The healthcare system is transforming as a result of the development and adoption of new digital health tools. With respect to medical record-keeping, the widespread adoption of electronic medical records (EMRs) has particularly changed the way that medical records are used and managed. Navigating the responsibilities regarding medical records can be a complex and daunting task for physicians, particularly in this era of digital health where there may be questions about ownership and accountabilities. This companion Advice document is intended to help physicians interpret their obligations as set out in the Medical Records Management policy and provide guidance around how these expectations may be effectively discharged. This Advice is also intended to help physicians navigate their roles and responsibilities and provide links to resources on best practices.

Roles and Obligations Regarding Medical Records

The Medical Records Management policy sets out expectations for physicians with custody or control of their records (i.e., the custodian of the records) and expectations for physicians more broadly (all physicians). Aren’t physicians always the custodians of their patient medical records? How do I determine what my role and responsibilities are regarding medical records?

Physicians are not always the custodians of their patient medical records. Physicians will either be the “custodian” of their medical records or an “agent” of the custodian. These roles and their corresponding obligations are set out in the Personal Health Information Protection Act, 2004 (PHIPA).

A “health information custodian” (“custodian”) is a person or organization who, as a result of their power, duties, or work, has custody or control of personal health information (PHI).¹ This includes health care organizations such as hospitals, pharmacies, and laboratories, as well as some individual physicians (such as owners of a clinic or physicians working as a sole practitioner in their own practice).²

An “agent” refers to individuals granted permission by a custodian to act on their behalf and handle personal health information, as required by their duties.³ Physicians working as employees in clinics or practising in hospitals are examples of physicians who may be acting as agents. In these scenarios the custodian might be the hospital, clinic, or owner of a clinic, including someone who is not a health care professional. 

Roles, responsibilities and rights of access to medical records are generally determined by PHIPA, a physician’s status as custodian or agent, and the agreements physicians enter into upon employment or establishment of a practice or practice arrangement.

Under PHIPA, those who have custody or control of medical records have ultimate responsibility for ensuring records are maintained in accordance with legal requirements. However, physicians who do not have custody or control of their patient medical records also have legal, ethical and professional obligations regarding records.

Physicians who practise in settings where there are multiple contributors to a record-keeping system or who are not the owner of the practice and/or of the EMR licence are required to have written agreements that address custodianship. Why is this necessary?

The move away from a sole practitioner model of care and increased use of electronic records has led to ambiguity about physicians’ roles and responsibilities regarding medical records, particularly where there is a shared EMR system or where the physician is not the owner of the clinic and/or the EMR licence. Questions or conflicts related to ownership and rights of access often arise when a physician leaves a practice and there is no written agreement about records. Written agreements help to minimize conflicts, clarify rights and responsibilities, and to ensure compliance with medical records obligations. This in turn promotes quality care.⁴

With this in mind, the policy requires physicians to have agreements in place prior to the establishment of a group practice, business arrangement, or employment, or as soon as possible afterward. Physicians who do not currently have written agreements that explicitly addresses custodianship must establish them as soon as possible. Reviewing existing agreements is also worthwhile and can help ensure compliance with the policy and applicable legislation.

Patient medical records compiled in a hospital are the property of the hospital.⁵ For the purposes of this policy, the provisions set out in the Public Hospitals Act, along with the terms of a physician’s hospital privileges can serve as the official agreement for physicians who work in hospitals.  

How do I determine who the custodian of my records is if I do not currently have a written agreement?

Determining custodianship in the absence of a written agreement can be difficult as it can depend on a number of factors and is ultimately case-specific. Where there are disputes about custodianship physicians can consult the CMPA or obtain independent legal counsel.

What if I am concerned that the custodian of my patient medical records is not acting in accordance with applicable legislation and the expectations of the Medical Records Management policy?

Physicians who are not the custodians of their patient medical records may feel they have limited control over the record-keeping system or procedures where they practise. Where physicians are concerned that the facility’s record-keeping practices do not meet the requirements of the Medical Records Management policy, or there are disputes about records, the Canadian Medical Protective Association (CMPA) can provide legal advice.  As required by the Medical Records Management policy, physicians must do everything reasonably within their control to prevent disputes about records from impacting patient care. Written agreements regarding medical records can provide assurance that the expectations of the policy are being met.

