In April 2013 the Ontario Government tabled Bill 78, the Electronic Personal Health Information Protection Act, 2014 (“EPHIPA”) adding a new Part v.1, “Electronic Health Records”, to the Personal Health Information Protection Act, 2004 (“PHIPA”). The government’s stated goal for EPHIPA is to support better information sharing and coordination among the variety of complex health systems within Ontario. In the government’s words, EPHIPA will establish enhanced privacy and security requirements for EHRs and will clarify the rules under which healthcare providers collect, use and disclose personal health information within shared EHRs. Recently, the Minister of Health and Long-Term Care has stated that the Bill, which failed to pass prior to the last election, would be reintroduced in the Legislature.
As originally introduced, EPHIPA is intended to encourage the adoption of EHR systems within the province. It will be recalled that the establishment of a “single” province-wide EHR for all Ontario residents was the announced goal when the government created the Smart Systems for Health Agency, later to become eHealth Ontario. Many pitfalls and hurdles later, including some successes, Ontario has moved towards the adoption of a province-wide EHR system, but, as currently articulated, not one that will involve a single EHR. Instead, we have progressed to what can be characterized as a network of “distributed” systems, including both category-specific (such as the Diagnostic Imaging Program) and regional (networks or “integration hubs” – the main ones being Connecting GTA, Connecting Southwest Ontario, Connecting Northern and Eastern Ontario). In addition, we have a diversity of specific care-focussed networks ranging from a small number of participants within local catchment areas to diverse participants across the province.
Notwithstanding the government’s characterization of the legislation as providing for a “safe and secure EHR” (suggesting a single record), the distinguishing characteristic of the EPHIPA model is that it contemplates continuance of the distributed EHR framework as we know it and, at least in the foreseeable future, is not intended to serve as the underpinning of a single province-wide EHR.
Understanding how EPHIPA will impact and be integrated within the current EHR systems is important for the future development of those systems.
Prescribed Organizations – Successors to HINPs
The focus of EPHIPA is on the role and obligations of “prescribed organizations” – essentially the service providers for the electronic health records database and its connecting systems. Under PHIPA, these service providers are the “health information network providers” (or “HINPs”) established under s. 6 of the PHIPA Regulations. The regulations prescribe minimum standards for HINPs (including security policies and procedures, logging of data accesses and transfers, conducting TRAs and PIAs, plain language descriptions of the services and their privacy and security protections, and obligations for notification of data breaches). As well, HINPs must have in place agreements with the custodians for which they provide services, describing those services as well as the security safeguards that they have in place; this agreement requirement is typically satisfied by a Network Services Agreement.
A review of the key compliance requirements that EPHIPA lays down for POs indicates that for the most part they are not new, but are consistent with the existing HINP requirements. The EPHIPA provisions build on these HINP requirements, creating a more detailed code, adding provisions respecting consent directives and making the PO’s full privacy and security framework subject to a tri-annual audit by the Information and Privacy Commissioner. In addition, significantly, EPHIPA contemplates the Ministry of Health and Long-Term Care stipulating minimum standards for privacy and security systems for the EHR networks – a power that is not contained within the current PHIPA. This power to stipulate minimum practices, procedures and safeguards respecting privacy and security represents EPHIPA’s most significant change to the existing law, apart from the addition of rules responding to consent directives. The continuity will be helpful in transitioning from the existing HINP regime to the PO regime, although it can be anticipated that the ministerial power to stipulate rules respecting privacy and security may lead to more stringent requirements meeting province-wide, increasingly unified standards.
Presumably, given the potential for more rigorous compliance requirements, the designation of POs will result from a negotiated process between the government and the service provider organizations that are candidates for the designation. It can be anticipated that the three key regional integration networks currently supported by eHealth Ontario (cGTA, cSWO, cNEO) will likely be among the first POs designated. What is not clear is whether the government intends to move proactively to designate other regional or category-specific EHR networks. To the extent that this is the intention, significant discussions can be contemplated addressing the timing and expectations with respect to any such transitions.
Impact of EPHIPA on Network Agreements
As noted, EPHIPA can be viewed as a transition of obligations currently met by HINPs to the more rigorous code required to be met by POs. Does this eliminate the need for a Network Services Agreement between a PO and participants in the network? As currently understood, EPHIPA does not stipulate this requirement. It may be posited that the substantive content within the current HINP requirement for agreements (s. 6, PHIPA Regulations) should reasonably be satisfied by the more explicit provisions of EPHIPA. However, one can envisage a continuing role for a Network Services Agreement under the PO framework. Firstly, on some basis, there will need to be a commitment or agreement by the PO to provide the network services. This commitment should necessarily involve a description of the services, or a reference to a roles and responsibilities document, setting out not only the obligations of the PO but also the responsibilities of the participants toward the PO. Secondly, and not unimportantly, the respective liabilities of the PO and the participants, and, as appropriate, limitations on those liabilities, should be addressed in an agreement.
Will there continue to be a role for Data Sharing Agreements within the EPHIPA regime? It should be remembered that Data Sharing Agreements are entered into among the participants of a network and typically do not include the HINP (unless it is also a participant). They address not only the basic “agreement” to share data but also the mutual obligations between participants to protect that data, as well as any liability limitations and indemnity obligations. While the enhanced obligations under EPHIPA may give network participants confidence that their data will be protected within the EHR hosted by the PO, this protection does not extend to data when shared with (i.e. as received by) another participant. Furthermore, EPHIPA contains no provisions addressing potential liability limitations or indemnity among the participants.
In sum, it can be envisaged that, at least within the environment currently sketched out by EPHIPA, the contractual framework of obligations and responsibilities as currently provided for by Network Services Agreements and Data Sharing Agreements will continue to be relevant for EHR networks governed by the PO regime.
For more information please contact:
David Young 416-968-6286 firstname.lastname@example.org
Note: The foregoing provides only an overview and does not constitute legal advice.
© David Young Law 2015