Law & Governance

Law & Governance 13(9) March 2010

Electronic Health Records: Examining Information Privacy

Megan Brister and Beth Dewitt


Information governance considers the principles, processes and policies for protecting personal information and personal health information. In particular, information governance frameworks draw upon legal, "best practice" and quality requirements to ensure that personal information and personal health information is kept confidential and secure at all times. This article examines the role of information governance frameworks in electronic health record (EHR) systems by discussing four key factors of information governance. The authors draw on approaches to EHR information governance across Canada and define the components of information governance that provincial agencies should consider to appropriately implement and manage EHRs.

Electronic health records (EHRs) are digital records of patients' medical history, stored and shared across healthcare systems (Canada Health Infoway 2010). EHRs support patient care by enabling healthcare providers to easily share and access personal health information such as laboratory tests, medication information, diagnostic images and treatment history. All Canadian provinces and territories are in the process of implementing province-wide EHRs. The management of EHR systems generally falls to government and arm's-length "e-health" agencies, which implement these systems through a series of projects.

Despite the prevalence of EHR initiatives, there is a lack of clear, publicly available information about how EHRs actually enable the protection of patients' health information and the governance rules and processes around this. Such information includes, for example, who is accessing the EHR, for what purposes, how patients may control access to their information within the EHR, and whom patients may contact to inquire about their privacy in these systems. E-health agencies or organizations charged with managing or implementing EHRs would also benefit from a clearer understanding of these issues, in their own – and other – jurisdictions.

To this end, this article explores the information governance frameworks in place to guide the privacy roles and responsibilities of organizations that use or manage EHR systems. Information governance concerns the policies, processes, roles and responsibilities established to protect personal health information. For example, in the context of an EHR, different privacy responsibilities apply to different parties, depending on whether the party accesses information from the EHR, transfers information to the EHR or provides information technology to support the EHR. Information governance is based largely on privacy requirements found in health privacy and EHR-specific legislation. Privacy roles and responsibilities are effected through accountability models and enforced through oversight bodies and participation requirements imposed on parties taking part in the EHR. Each of these four factors (legislative requirements, accountability models, oversight bodies and participation requirements) is explored in detail below.

1. Legislative Requirements

EHR-specific legislation prescribes rules for the creation of and accountability for EHR systems, including rules concerning the collection, use and disclosure of personal health information across the EHR. EHR-specific legislation generally includes more specific rules than those found in health privacy legislation. As such, EHR-specific legislation provides a clear basis for EHR information governance models.

In Canada, EHR-specific legislation has been adopted in British Columbia (BC) and EHR-specific provisions have been proposed in Newfoundland and Labrador and in Alberta. For example, BC's Personal Health Information Access and Protection of Privacy Act – or "E-Health Act" – regulates the creation of databases containing personal health information, referred to as "health information banks." The E-Health Act also regulates the collection, use and disclosure of information within these health information banks.

Under the E-Health Act, the Minister of Health must establish the health information bank by a designation order. This order describes, for example, the nature of the personal health information that may be retained in the health information bank, and the purposes for which personal health information may be collected, used and disclosed, and by whom (BC E-Health Act 2008: s. 3[2]). The designation order also identifies the health information bank administrator, who is responsible for managing collection, use and disclosure via the health information bank. This means that responsibility for the shared repository always rests with a single individual or organization.

The E-Health Act also provides for the creation of data stewardship committees. These committees are responsible for managing disclosures of personal health information for secondary purposes (e.g., health system planning or research). Such purposes are outside the scope of the health information bank administrator's responsibility (BC E-Health Act 2008: ss. 11–16).

Since the E-Health Act provides a specific framework for information governance, including the roles and responsibilities for the collection, use, disclosure and protection of personal health information, it is expected that the Minister will designate each of BC's EHR systems (e.g., PharmaNet) as a health information bank.