Transitioning to an (other) electronic record-keeping system

What are some considerations when deciding which EMR vendor to choose?

Choosing an EMR vendor is a crucial step in the process of transitioning to electronic records and warrants careful attention and due diligence. Physicians are not necessarily experts in technology and may need assistance in evaluating and choosing the appropriate vendor. OntarioMD can help physicians determine the appropriate system for their practice needs.

EMR systems vary in terms of capabilities, space requirements to accommodate hardware, data storage capacity, and degree of control over the data within the EMR and the functions it can perform. When making a choice about an EMR, it is important to consider the type of system that best meets a physician’s unique practice needs, including the following:

• requirements set out in policy and legislation (whether vendor policies are compliant with regulations under the Medicine Act, 1991⁶ and PHIPA, and will enable the College access to medical records, when required),
• privacy and security functions of the software,
• objectives they hope to achieve with an EMR,
• the functions they require within their EMR,
• advice from colleagues or experienced EMR users about the advantages and disadvantages of particular systems,
• the support and training offered by the EMR vendor,
• the stability of the company to provide continued support for the foreseeable future, and
• vendor policies about software upgrades and data access provisions in case of a departure from a physician group.

It is important for physicians to seek legal review of contracts with EMR vendors prior to entering into any agreements.

What are some resources to help me transition to an (other) EMR system?

Transitioning to an EMR, or to a new EMR, can be a daunting, time consuming, and expensive process for physicians but is ultimately intended to enhance the physician’s practice. Physicians seeking additional guidance related to transitioning systems can refer to the following resources for assistance:

• Information and Privacy Commissione’s (IPC’s) A Practical Tool for Physicians Transitioning from Paper-Based Records to Electronic Health Records
• CMPA’s Electronic Records Handbook
• OntarioMD’s EMR Data Migration Guide for Community Care Practices
• OntarioMD’s Transition Support Guide

Using Certified EMRs

How can I determine which EMRs are compliant with privacy legislation and the standards set out in the Regulation?

Independently verifying that an unaccredited system meets privacy and security standards is difficult. Physicians may not be experts in information technology or security and thus they may rely on service providers to ensure their EMRs are secure. Organizations like OntarioMD can help physicians navigate their choices and support compliance with the policy. Use of EMRs that are certified by OntarioMD can help physicians ensure their systems meet privacy and security standards that they would otherwise have to verify independently. Systems that are certified by OntarioMD also provide access to provincial digital tools such as Ontario Laboratories Information System (OLIS), Health Report Manager (HRM), and eConsult.

Maintaining Privacy and Security Standards

I am required to maintain privacy and security standards. Are there resources to help me navigate my obligations? What are some best practices when it comes to ensuring security of medical records?

Guidance released by the IPC, and orders of the IPC can help physicians remain up to date about evolving industry standards.⁷

Additionally, conducting routine privacy assessments, or audits of all processes related to their medical record-keeping practices can help physicians maintain an understanding of the privacy risks of their practice. The CMPA suggests that completing this process is especially prudent when transitioning medical record-keeping systems as it can help physicians identify and minimize the risks associated with the implementation, or change, of an EMR system. For guidance on how to conduct a privacy assessment, physicians can consult the IPC’s Planning for Success: Privacy Impact Assessment Guide.

Lastly, when using an EMR, the IPC recommends reviewing the audit trail on a regular basis to detect and deter unauthorized access. For more information, please refer to the IPC's guidance document Detecting and Deterring Unauthorized Access to Personal Health Information.

Is it appropriate to stay logged into an EMR?

No. Physicians are required by the Medical Records Management policy to ensure their electronic record-keeping systems are equipped with user identification and passwords for logging on and are prohibited from sharing their credentials or passwords. Physicians are also required by the Medical Records Documentation policy to have identifiable entries. As such, physicians are reminded of the importance of logging out after they are finished documenting in an electronic medical records system.

The College requires that I be proficient with my electronic record-keeping system but I have just switched from paper records to an EMR and am still learning how to use my new system. Are there resources that can assist me in gaining proficiency?

