The Promise of Personal Health Records

Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials

CONTEXT

Personal health records (PHRs) have started to attract attention in Canada with recently announced services from the public and private sectors that will offer online health records for consumers. This has major implications for the development of the pan-Canadian electronic health infostructure. In this context, a PHR is generally an online health record that is initiated and maintained by an individual patient but there are a variety of other models and terms (such as patient portal ).¹

Whether or not PHRs are developed by the private or the public sector, Canada’s Privacy Commissioners want to ensure that they encompass the highest privacy standards. Now is the time to build components of PHRs that enhance patient privacy and control.

The Commissioners recognize that PHR services will be appealing to many people who may want to store their medical records online. If a large majority (84%) of Canadians consistently respond² in favour of being able to access their own health information summary, including medical treatments they have received, they will no doubt be even more interested in the opportunities online PHRs may be able to deliver, as well as the potential for more robust control over their own personal health information.

Privacy Commissioners note that Canada Health Infoway has launched a pre-certification service for “Consumer Health Platforms,³ to define standards and architecture. Regardless of such initiatives, PHRs must conform to applicable Canadian privacy laws.

Developing privacy-enhancing PHRs should be consistent with the original vision for the electronic health infostructure. A decade ago, the landmark Final Report of the Advisory Council on Health Infostructure took a strong position in favour of patient control when it set out its strategic direction on electronic health records. Among other key recommendations, such as logging of all access to a patient’s record, the authors called on ministers of health to develop electronic health records systems that operate “on a need-to-know basis and under the control of patients.⁴

Canada’s Privacy Commissioners see the development of PHRs as an opportunity for the patient empowerment envisioned by the authors of the Final Report. If governments and industry make the right choices now, PHRs could be a key privacy-enhancing technology to improve patients’ control over their own health information. PHRs may be the method patients have been waiting for to engage with their health care providers and to be informed about their options in controlling how the health system makes use of their electronic health record (EHR).

IN THIS CONTEXT, CANADA’S PRIVACY COMMISIONERS AND PRIVACY ENFORCEMENT OFFICIALS  (COMMISSIONERS) RESOLVE AS FOLLOWS:

1. Whether PHRs are developed by the private or public sector, the Commissioners call on all developers to ensure that the applications meet the relevant laws and reflect privacy best practices.
2. The Commissioners encourage the government of Canada, and provincial and territorial governments, to accelerate the integration of PHR services that would allow patients to:
   1. access to their own health information,
   2. set rules for who should or should not be allowed to see their own personal health information,⁵
   3. express their wishes for how their health information is used by health researchers and others,⁶
   4. receive privacy and security breach notification alerts,
   5. see who has accessed their records,
   6. request that errors in their record be corrected, and
   7. gain access to resources and contacts in the health ministries and the privacy oversight offices to better address their privacy concerns.
3. The Commissioners call on Ministries of Health to keep Commissioners and the public informed of their progress toward developing and implementing PHRs.

Notes