In Newfoundland and Labrador, the Personal Health Information Act (PHIA) (proclaimed in part at the time of writing) will govern the collection, use and disclosure of personal health information as well as establish rules for exchange of information via the province's EHR. Under PHIA, custodians (e.g., healthcare providers) may disclose personal health information to an information network in order to enable the information network to create an EHR (Newfoundland PHIA 2009: s. 39[1]). It is expected that the Newfoundland and Labrador Centre for Health Information, which is currently tasked with implementing the EHR, will be designated under the PHIA Regulations as an "information network." This means that PHIA and its Regulations will help define accountability for EHR systems in the province.

In Alberta, the provincial EHR – Netcare – is managed by Alberta Health and Wellness (i.e., the Ministry of Health). EHR-specific amendments recently proposed to the Health Information Act (Alberta HIA 2000) will not only permit the transfer of information to the EHR (as proposed in Newfoundland and Labrador), but also enable health professional bodies to direct healthcare providers to make "prescribed health information" available to the EHR (Health Information Amendment Act [Alberta HIAA 2006: Part 5.1]). In order to ensure patients continue to have control of their information, these provisions were amended to require regulated health professionals or healthcare providers to consider the express wishes of the patient before sending prescribed health information to Netcare. In practice, this means that patients will continue to be able to mask their records in Netcare from view by certain healthcare providers.

As a result of BC's E-Health Act and pending legislation in Newfoundland and Labrador and Alberta, other provinces are considering similar EHR-specific regulations. In Ontario, the Personal Health Information Protection Act, 2004 (Ontario PHIPA 2004) and its accompanying Regulation (Ontario PHIPA Regulation 2004) set out privacy rules for the collection, use and disclosure of personal health information by individuals and organizations involved in the delivery of healthcare services. Ontario's Standing Committee on Social Policy, which is tasked with determining amendments to PHIPA, urged that PHIPA be amended to enable the creation of EHR-specific regulations. If created, these regulations will likely inform the information governance framework for the province's EHR by prescribing privacy requirements for healthcare providers and organizations exchanging information via EHR systems (Legislative Assembly of Ontario, Standing Committee on Social Policy 2008).

2. Accountability Models

Critical to establishing an information governance framework that ensures the confidential and secure exchange of personal health information is the adoption of an accountability model. Accountability models identify the individuals and/or organizations responsible for personal health information as it is exchanged through the EHR. Across Canada, the following three accountability models are implemented for various provincial EHR systems: 1) a "single-custodianship model," 2) a "multiple-custodianship model," or 3) a "no-custodianship model."

Alberta and Quebec both employ single-custodianship models. Under this model, a single entity or custodian is responsible for the personal health information entered into and accessed via the EHR system. All other participating healthcare organizations disclose personal health information to the custodian via the EHR, which then becomes responsible for the information. In Alberta, Alberta Health and Wellness is the custodian to which all organizations participating in the province's EHR disclose personal health information (Government of Alberta 2010). In Quebec, the Health and Social Services Agency for the Capitale-Nationale Region is the organization authorized (by Ministerial Order) to receive and retain personal health information within the provincial EHR (An Act respecting health services and social services, 1991: s. 434 [Quebec Health Services Act]).

It is important to note that under most privacy legislation in Canada, specific privacy responsibilities are defined for custodians. This means that under the single custodianship model, the EHR custodian is responsible, under law, for ensuring the protection of personal health information at all times. This model simplifies the management of privacy-related operations, such as putting agreements in place or investigating privacy breaches, and provides patients with a single point of contact for privacy matters, such as requests for access to information, inquiries or complaints.

The multiple-custodianship model can be found in Manitoba and Saskatchewan. Under this model, each participating custodian maintains custody and, therefore, responsibility for personal health information that it shares with the EHR. This means that each custodian must meet its privacy obligations for personal health information under provincial privacy legislation until such a time that another custodian collects the personal health information from the EHR system.

Under the multiple-custodianship model, third-party service providers play an important role by making the technical environment (e.g., systems and networks) of the EHR available to custodians to exchange information. As such, service providers are subject to privacy requirements under provincial privacy legislation, which prevent service providers from handling personal health information for any purpose other than to support the EHR. For example, the Saskatchewan Health Information Network (SHIN) is considered an "information management service provider" under Saskatchewan's Health Information Protection Act, 1999 since it provides information technology services to healthcare providers in support of the EHR (Saskatchewan HIPA 1999: s. 2[j]). The SHIN is not permitted to use, disclose, obtain, access, process, store, archive, modify or destroy any personal health information it receives from trustees (i.e., healthcare providers), except to manage the EHR (Saskatchewan HIPA 1999: s. 18[3]).