The College recognizes that becoming skilled with a new system may depend on a number of factors and that it may take some physicians longer than others to do so. There are resources that can assist physicians in gaining proficiency with their systems. For example, OntarioMD’s Peer Leader program provides consulting services that can help physicians become more proficient with their EMR, optimize their existing EMR functions, and improve clinical decision support. More information on the Peer Leader program can be found on OntarioMD’s website.

Use of Commercial Services

Physicians are ultimately responsible for ensuring their professional and legal medical record-keeping obligations are met, including when engaging commercial services to assist with managing their records or record-keeping systems. The same obligations apply when physicians engage commercial providers for services such as information technology functions, storage, maintenance, scanning, destruction, and other medical record-keeping related tasks. To ensure that commercial service providers are aware of their obligations with respect to medical records, it is generally good practice to: 

• Make any agreements with such providers in writing; 
• Ensure agreements reflect the same legal and regulatory requirements that apply to physicians who have custody or control of records;
• Seek legal counsel or contact the CMPA for advice in these circumstances.

Service providers acting on behalf of physicians are bound by the same rules governing medical records as physicians (e.g., obligations related to privacy, security, and access) and physicians must only engage with service providers who are willing and able to comply with their medical record-keeping obligations, including making records accessible to the College, where required (e.g., College investigations and assessments).⁸ Clarifying these obligations when contracting with service providers is important to ensure that physicians are able to fulfill their legal and professional obligations. Reviewing existing agreements is also worthwhile and can help ensure compliance with the policy and applicable legislation.

Fees and Transferring Medical Records

Am I allowed to charge patients or third parties requesting copies of records for a review of records prior to transfer?

Orders of the IPC set out that a reasonable fee for copying and transferring medical records includes fifteen minutes of review prior to transfer.⁹  Some situations may require more than fifteen minutes of review (e.g., if the nature of the request requires careful consideration of sensitive information), however, where the expectations of the Medical Records Documentation policy are met, an extensive review (e.g., beyond 15 minutes) would rarely be necessary. It would be inappropriate for physicians to charge for a review of records to ensure their records are complete, up to date, and accurate, as this is already a requirement.

In keeping with the requirements in the Medical Records Management policy, if charging for a review of records prior to transfer, fees must be reasonable and reflect the nature and reason for the review.

How can physicians assess a patient’s ability to pay? How do I know if my patient cannot afford to pay for a copy of their records?

In keeping with the expectations in the College’s Uninsured Services: Billing and Block Fees policy and the Canadian Medical Association’s Code of Ethics and Professionalism¹⁰, physicians are required by the Medical Records Management policy to consider the patient’s ability to pay when setting out reasonable fees for a copy of the patient’s medical record. This does not mean that physicians are required to provide this (uninsured) service for free. Rather, the policy requires physicians to give consideration as to whether it would be appropriate to reduce, waive, or allow for flexibility based on compassionate grounds. Whether it is appropriate to adjust fees on compassionate grounds will depend on a variety of factors, including the specific financial circumstances of the patient.

In some practice settings, physicians may naturally become aware of information relevant to a patient’s ability to pay during the course of the physician-patient relationship (e.g., health status, challenges faced, etc.). The social determinants of health can be indicators of a patient’s ability to pay and help physicians in determining whether it is appropriate to reduce, waive, or allow for flexibility based on compassionate grounds. Patients might also self-identify as being in financial need by expressing concern about their ability to pay the fee for a copy of their medical record. The policy recognizes that physicians are entitled to charge for copying and transferring medical records but aims to strike a balance between this entitlement and the reality that some patients will have real difficulty paying for copies of their records.

A patient of mine is transferring their care to another physician and that physician has requested a copy of my records. Am I permitted to charge for this service?

Yes. Charging for records in this scenario is permitted because the physician is requesting a copy of the records on behalf of the patient. This is distinct from information sharing that occurs between health care providers within the circle of care. Physicians are not permitted to charge for records transfer that is part of the ongoing provision of care, such as information sharing for the purposes of a consultation.

What are some considerations when determining whether the fees I’m charging are reasonable?

