Electronic Health Records: Legal Questions

Electronic Health Records

The development of Electronic Health Records (EHR) systems raises new questions with regard to privacy and creates a need for new approaches to the management of processes related to consent, access controls, and system operations. Ki Consulting provides expertise on legal questions related to EHR, defines major concepts for clients, and offers in-depth knowledge of relevant initiatives across Canada. Based on our research and experience, we provide answers to questions such as these:

Circle of Care Information Management

Who should have access to records?

How do different provinces manage disclosure of personal health information within a circle of care?

Audit Logging

Across Canada, do EHR participants delegate their logging responsibilities to the EHR provider?

Can participating health information custodians rely on the EHR system to satisfy record keeping duties?

What constitutes the source of truth for clinical data – the source systems or the EHR?

Audit Log Monitoring

What are the audit log monitoring responsibilities for shared records in Canada?

What is the retention period for audit logs?


How is accountability of EHR contributors and viewers managed across Canada?

What legal accountability is associated with clinicians viewing and contributing to records?

Risk Management

How is the increased risk of a privacy breach with EHR (due to the large size of the data) managed across Canada?

What are the legal and other repercussions of privacy breaches?

Liability and Roles

How do system features (e.g., alerting, notifications, security) affect clinical liability and roles?

What are the accountabilities of MDs with respect to response time – that is, taking action on newly available data?

What is the accountability for system/data availability?

What is the user liability for corrections made to existing records?

What are the legal implications if data is not retained? For example, are there any legal ramifications if a user is unable to query all information sources?


How should permission settings be designed based on users’ different roles and responsibilities?

What user types are required?

Do EHR implementations typically require eSignature for clinicians to access and enter information?

How do other provinces maintain traceability of a shared record with multiple editors?

Will EHR access be revoked in response to regulatory college or law enforcement suits against clinicians?

Data Retention

What are the data retention requirements in different provinces?

How do different provinces define the start of the data retention period?