Approved by Council: November 2000
Reviewed and Updated: September 2005, November 2006, May 2012, March 2020, June 2022
Companion Resources: Advice to the Profession

Policy

1. Whether in paper or electronic format, physicians must comply with all relevant legislation¹ and regulatory requirements related to medical record-keeping.

Establishing Custodianship and Accountabilities

2. Physicians must have a written agreement that establishes custodianship and clear accountabilities regarding medical records if they:
   1. practise in a setting where there are multiple contributors to a record-keeping system (e.g., a group or interdisciplinary practice, settings with a shared electronic medical record (EMR)); or
   2. are not the owner of the practice and/or of the EMR licence.^{2, 3}
3. Physicians must ensure their agreements:
   1. are in place prior to the establishment of the group practice, business arrangement, or employment, or as soon as possible afterward;
   2. comply with the Personal Health Information Protection Act, 2004 (PHIPA) and with the expectations set out in this policy; and
   3. address:
      1. custody and control of medical records, including upon termination of employment or the practice arrangement;
      2. privacy, security, storage, retention, and destruction of records; and
      3. enduring access for themselves⁴ and their patients.
4. Physicians with custody or control of medical records must give all former partners and associates reasonable access to their patient medical records to allow them to prepare medico-legal reports, defend legal actions, or respond to an investigation, when necessary.⁵
5. Physicians moving to a new practice who do not have custody or control of the medical records of patients who choose to follow them to the new practice, must obtain patient consent to transfer copies of the records to the new location.
6. Physicians must take all reasonable steps within their control to prevent a conflict about medical records from compromising patient care.

Access and Transfer of Medical Records

Providing Access to Medical Records

7. Physicians must provide patients and authorized parties⁶ with access to, or copies of, all the medical records in their custody or control upon request, unless an exception applies.^{7, 8}
8. Where an exception applies and access is refused, physicians must inform the individual in writing of the following:
   1. the fact of the refusal;
   2. the reason for the refusal; and
   3. the right of the patient to make a complaint to the Information and Privacy Commissioner of Ontario (IPC).⁹
9. Physicians must provide patients and authorized parties with explanations of any term, code, or abbreviation used in the medical record, upon request.¹⁰

Transferring Copies of Medical Records

10. Physicians must retain original medical records for the time period required by the Regulation¹¹ (see Medical Records Retention below) and only transfer copies to others.
11. Physicians must only transfer copies of medical records where they have consent or are permitted or required by law to do so.¹²
12. Physicians must transfer copies of medical records in a timely manner, urgently if necessary, but no later than 30 days after a request.¹³ What is timely will depend on whether there is any risk to the patient if there is a delay in transferring the records (e.g., exposure to any adverse clinical outcomes).
13. Physicians must transfer copies of the entire medical record, unless providing a summary or a partial copy of the medical record is acceptable to the receiving physician and/or the patient.
14. Physicians must transfer copies of medical records in a secure manner¹⁴ and document the date and method of transfer in the medical record.¹⁵

Fees for Copies and Transfer of Medical Records¹⁶

Fulfilling a request for copying and transferring medical records is an uninsured service. As such, physicians are entitled to charge patients or third parties a fee for obtaining a copy or summary of their medical record.

15. When charging for copying and transferring medical records, physicians must:
    1. provide a fee estimate prior to providing copies or summaries;¹⁷
    2. provide an itemized bill that provides a breakdown of the cost, upon request (e.g., cost per page, cost for transfer, etc.);¹⁸ and
    3. only charge fees that are reasonable.
16. When determining what is reasonable to charge, physicians must ensure that fees:
    1. do not exceed the amount of “reasonable cost recovery”;¹⁹ and
    2. are commensurate with the nature of the service provided and their professional costs (i.e., reflect the cost of the materials used, the time required to prepare the material and the direct cost of sending the material to the requesting individual).²⁰
17. When determining a reasonable fee, physicians must consider the recommended fees set out in the Ontario Medical Association’s Physician’s Guide to Uninsured Services (“the OMA Guide”)^{21, 22} and the applicable orders of the IPC²³.
18. When determining a reasonable fee, physicians must additionally consider the patient’s ability to pay.²⁴ In particular, physicians must consider the financial burden that these fees might place on the patient and consider whether it would be appropriate to reduce, waive, or allow for flexibility with respect to fees based on compassionate grounds.²⁵
19. Physicians may request pre-payment for records or take action to collect any fees owed to them but must not put a patient’s health and safety at risk by delaying the transfer of records until payment has been received.²⁶

