|
|
spring 2007 |
 |
|
P
R I V A C Y
Health
Information Act anticipates electronic health records
Implications for
physicians unclear
The Department of Health
has recently circulated a draft Health Information Act for public
consultation. Motivated by and anticipating the growing use of
electronic health records, and the networking of such records among
health care entities, the rules govern how personal health information
(including paper records) can be securely collected, used, disclosed and
maintained.
|
|
|
|
By Ed Brown |
|
The Department of Health has recently
circulated a draft Health Information Act for public
consultation. Motivated by and anticipating the growing use of
electronic health records, and the networking of such records among
health care entities, the rules govern how personal health
information (including paper records) can be securely collected,
used, disclosed and maintained.
Under the draft act, rules and procedures
are created for custodians of health information. This includes
enumerating the situations under which consent must be obtained from the
patient for the use and disclosure of their information. Generally,
consent is not required to disclose the information to the patient’s
other care providers or for purposes authorized by legislation (s.
13(2)). But there are significant administrative burdens implicated for
custodians in the context of electronically stored data: security
safeguards (s.24) compliance procedures (s.25) and provision of access
to the patient (s.18) as well as correction or annotation of records by
the patient (s.10).
Doubtless the expectation is that the
administrative burden would fall primarily on large institutional
infrastructure, as the institutions are also information custodians: but
it is not clear that this relieves the responsibility for correct
handling of the information from the individual health professional. In
any case the physician still bears the administrative burden and
obligations with respect to records kept in private practice. It is
likely that many of these obligations could be out-sourced to an
information technology service provider. In other words, many electronic
health records systems are run by an IT service, would try to meet these
obligations for the subscriber/custodian. The custodian would have to
enforce their obligations through the service contract (s.16). Of
course, the clinic maintaining paper records doesn’t have this option.
This draft is similar in conception to
existing legislation in Ontario, Alberta, Saskatchewan and Manitoba.
While harmonizing our health regime with other jurisdictions is
important, there are many questions about how this approach to
information management reshapes the actual practice of health care,
including:
-
The specter of ongoing patient access
to their personal charts has raised some concerns among physicians
about compromising their value.
-
Requiring all information to be
accurate, complete and up-to-date “as necessary for the purposes for
which it is to be used” (s. 9) ignores the realities of practice,
which often deals with conflicting, incomplete or unreliable data.
-
The idea that protecting confidences
around patient information can be relegated to institutional
administration or private service providers fails to recognize the
direct fiduciary responsibilities of the physician.
-
Whether
following the rules under this type of regime actually protects (or
is intended to protect) against malpractice claims in the arena of
private tort law is also unclear.
-
These concerns show the legislation
has the secure management of information in mind, but leave
implications for the practitioner yet to be worked out.
Dr. Edward Brown is a faculty member of
the Computer Science Department at Memorial University where he conducts
research in privacy technology and participates in the Medical
Informatics Group. He practices law with the local firm of White
Ottenheimer & Baker, with a particular interest in privacy and
technology matters. He can be reached via
email.
|
