aggravated assault who wounds, maims, disfigures or endangers the life of the complainant.” Cuerrier, who was HIV-positive, had unprotected sexual relations with two women without informing them of his status. It is important to note that one cannot consent to an assault; therefore it is important for the court to establish that consent could not have been obtained, because the victims were not informed of critical information that would otherwise have made them refuse the sexual encounter. The courts held that the fact that he did not inform them of this positive status constituted a fraud and vitiated consent under s. 265 (3)(c), satisfying the mens rea element for the offence of aggravated assault. Additionally, the offence’s requirement that the accused’s acts endanger the life of the complainant under s. 268 (1) of the Criminal Code was met because not disclosing his positive status, vitiating consent under s. 265 (3)(c), and having unprotected sex “put the complainant at a significant risk of suffering serious bodily harm”. Therefore, the courts had stated that non-disclosure of an HIV-positive status could constitute assault if there was a significant risk of serious bodily harm to the complainant.

After the ruling in R v Cuerrier, commentators pointed out the challenges in determining when there may or may not be a significant risk of bodily harm. For example, it was uncertain whether condom use would negate the significant risk of bodily harm. Additionally, it was not clear whether or not a person’s viral load would affect this risk. In her article for the McGill Journal of Law and Health, Grant argues that Courts’ interpretation of Cuerrier have resulted in “too broad and too uncertain a test for criminalization of non-disclosure”. Over time, the courts also wrestled with this idea, and many acknowledged the need to clarify the law and its duty to disclose.

In R v Mabior, the judges of the Supreme Court acknowledged this need and set out to specify when the non-disclosure of a positive HIV status during sexual activity could count as a “significant risk of serious bodily harm.” The Court found that this risk exists when there is a “realistic possibility of transmission”. This realistic possibility of transmission is defined in negative terms: it is not met “if the HIV-positive person has a low viral count […] and there is condom protection” (para 4). In other words, to avoid criminal prosecution, a person with HIV who does not disclose that status during sex must have a low or undetectable viral count and they must use a condom. Notably, however, the Supreme Court said that this test is a conclusion flowing from the facts of this case, and that it does not prohibit the common law from adapting to advances in treatment and different circumstances involving other risk factors. Nevertheless, Mabior’s contributions to the legal framework surrounding the duty to disclose have been critiqued. Some of the criticisms are examined below.

The Science

It is often said that the law does not keep pace with science or technology, and some say that the criminalization of non-disclosure is no exception. In July 2018, a team of twenty scientists released an Expert Consensus Statement examining the abundance of prosecutions related to the perceived risk of HIV acquisition. The authors contend that these prosecutions often happen where “HIV transmission did not occur, was not possible or was extremely unlikely” and therefore are not informed by the best available scientific evidence. The authors state that the per act chance of HIV transmission during sexual intercourse ranges from “zero to low”, and that correct use of a condom prevents HIV transmission. “Correct use”, they say, means “the integrity of the condom is not compromised, and the condom is worn throughout the sex act in question”. Contrary to the ruling in Mabior, this suggests that even if a person has a high viral load but uses a condom properly, a realistic possibility of transmission of HIV would not exist. Though this article was published  recently, the evidence used has been written on as far back as 1997, suggesting that this information had been around at the time of the ruling in Mabior in 2012. This supports the contention that the law is not always up to date with science.

The consensus statement then asserts that people living with HIV have an increased life expectancy and that their quality of life has significantly improved thanks to antiretroviral therapies. Researchers maintain that persons with HIV can live healthy, normal lives if they obtain proper treatment. This questions whether or not the criminal law ought to punish only those with a positive HIV-status, and not other treatable sexually transmitted infections, in cases of non-disclosure. It also brings into question whether non-disclosure of issues not related to sexually transmitted infections, such as increased risk of pregnancy, should also vitiate consent. Given the scientific research, it is unclear what differentiates HIV positive status from these other cases to vitiate consent. Without sufficient differentiation, in order to be consistent, the criminal law should arguably not criminalize HIV-exposure in the case of non-disclosure.

A Public Health Perspective

In a report on Criminalizing HIV Non-disclosure, Exposure and Transmission, Mykhalovskiy and others compile and summarize various research projects addressing the topic. They noted that most research found that criminalization negatively impacts public health and community-based efforts to prevent HIV transmission. They found that criminalization increases stigma and discrimination – especially in racialized communities. It is argued that this stigma discourages people from getting tested, which delays treatment. This delay in treatment can be detrimental to a person’s health. The authors also note that criminalization of non-disclosure can negatively impact HIV care by legally altering the relationship between practitioner and patient.  Though this is described as a “subtle impact”, the authors of the study explain that nurses have reported challenges in maintaining good relationships with their patients. They also found that some nurses’ note-taking practices were altered upon criminalization, due to the possibility that client records might be subpoenaed. Though this particular study was based on a small sample, if there is a broad change in practitioner behaviour due to criminalization, it could be harmful to public health efforts combatting HIV if it negatively impacts the rapport between patient and practitioner.

101019-N-3237D-039 Doctor Patient communication such as this can be negatively affected || (Source: Flickr // Continuing Promise 2010 )

Is the Law “Catching Up”?

In certain cases, courts have not strictly applied the test set out in Mabior that there is no realistic possibility of transmission (and therefore no significant risk of bodily harm) if a condom is used and there is a low viral load. For instance, the Nova Scotia Provincial Court, in R v J.T.C., decided that although the accused did not use a condom during sex, the realistic possibility of transmission test was found not to have been met because he had a low viral count. In this case from 2013, the court relied on expert scientific evidence to conclude that there was a very low risk of HIV transmission and acquit the accused. Therefore, the law acknowledged that, contrary to the ruling set out in Mabior, there may not be a realistic possibility of transmission without condom use, if there is a low viral load.

Recently, the Canadian government set out to reconcile tensions between the scientific and public health arguments described above and the law’s criminalization of non-disclosure. In December 2017, the Department of Justice Canada released a report on the Criminal Justice System’s Response to Non-disclosure of HIV. The report, among other things, acknowledges the accuracy of the science described above. It also concludes that the criminal law should “generally not apply” to persons living with HIV who use condoms or are on treatment because “the realistic possibility of transmission test is likely not met in these circumstances”. In spite of the Supreme Court’s rulings in Cuerrier and Mabior, given the Government’s report mentioned earlier, it is possible that courts will find, as in R v J.T.C., ways in which a realistic possibility of transmission does not exist through means other than condom use and a low viral load. However, it is unclear if the report’s recommendations will be followed nation-wide. It is possible that courts continue to apply the test laid out in Mabior inconsistently. The uncertainty of whether or not one’s actions will be criminalized arguably violates the principle of rule of law that one should be able to know for what he or she may be criminalized. However, there is hope that judges take the time to carefully examine the facts and listen to expert witnesses backed by science in ascertaining whether this risk existed in individual circumstances.

Annelise Harnanan is a Junior Online Editor with the McGill Journal of Law and Health. She is in her first year of the B.C.L./ L.L.B. program at McGill University’s Faculty of Law, and has a keen interest in health policy. She holds a BA with distinction in Political Science from Dalhousie University.