Retention and Destruction  

Medical Records Retention²⁷

20. Physicians must ensure medical records are retained for a minimum of the following time periods²⁸:
    1. Adult patients: 10 years from the date of the last entry in the record.
    2. Patients who are children: 10 years after the day on which the patient reached or would have reached 18 years of age.^{29, 30}

Destruction of Medical Records

21. Physicians must only destroy medical records once their obligation to retain the record has come to an end.
22. When destroying medical records, physicians must do so in a secure and confidential manner³¹ and in such a way that they cannot be reconstructed or retrieved. As such, physicians must, where applicable:
    1. cross-shred all paper medical records;
    2. permanently delete electronic records by physically destroying the storage media or overwriting the information stored on the media; and
    3. destroy any back-up copies of records.³²

Storage and Security

Storage

23. Physicians must ensure medical records in their custody or control are stored in a safe and secure environment³³ and in a way that ensures their integrity and confidentiality, including:
    1. taking reasonable steps to protect records from theft, loss and unauthorized access, use or disclosure, including copying, modification or disposal;³⁴
    2. keeping all medical records in restricted access areas or in locked filing cabinets to protect against unauthorized access, loss of information and damage;
    3. backing-up electronic records on a routine basis³⁵ and storing back-up copies in a secure environment separate from where the original data is stored.
24. Where physicians choose to store medical records content that is no longer relevant to a patient’s current care separately from the rest of the medical record, physicians must include a notation in the record indicating that documents have been removed from the chart and the location where they have been stored.
25. Physicians must ensure medical records are readily available and producible when access is required.³⁶

Security³⁷

26. Physicians with custody or control of medical records must ensure that:
    1. all individuals who have access to medical records are bound by appropriate confidentiality agreements; and
    2. agreements that address data sharing are established for all health care providers, organizations or service providers who will have access to or who will be sharing patient health information with the physician.³⁸
27. Physicians with custody or control of medical records must have records management protocols that regulate who may gain access to the medical records in their custody or control and what they may do according to their role, responsibilities, and the authority they have.³⁹
28. Accordingly, physicians with custody or control of electronic records must:
    1. ensure each authorized user has a unique ID and password; and
    2. maintain an audit trail for all accesses (views) of personal health information, even where no changes are made to the record.
29. When using an electronic record-keeping system, physicians must not share their credentials or passwords.

Electronic Records - System Requirements

30. Physicians must use due diligence when selecting an EMR system and/or engaging EMR service providers and must only use electronic record-keeping systems that:
    1. comply with privacy standards set out in PHIPA,
    2. comply with the standards set out in the Regulation⁴⁰, and
    3. can fulfill the requirements set out in this policy and the Medical Records Documentation policy (e.g., capturing all pertinent personal health information).⁴¹
31. Physicians must only engage with EMR service providers who are willing and able to make medical records accessible, where required, for the purposes of regulatory processes (e.g., College investigations and assessments) and must ensure that EMR service providers are aware of their obligations in this regard (e.g., through written agreements).
32. In particular, the Regulation⁴² requires that physicians must only use electronic systems that:
    1. Provide a visual display of the recorded information;
    2. Provide a means of access to the record of each patient by the patient’s name and Ontario health number, where applicable;
    3. Are capable of printing the recorded information promptly;
    4. Are capable of visually displaying and printing the recorded information for each patient in chronological order;
    5. Include a password or otherwise provide reasonable protection against unauthorized access;
    6. Maintain an audit trail (a record of who has accessed the electronic record) that:
       1. records the date and time of each entry of information for each patient,
       2. indicates any changes in the recorded information,
       3. preserves the original content of the recorded information when changed or updated, and
       4. is capable of being printed separately from the recorded information for each patient;
    7. Automatically back up files and allow the recovery of backed-up files or otherwise provide reasonable protection against loss of, damage to, and inaccessibility of, information.⁴³
33. Physicians must be proficient with their electronic record-keeping system in order to:
    1. meet the requirements for record-keeping set out in relevant legislation and this policy; and
    2. participate in all regulatory processes (e.g., College investigations and assessments).