The single- and multiple-custodianship models ensure that an entity or entities are always responsible for personal health information. However, the multiple-custodianship model requires several healthcare organizations to co-operate to meet patients' privacy needs. For example, an individual's request for his or her health record requires information from several organizations to adequately fulfill the request. Further, in the multiple-custodianship model, personal health information is protected only as well as the weakest healthcare organization is able to protect such information. This means that all participating healthcare organizations must depend on one another to ensure that personal health information is protected across the continuum of care. Several jurisdictions manage this issue by imposing privacy and security requirements on participating healthcare organizations through contracts (see discussion on participation requirements below).

Under the no-custodianship model, none of the custodians are responsible for the personal health information retained in the EHR. Rather, once custodians submit personal health information to the EHR system, this information has been "disclosed" to all other custodians participating in the EHR. This means that privacy legal requirements for custodians no longer formally apply to this personal health information. Instead, the custodians rely upon the privacy and security safeguards provided by the service provider hosting the EHR system to protect the personal health information retained in and exchanged via the EHR. This service provider holds the personal health information in trust until the information is "collected" by an accessing healthcare provider.

As in the multiple-custodianship model, it may be difficult to determine accountability under the no-custodianship model for the personal health information when, for example, a breach occurs or a patient requests access to his or her health information. Further, under health privacy legislation, service providers play a role in relation to custodians by making EHR systems available to exchange personal health information. When there is no custodianship over information, it is questionable whether service providers are subject to privacy legal requirements.

3. Oversight Bodies

Oversight bodies, such as EHR committees and councils, set policy and procedural and technical requirements to govern the protection of personal health information within the EHR. This may include establishing policies that participating healthcare organizations must follow to participate in the EHR or technical requirements that systems must meet, as well as conducting compliance and monitoring activities to ensure policies and requirements are met. Such oversight bodies may be legislated, as is the case in BC, where data stewardship committees are responsible for managing disclosures of personal health information for secondary purposes under the E-Health Act.

Where oversight bodies are not formalized under legislation, provinces may choose, through policy, to establish committees or councils to serve the same function. For example, the Newfoundland and Labrador Centre for Health Information (the "Centre"), the agency responsible for overseeing the implementation of the province's EHR, has Information Governance Advisory Committees that report to its Board of Directors through the Centre's Chief Executive Officer and are responsible for advising on the management and operation of the EHR, including the policies, procedures and technologies employed to protect personal health information. The Centre has also established an Internal Privacy Committee to ensure all practices related to the retention and exchange of personal health information by the Centre and via the Health Information Network (i.e., the EHR) meet specific privacy standards developed by the Information Governance Advisory Committees and formalized through the Centre's policy and procedures. For example, the Internal Privacy Committee may conduct privacy audits on the Centre's practices and review the findings of privacy impact assessments conducted by the Centre on all EHR systems (Centre for Health Information, Newfoundland and Labrador 2010).

Oversight bodies also rely on terms of reference to formalize the committee's powers and responsibilities. These committees generally report directly to the Chair of the Board of Directors for a provincial e-health agency, as is the case in Newfoundland and Labrador, or to a Deputy Minister for Health. For example, Manitoba eHealth, which is responsible for implementing the province's EHR strategy, set up an oversight body that is charged with setting data-protection rules for the EHR. This oversight body, known as the Provincial Privacy and Security Council, must establish privacy and security requirements for the Manitoba EHR, and all EHR systems and participating healthcare organizations must meet these requirements in order to protect personal health information and participate in the province's EHR (Manitoba eHealth 2008b). The Council reports to the Manitoba eHealth Board Chair (through the eHealth Strategic Council), who is also the Deputy Minister of Health, and is governed by terms of reference (Manitoba eHealth 2008a).

