Governance: Is Ontario Ready for an EHR?

Imagine building a house without wiring it for electricity.

Despite good intentions, millions of dollars, years of effort and, probably matching the historical norm of any visionary undertaking, a scandal or two, Ontario does not yet have an electronic health record (“EHR”). Despite some success with building networks and applications to support an EHR, the government still hasn’t got data governance right.

Keep in mind the purpose of a functioning EHR is to facilitate access to sensitive personal information by a number of different players. Some are obvious such as medical personnel who access your health data to provide acute, primary or even long-term home care. Some may be government staff with one eye on the ever-increasing percentage of the provincial budget devoted to healthcare and another on programs to systemically reduce healthcare costs through health promotion/maintenance. Others may be researchers seeking new insights or solutions that may be gleaned from that vast pool of longitudinal data that EHR-related databases will hold.

But who controls the data? Who supervises access to the data? Who ultimately will be responsible and accountable for the protection of widely accessible personal health information in electronic form?

Who’s Managing the System?

While government certainly doesn’t own personal health information holdings, as a funder of public health care, they do control, directly or indirectly, a good number of the databases that would logically support an interoperable EHR.  To date, there is no statute or regulation designating any agency or ministry as the manager of an EHR system in Ontario. Alberta has done so; one might argue that British Columbia, with its eHealth Act, has effectively done so as well.

One can use a collaborative approach where providers enter into “data-sharing” agreements to undertake a minimum set of terms and conditions pertaining to use, access (including access by third parties) and security (including masking). I’d probably add breach notification to the list. The difficulty with such agreements – given so many custodians in the province  – will be avoiding misuse or data breaches and this means a considerable investment in audit and enforcement.

Similarly, it also seems that identity management, for those users who want to access an EHR, remains to be settled. One suggestion from a couple of years ago was to use a federated identity management system with attributes and authorizations, depending on the sensitivity of the personal health information being accessed, serving as appropriate safeguards. I don’t know if that is still the plan but it is reminiscent of the identity management approach found in Public Key Infrastructures (PKIs) back in the 90s. While PKI got overhyped by the turn of the century, the idea of a decentralized system built on trust and backed by agreements is very feasible. Back then, the trouble was no one wanted to sign the agreements – they simply weren’t sure if they were comfortable with the legal liability if something went wrong. The stakes are much lower in a closed EHR-focused system but do providers in Ontario, even if they are indemnified, want to give access to their records to people identified by another provider elsewhere in the province?

Where are the data stewards?

“Data stewardship” is often referred to as a management function associated with the collection, use, disclosure, management and security of information. Complicating matters is the fact that “stewardship” is sometimes confused with “ownership”. It’s important to remember that “ownership” of the record is distinct from ownership of the information in the record.

Just because someone owns a database holding some or all of a patient’s personal health information does not make them the owner of that data. While providers have a stake in health data an important concept that needs to be fully embraced is that governments and providers are stewards of patient personal health information.  Providers have to think in terms of an “information trust” with those holding and accessing health data – including government – having fiduciary responsibilities with respect to that personal health information.

We haven’t yet seen the results of any of cooperation between different stakeholders representatives (e.g. the regulatory colleges, the OHA, OMA, etc) with respect to appropriate protocols for information management in Ontario. Somewhat unrelated but illustrative is the reaction of a number of physicians to the recent Baseline Diabetes Initiative which seems to suggest that all stakeholders are not yet on the same page with respect to the sharing of information, or what role the Ministry should have in directing how patient information is collected, used and disclosed.

Until we see that degree of cooperation and the development of common standards as they pertain to data governance, Ontario isn’t ready for primetime as far as an EHR is concerned.

Oh, if this all seems an academic commentary, go see Alberta’s new EHR Regulation and see what they do in the governance of their EHR.

Leave a Reply