Transitioning Records Management Systems⁴⁴

34. When transitioning from one record-keeping system to another (i.e., a paper-based to electronic system, or from one electronic system to another), physicians must:
    1. maintain continuity and quality of patient care;
    2. continue appropriate record-keeping practices without interruption;
    3. protect the privacy of patients’ personal health information; and
    4. maintain the integrity of the data in the medical record.
35. To ensure the integrity of the medical record is maintained, physicians who are transitioning from one record-keeping system to another must have a quality assurance process in place that includes:
    1. written procedures that are consistently followed; and
    2. verification that the entire medical record has remained intact upon conversion (e.g., comparing scanned copies to originals to ensure that they have been properly scanned or converted).
36. Physicians who wish to destroy original paper medical records following conversion into a digital format must:
    1. use appropriate safeguards to ensure reliability of digital copies;
    2. save scanned copies in “read-only” format; and
    3. destroy medical records in accordance with the expectations set out in this policy.
37. Physicians who use voice recognition software or Optical Character Recognition (OCR) technology to convert records into searchable, editable files must retain either the original record or a scanned copy for the retention periods set out above.
38. So that complete and up to date information is contained in one central location, physicians with custody or control of records must:
    1. set a date whereby the new (electronic) system becomes the official record; and
    2. inform all health care professionals who would reasonably be expected to contribute or rely on the record of this date.
39. Physicians must only document in the new system from the official date onward.

Endnotes

^1. Personal Health Information Protection Act, 2004, S.O. 2004, c.3, Sched. A (hereinafter PHIPA); Part V of the General, Ontario Regulation 114/94, enacted under the Medicine Act, 1991, S.O. 1991, c. 30 (hereinafter Medicine Act, General Regulation); General, Ontario Regulation 57/92, enacted under the Independent Health Facilities Act, R.S.O.1990, c.1.3 (hereinafter IHFA, General Regulation); Hospital Management, Regulation 965, enacted under the Public Hospitals Act, R.S.O. 1990, c.P.40 (Public Hospitals Act, Hospital Management Regulation); Personal Information Protection and Electronic Documents Act of Canada, S.C. 2000, c. 5 (hereinafter PIPEDA).

^2. Section 14(1) of the Public Hospitals Act sets out that patient medical records compiled in a hospital are the property of the hospital.  For the purposes of this policy, the provisions set out in the Public Hospitals Act, along with the terms of a physician’s hospital privileges can serve as the official agreement for physicians who work in hospitals.  

^3. Additional advice for establishing such agreements can be found in the Canadian Medical Protective Association’s (CMPA) Electronic Records Handbook. In particular, the CMPA’s Data Sharing Principles and the template titled Contractual Provisions for Data Sharing can be reviewed and serve as a model. The OMA can also provide assistance establishing contracts.

^4. See PHIPA, s. 41(1) for the specific circumstances where physicians are permitted access to the personal health information of their former patients.

^5. See PHIPA, s. 41(1) for the specific circumstances where access can be provided to former partners and associates.

^6. Authorized parties include substitute decision-makers and estate trustees/executors of the estate where applicable, and third parties where consent has been obtained.

^7. PHIPA, s. 52; Section 52 of PHIPA contains a comprehensive list of the exceptions.

^8. There are exceptions that may limit the information a physician is required to produce in the context of an independent medical examination. For more information, please refer to PIPEDA. The CMPA’s article, Providing access to independent medical examinations also sets out advice on this issue.

^9. PHIPA, s. 54(1)(c). When access is refused on certain grounds, there are exceptions to the type of information that must be provided to patients. See PHIPA, s.54(1.1) for more information.

^10. PHIPA, s. 54(1)(a).

^11. Medicine Act, General Regulation, s. 19(1).

^12. For more information regarding disclosure, please refer to the College’s Protecting Personal Health Information policy.

^13. PHIPA, s. 54(2). Physicians are required under PHIPA to respond to requests of records transfer as soon as possible, but no later than 30 days of the request. Sections 54(3) and 54(5) of PHIPA set out provisions for circumstances requiring expedited access and an extension. 

^14. PHIPA, s. 13(1).

^15. For more information on transferring records, please see the Advice to the Profession: Medical Records Management document.

^16. These requirements apply regardless of whether access is provided directly by a physician or an agent of the physician, such as a records storage company.

^17. PHIPA, s. 54(10).