Finally, provinces benefit from committee membership that includes representation from all levels of the health system. In Alberta, for example, the EHR Data Stewardship Committee, responsible for information governance oversight of the EHR, consists of representatives from the Alberta Cancer Board, the Alberta College of Pharmacists, Alberta Health and Wellness, the Alberta Medical Association, the Calgary Health Region, Capital Health, the College of Physicians and Surgeons of Alberta, the Regional Shared Health Information Program, the Pharmacists Association of Alberta and the public (Office of the Information and Privacy Commissioner of Alberta 2008). This committee reports directly to the Minister of Alberta Health and Wellness (i.e., the Minister of Health).

4. Participation Requirements

In a shared-repository environment such as an EHR, participation requirements ensure all organizations connecting to the EHR have adequate levels of privacy controls. In other words, participation requirements prevent or mitigate the effect of "weak links" that put personal health information managed throughout the EHR at risk. Participation requirements typically include assessments, agreements and technical or administrative privacy requirements imposed on technology providers or healthcare organizations connecting to the EHR.

Assessments, such as checklists, reviews and privacy impact assessments (PIAs), are preventive controls used to determine if a healthcare organization has the appropriate privacy practices in place and to identify risks that must be mitigated before the organization may connect to the EHR. For example, in Ontario, a Data Protection Checklist (Anzen Consulting Inc. 2006) was used to ensure hospitals connecting to the provincial client registry had met all the necessary requirements under Ontario's PHIPA (Carr et al. 2009).

In Alberta, a healthcare provider who wishes to connect to or access Netcare (i.e., the provincial EHR) must conduct and submit to Alberta Health and Wellness a PIA and an Organizational Readiness Assessment (Government of Alberta 2010). PIAs are also submitted to the Information and Privacy Commissioner/Alberta for review. This requirement is provided for under Alberta's HIA, which requires custodians (i.e., healthcare providers) to complete PIAs before implementing or changing any system involved in the collection, use or disclosure of health information (Alberta HIA 2000: s. 64).

Currently, only health privacy legislation in Alberta and Ontario requires PIAs, and, in Ontario, PIAs are only required of "health information network providers" (Ontario PHIPA Regulation 2004: s. 6[3]). PIAs are also required as a condition of funding from organizations such as Canada Health Infoway. Infoway requires conceptual, logical and physical PIAs before funding EHR initiatives (Canada Health Infoway 2010).

The mandatory requirement to conduct PIAs to connect to the EHR has been the subject of debate in several provinces. Information and Privacy Commissioners and other EHR oversight bodies, such as those committees and councils discussed above, require a significant number of resources to adequately review and provide guidance on PIAs. Therefore, most provinces have opted for a voluntary model that is supported by PIA guidelines. However, even with clear guidelines, the scope and quality of PIAs may vary significantly from one organization to the next, unless the analysis is subject to review. Further, the purpose of PIAs is to identify risks to patient privacy that may result from the implementation of a new EHR system. Therefore, it is important that oversight bodies have a mechanism to ensure that all identified risks have been appropriately mitigated. This practice is not enshrined in any health privacy or EHR legislation, and it is conducted to a limited degree in accordance with organizational policies.

Healthcare organizations are also required to enter into agreements to participate in the EHR. These agreements are executed at the organizational and user level. For example, in Alberta, healthcare-provider organizations that will access the EHR must enter into an Information Manager Agreement with Alberta Health and Wellness. Individual healthcare providers must then sign the Information Exchange Protocol (i.e., user agreement), which binds the providers to the Information Manager Agreement (Government of Alberta 2010). Ontario has taken a similar approach to its Wait Time Information System. Healthcare providers (i.e., users) must be authorized by their hospital to use the system and read and accept an end-user licence agreement (Wait Time Information Office 2008).

Finally, several jurisdictions have imposed technical and administrative privacy requirements on systems that comprise or support the EHR. Alberta's Netcare Physician Office System Program published Vendor Conformance and Usability Requirements that describe, among other things, the privacy and security requirements that physician office software must have in place to participate in this program (Physician Office System Program 2010). In Ontario, Cancer Care Ontario, which was responsible for implementing the provincial client registry, executed a licensing agreement with the vendor providing the client registry software. This agreement included detailed privacy and security requirements and obligations to ensure the protection of personal health information managed via the software (Information and Privacy Commissioner/Ontario 2006).


