Ontario EHR Governance Arrives…
I had previously written on the subject of electronic health records here, as well as about their governance here. The latter post was about the state of EHR governance in Ontario, especially when one considers legislative developments in Alberta and BC. It seems that the current Liberal government has decided to address the issue with the introduction of Bill 78, the Electronic Personal Health Information Protection Act 2013.
The stated objective of the legislation is to authorize and facilitate the sharing of personal health information (“PHI”) in connection with the provision and management of health care. The bill, introduced in May, hasn’t made it to second reading yet so the timing of its eventual application to health information systems in Ontario remains to be determined.
The bill will amend the Personal Health Information Protection Act, 2004 by adding a new Part V.1. There’s a lot in the bill and I don’t propose to go through the details but it does deal with the custodianship of personal information in a electronic health record (“EHR”) and sets out a series of obligations for (i) prescribed organizations, (ii) health information custodians that submit PHI to an EHR and (iii) those that access PHI in an EHR.
Bill 78 also proposes an advisory committee that is to make recommendations in relation to EHRs; provides new powers of the Information and Privacy Commissioner in relation to prescribed organizations; and, intriguingly, provides authority for the Ministry to require custodians and classes of custodians to submit PHI to prescribed organizations for the purposes of an EHR. I’ll come back to these bolded items later.
There is a general prohibition on health information custodians collecting PHI from an EHR maintained by a prescribed organization, except for providing healthcare or eliminating a risk of harm to the subject individual or others. A prescribed organization is required to exercise a series of enumerated functions with respect to it’s electronic health record, and must comply with about two dozen specific requirements in creating or maintaining an EHR.
The “lockbox” concept is extended to allow patients to block PHI from being accessed by a specific healthcare provider. This is qualified to allow disclosure of alerts about potentially harmful medication interactions, as long as the information that is subject to the directive is not provided, as well as disclosures that eliminate or reduce significant risk of harm to the patient or others.
Breaches of privacy would require notification by the prescribed entity to the health information custodian that submitted the affected PHI to the EHR and the IPC. Liability on conviction of an offense increases to $100,000 for an individual and up to $500,000 for an organization.
It will be interesting to see the composition of the advisory committee and the extent of its influence in EHR governance. One might argue that it would be better if the Committee had a formal rather than an advisory role in the collection and use of personal health information. The government will have greater access to PHI and a “watchdog” function would provide a balancing influence. That may still happen but a constructive improvement would be to emulate BC’s approach where the legislative expressly provides for a broader stakeholder membership and includes members of the public.
Similarly, authority…to require custodians…to submit PHI to prescribed organizations for the purposes of an EHR, has an Orwellian pallor, especially since there is not yet a lot of explanation as to the purpose and objective of such information collection. Even the Ontario Hospital Association has noted that this aspect requires more clarity. It’s as if they built a provincial EHR, based on ’90s architecture, and now need to make it relevant in the 21st century by ensuring it holds PHI. It also leads one to speculate about a more interventionist personalization of healthcare in the future. But that’s getting ahead of ourselves on a topic that should be a subject of public policy and debate. How a requirement to submit PHI to “prescribed organizations” impacts primary healthcare and squares with the ethical obligations of healthcare providers remains to be seen.
Let’s hope Ontario MPPs explores these themes when the text of Bill 78 is further considered in the legislature.