^18. It is an act of professional misconduct to fail to provide an itemized invoice when asked (See s. 1(1) paragraph 24 of Ontario Regulation 856/93 Professional Misconduct, enacted under the Medicine Act, 1991 S.O. 1991. C.30 (hereinafter Professional Misconduct Regulation).

^19. PHIPA, s. 54(11).

^20. In accordance with s. 1(1), paragraph 21 of the Professional Misconduct Regulation it is an act of professional misconduct to charge a fee that is excessive in relation to the services provided.

^21. The OMA Guide is typically updated annually, and so physicians must ensure they have reviewed the most recent edition.

^22. While physicians are not obliged to adopt the recommended fees set out in the OMA Guide, in accordance with s. 1(1) paragraph 22 of the Professional Misconduct Regulation, it is an act of professional misconduct to charge more than the current recommended fees in the OMA Guide without first notifying the patient of the excess amount that will be charged.

^23. See IPC Orders HO-009 and HO-14.

^24. The Canadian Medical Association’s Code of Ethics and Professionalism (#26) states that physicians have an ethical and professional responsibility to “Discuss professional fees for non-insured services with the patient and consider their ability to pay in determining fees.”

^25. For more information on how to determine a patient’s ability to pay, please refer to the Advice to the Profession: Medical Records Management document.

^26. For additional guidance on fees please refer to the College’s Uninsured Services: Billing and Block Fees policy.

^27. There are separate provisions for the retention of certain records, including the following:

• Physicians who cease to practise family medicine or primary care have specific retention requirements under s. 19(1)(2) of the Medicine Act, General Regulation; see the College’s Closing a Medical Practice policy for more information.
• Hospitals have separate retention schedules for diagnostic imaging records; see s. 20(4) of the Public Hospitals Act, Hospital Management Regulation for more information.
• Independent health facilities have separate retention schedules for patient health records; see s. 11(1) of the IHFA, General Regulation for more information.

^28. Retention requirements apply equally to the medical records of patients who are living and deceased.

^29. Medicine Act, General Regulation, s. 19(1).

^30. When a request for access to personal health information is made before the retention period ends, physicians are obligated under section 13(2) of PHIPA to retain the personal health information for as long as necessary to allow for an individual to take any recourse that is available to them under PHIPA. This may require physicians to retain records longer than the above time periods, in some instances. Furthermore, s. 15(2) of the Limitations Act, 2002, S.O. 2002, c. 24, Sched. B allows for some legal proceedings to be brought forward 15 years after the act or omission on which the claim is based took place and thus physicians may wish to retain records for longer than the 10 year requirement.

^31. PHIPA, s. 13(1).

^32. For further information, see s. 13(1) of PHIPA and the IPC’s Fact Sheets on Secure Destruction of Personal Information and Disposing of Your Electronic Media.

^33. PHIPA, s. 13(1).

^34. PHIPA, s. 12(1). What is reasonable in terms of records management protocols will depend on the threats and risks to which the information is exposed, the sensitivity of the information, and the extent to which it can be linked to an identifiable individual.

^35. The CMPA suggests daily or weekly back-ups be considered. The CMPA provides risk management advice regarding back-up and recovery practices for EMR systems in its Electronic Records Handbook.

^36. This includes where physicians rely on an external facility or organization, such as a commercial storage provider, diagnostic facility, or clinic to retain records.

^37. For expectations related to privacy breaches please refer to the College’s Mandatory and Permissive Reporting policy.

^38. The CMPA’s Electronic Records Handbook contains advice for creating data sharing agreements.

^39. Records management protocols include both physical and logical access controls. Physical access controls are physical safeguards intended to limit persons from entering or observing areas of the physician’s office that contain confidential health information or elements of an EMR system. Logical access controls are system features that limit the information users can access, modifications they can make, and applications they can run. Examples of the latter include the use of “lockboxes” and “masking” options to restrict access to personal health information at a patient’s request.

^40. Medicine Act, General Regulation, s. 20.

^41. Use of EMRs that are certified by OntarioMD can help ensure compliance with this expectation. Please see the Advice to the Profession: Medical Records Management document for more information on the benefits of using EMRs that are certified by OntarioMD.

^42. Medicine Act, General Regulation, s. 20.

^43. Medicine Act, General Regulation, s. 20.

^44. For additional guidance related to transitioning record-keeping systems please refer to the companion Advice to the Profession: Medical Records Management document.