Together, the above-discussed components of information governance form a model that ensures all healthcare providers and organizations participating in the EHR have clear privacy roles and responsibilities. This article serves to outline approaches to EHR information governance and contributes to the relatively limited public information about how EHRs enable broader sharing and protection of patients' health information.

About the Author(s)

Megan Brister, CISSP, PMP is a partner with Anzen Consulting Inc., who has built a career in the data-protection field working with both private and public organizations to develop effective and practical privacy and information security programs. Megan has conducted dozens of privacy impact assessments and privacy gap assessments for government, healthcare delivery organizations, data brokerage companies and information technology firms. Megan has also developed and implemented information governance models for several electronic health record systems. Megan has over 10 years of information privacy experience and is a Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP).

Beth Dewitt, MA, is a privacy consultant with Anzen Consulting Inc. who specializes in information governance, consent and the privacy statutory issues involved in the implementation and deployment of large provincial and national health information technology solutions. Beth has advised several project teams implementing EHR solutions as well as trained privacy officers to manage the day-to-day operations of the privacy function. Beth holds a Master of Arts in Social Anthropology and a Graduate Diploma in Health Services and Policy Research from York University.


References

An Act Respecting Health Services and Social Services. 1991 R.S.Q. c. S-4.2. [Quebec Health Services Act]

Anzen Consulting Inc. 2006, November. Enterprise Master Patient Index – Data Protection Checklist.

Bill 7, An Act to Provide for the Protection of Personal Health Information, 1st Sess., 46th General Assembly, Newfoundland and Labrador. Retrieved January 20, 2010. [Newfoundland Personal Health Information Act]

Canada Health Infoway. 2010. "About Electronic Health Records." Retrieved January 20, 2010.

Carr, D., V. Welch, T. Fabik, N. Hirji and C. O'Connor. 2009. "Taking It to the Streets: Delivering on Deployment." Healthcare Quarterly 12 (Sp): 30–9.

Centre for Health Information, Newfoundland and Labrador. 2010. "Welcome to the Centre." Retrieved January 20, 2010.

E-Health (Personal Health Information Access and Protection of Privacy) Act, S.B.C. 2008, c. 38. [BC E-Health Act]

Government of Alberta. 2010. Department of Health and Wellness. "Welcome to Alberta Netcare." Retrieved January 20, 2010.

Health Information Act, R.S.A. 2000, c. H-5 [Alberta HIA].

Health Information Amendment Act, S.A. 2006, c. 18 [Alberta HIAA].

Health Information Protection Act, S.S. 1999, c. H-0.021. [Saskatchewan HIPA].

Information and Privacy Commissioner/Ontario. Investigation Report – PHIPA Report HI06-45. 2006, August 25. Initiate Systems Inc. and the Ontario Ministry of Health and Long-Term Care.

Legislative Assembly of Ontario. Standing Committee on Social Policy. 2008. "Review of the Personal Health Information Protection Act, 2004." 1st Sess., 39th Parliament, 57 Elizabeth II.

Manitoba eHealth. 2008a, April 7. "COACH: Manitoba signs on for province-wide use of Privacy Guidelines." Media Release.

Manitoba eHealth. 2008b. "Enabling Clinician Access Safely & Securely: Any Time, Any Where." Presentation at eHealth Conference 2008.

Office of the Information and Privacy Commissioner of Alberta. 2008. Investigation Report Concerning the Disclosure of Health Information Using Alberta Netcare (Investigation Report: H2008-IR-001J).

Ontario Regulation 329/04; amended to O. Reg. 537/06. [Ontario PHIPA Regulation]

Personal Health Information Protection Act, 2004. S.O. 2004, c. 3, Sched. A. [Ontario PHIPA]

Physician Office System Program. 2010. "Vendor Conformance and Usability Requirements." Retrieved January 20, 2010.

Wait Time Information Office. 2008. Privacy Policy. Retrieved January 20, 2010.

