Investigator Determined Physicians Disclosed Health Information Without Appropriate Agreements in Place

July 31, 2013

An investigator with the Office of the Information and Privacy Commissioner has found that the physicians working at the Didsbury Medical Clinic contravened the Health Information Act (HIA) when they disclosed health information to an electronic medical record (EMR) vendor without a proper agreement in place.

One of the two physicians working at the Clinic decided to move her practice from the Didsbury Medical Clinic to a new clinic in Didsbury. When she asked the EMR vendor to transfer records she had created while practicing at the Didsbury Medical Clinic to her new clinic, the vendor refused, stating that it had no contractual relationship with her. The physician then notified the Office of the Information and Privacy Commissioner that she believed she had lost custody and control of her records and therefore she had suffered a possible privacy breach under the HIA.

The HIA requires that physicians, as “custodians” of health information, enter directly into agreements with information technology service providers, such as EMR vendors. These agreements are known as “information manager agreements.”

The investigation revealed that the non-physician owner of the clinic had signed the agreement with the vendor, rather than the physicians. Neither physician working at the clinic had signed an agreement directly with the EMR vendor, contravening the HIA.

Information and Privacy Commissioner Jill Clayton commented, “The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate information manager agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”