The policy requires physicians who are charging for copying and transferring records to only charge fees that are reasonable, and to not exceed reasonable cost recovery. It requires ensuring fees are commensurate with professional costs of preparing the materials and sending the materials.  A number of factors can contribute to decisions about reasonableness, including the size of the file or extent of information being requested, the mode of transfer, whether the records are in digital form or are paper-based. This could all have an impact on the time required to prepare the material and the cost of sending the material. In some cases, the cost of preparing the materials might be quite low and in these cases fees must reflect that.

What is the best way to send patient medical records to requesting patients or authorized third parties? How can I ensure the secure transfer of records?

Physicians are required by the Medical Records Management policy and by PHIPA to transfer copies of records in a secure manner. The College is aware of instances where records have been lost during transfer. In such circumstances, physicians have reporting obligations under PHIPA.¹¹ Sending records in a method that allows them to be tracked or traced can help to avoid such scenarios.

Medical Records Retention

What are some additional considerations for determining how long to maintain my patient medical records?  

A provision in the Limitations Act, 2002 allows for some legal proceedings against physicians to be brought forward 15 years after the act or omission on which the claim is based took place.¹² As a result, notwithstanding the 10 year retention requirement set out in regulation¹³ physicians may wish to maintain medical records for a minimum of 15 years from the date of the last entry in the record. This would enable physicians to provide evidence should it be required in any future legal proceedings brought against them.

The CMPA provides assistance to physicians who are considering whether to destroy medical records.

Medical Records and Closing a Practice

What are my obligations for medical records when closing my practice?

The College’s Closing a Medical Practice policy sets outs expectations for physicians who cease to practice due to retirement, resignation, revocation, suspension, illness or death or who relocate to another practice. It includes specific expectations for medical records in these circumstances and can be consulted for further information.

Recordings

What should I do if my patient requests to record their appointment? Do I have obligations related to medical record-keeping if a recording is made?

It is becoming increasingly common for patients to want to record their medical appointments via audio, video, or photography. In many cases, these recordings can benefit patients by helping them understand and remember the information they are being provided. However, recordings also have the potential to raise broader issues, including implications for medical records.

The CMPA sets out guidance for responding to patient requests regarding audio and video recordings and advises that where recordings are made, the fact of the recording should be documented in the patient’s medical record.  For further information, see the CMPA’s document Smartphone recordings by patients: Be prepared, it’s happening.

Endnotes

^1. “Health information custodian” is defined at s. 3(1) of the Personal Health Information Protection Act, 2004, S.O. 2004, c.3, Sched. A (hereinafter PHIPA).

^2. This list is non-exhaustive; a full legislative definition, along with certain exceptions, is found s. 3 of PHIPA.

^3. “Agent” is defined at s. 2 of PHIPA.

^4. The Canadian Medical Protective Association’s (CMPA) Electronic Records Handbook has advice for establishing such agreements. In particular, the CMPA’s Data Sharing Principles and the template titled Contractual Provisions for Data Sharing contained within can be reviewed and serve as a model. The OMA can also provide assistance establishing agreements.

^5. Section 14(1) of the Public Hospitals Act, R.S.O. 1990, c.P.40.

^6. Ontario Regulation 114/94, General, Section 20, made under the Medicine Act, 1991, S.O. 1991, c.30 (hereinafter Medicine Act, General Regulation).

^7. Guidance documents and orders of the IPC can be found on the Commission’s website.

^8. There may also be other entities that are authorized by statute or regulation to access patient medical records.

^9. See IPC Orders HO-009 and HO-14.

^10. The Canadian Medical Association’s Code of Ethics and Professionalism (#26) states that physicians have an ethical and professional responsibility to “Discuss professional fees for non-insured services with the patient and consider their ability to pay in determining fees.”

^11. Please see the College’s Mandatory and Permissive Reporting and Protecting Personal Health Information policies for more information.

^12. Section 15(2) of the Limitations Act, 2002, S.O. 2002, c. 24, Sched. B. 

^13. Section 19(1) of the Medicine Act, General Regulation requires medical records to be retained for a minimum of 10 years from the date of the last entry in the record for adult patients and 10 years after the day on which the patient reached or would have reached 18 years of age, for patients who are children.