Electronic Health Networks (EHNs) facilitate the communication and exchange of personal health information (PHI) among health sector parties (primarily those designated as health information custodians, or “HICs”, including medical professionals, as well as in certain cases non-HICs). The transmission and maintenance of PHI within EHNs is governed by general rules under the personal health information laws (PHIPA), as well as in certain instances by rules specifically applicable to service provider organizations that provide the network systems, such as are found in PHIPA Regulation s.6 (health information network providers or “HINPs”). However, as yet, there exists no public or government-mandated comprehensive EHN that parties may simply log into for purposes of communicating PHI data. Consequently, sector- or function-specific networks have been established. Almost all these networks rely on a contract structure among participants and the network providers in order to function effectively, to ensure mutual compliance with statutory rules, and to set procedural requirements and standards for maintaining the integrity and security of information. Certain sector-specific, government-mandated or operated networks such as the Ontario Laboratory Information System are exceptions to this general rule.
The primary contract framework supporting these sector- and function-specific EHNs is a Data Sharing Agreement (DSA) among the EHN’s participants (HICs and in some cases non-HICs). The function of the DSA is to provide a mutually adopted framework setting out both legal responsibilities and operational procedures, focused on the PHI, and sometimes other personal information, communicated within the network and maintained within the separate systems of each participant.
A DSA must be supported by an agreement between the network system service providers (i.e. HINPs) and the participants. In Ontario this agreement is mandated by PHIPA Regulation s.6, and titled a Network Services Agreement (NSA). The NSA recognizes the service provider as an agent of the participants for PHIPA purposes and as a HINP. It provides for compliance with the requirements of the PHIPA regulation, such as the keeping of logs, performing threat risk assessments, and providing a plain-language statement of its services available to the public, and it states the provider’s obligations to maintain the security of the PHI residing on and communicated over its network.
The NSA addresses the provider’s obligations under the law and, as may be stipulated by the contract, for protecting PHI. It may serve as an umbrella framework to enable one or more EHNs established by DSAs as well as, if so determined, by separate contract, information systems service level agreements or service level objectives. Both the DSA and the NSA should be viewed as technical support documents addressing specific statutory and other legal requirements or compliance expectations. Substantive provisions reflecting the operational rationale and objectives of a particular EHN, as well as any detailed information systems service functionalities, should be addressed in one or more appropriate separate agreements among the participants or between the participants and their service providers, as appropriate.
In Ontario, PHIPA is proposed to be amended to specifically regulate EHNs – see the Electronic Personal Health Information Protection Act, 2013; Ontario Bill 78 http://www.ontla.on.ca/web/bills/bills_detail.do?locale=en&Intranet=&BillID=2801