Transcript Document

Contemporary Issues in Canadian Health Care
Nola M. Ries, MPA, LLM
Adjunct Assistant Professor, University of Victoria
Research Associate, Health Law Institute, University of Alberta

identify concerns about privacy,
confidentiality and security of EHRs

discuss relevant professional and legal issues

highlight lessons learned from case studies

“The value of electronic health records … as
tools to improve access, quality and
comprehensiveness of care should be
reinforced so that the public clearly
understands the benefits and demands of
their introduction.

We recommend that providers,
governments and the public jointly commit
to the rapid adoption of these tools.”
(Health Council of Canada, Report to Canadians, 2005)

“issue of privacy, confidentiality and protection of
personal health information in the context of an EHR
system is perhaps the most sensitive one raised”

“Currently, there is significant variation in privacy
laws and data access policies across the country that
poses a challenge for EHR systems that are
dependent on inter-sectoral and inter-jurisdictional
flows of personal health information. …”
Senator Kirby, Senate Report on the Health of
Canadians (2002)

Privacy: one’s right to control who has access to
information about oneself

Confidentiality: a duty owed by one to preserve the
secrets of another

Security: mechanisms put in place to safeguard
privacy and ensure confidentiality is maintained

Hippocratic oath
 “Whatsoever I shall see or hear concerning the life
of men, in my attendance on the sick, or even
apart therefrom, which ought not to be noised
abroad, I will keep silence thereon, counting such
things to be as sacred secrets.”
right of privacy fundamental in a free and
democratic society
 includes patient's right to determine with whom he
or she will share information and to know of and
exercise control over use, disclosure and access
concerning any information collected about him or
her
 right of privacy and consent are essential to trust
and integrity of the patient-physician relationship.



public sector information and privacy laws
health information laws
 Manitoba (1997)
 Alberta (2001)
 Saskatchewan (2003)
 Ontario (2004)

private sector privacy laws

EHRs “potentially conflict with privacy principles
unless patients control how the record is shared
and appropriate security measures are in place.”

“A coherent legal framework to appropriately
protect the privacy and confidentiality of personal
health records is therefore an essential first step
for successful EHRs”
Amanda Cornwall, “Connecting Health: A review of electronic health
record projects in Australia, Europe and Canada” (2003)


Should individual consent be required
before information is included in EHR or
disclosed through EHR?
To be legally valid, consent generally must
be informed:
 Who will have access to info?
 For what purposes?
 What security mechanisms are in place?
 What are risks of unauthorized access?

comprehensive health records

initially gave individuals right to refuse
consent

removed in 2003

retain right to restrict access to
comprehensive health record by giving
written instruction

Section 59: required individual consent
before information could be disclosed
electronically







authorization for custodian to disclose
purpose for disclosure
identity of recipient
acknowledgement of reasons, risk, benefits
date effective
statement that consent may be revoked
Removed in 2003
“in facilitating a province wide electronic health
record, practical experience made it apparent that
getting consent from Albertans was going to be
difficult and costly”
 not “possible to inform people in a meaningful way
of all the specific disclosures by electronic means,
which might ever be made of their health
information”

Frank Work, QC, Alberta Information & Privacy Commissioner


patient consent required to include
information in EHR
pilot project in Tasmania (2004):
 many patients were not asked for consent
 identified need for simple consent process

discussion about moving to presumed
consent / opt-out model

National Health Service “care record guarantee”
published May 2005

consent for sharing patient information in EHR
is generally presumed

but “You can choose not to have information in
your electronic care records shared”

consistent with 2006 BMA statement




maintain administrative, technical and
physical safeguards to protect confidentiality
and privacy
measures to guard against risks associated
with EHRs
audit logs
privacy impact assessments

benefits and risks of EHRs

professional obligations
 ethical and legal

patient rights
 consent and control

achieving an appropriate balance