In the course of advising regional organizations on the adoption of Electronic Health Records (EHR), we have gained expertise in privacy laws across Canada and their application in an EHR context. Based on our study of policy and practices across the provinces, we have developed a seven-step process for the development of EHR privacy policy. In each step, we help our clients to translate jurisdictional privacy laws, regulations, and guidelines into policy requirements directly applicable to their organizations.


We begin by defining the clinical and non-clinical reasons for which health information custodians collect, use, retain and disclose personal health information.


A key next step toward privacy-protective information sharing is the definition of a custodianship model; as defined in Ontario’s PHIPA, custodians are healthcare providers responsible for the management of personal health information. These include: individual healthcare practitioners and group practices; community service providers under the Long-Term Care Act, 1994; community care access centres; public or private hospitals; psychiatric facilities under the Mental Health Act; institutions under the Mental Hospitals Act; and independent health facilities under the Independent Health Facilities Act.


In the context of an EHR initiative, a steward will be designated to review and revise policies, processes, and procedures and to ensure the proper operation of shared records.


Liability is defined as a legal obligation, due at present or at some time in the future. By establishing liability, we help to define the roles, responsibilities, and accountabilities of EHR participants.

Power and Authority

In conjunction with liability, we define different EHR participants’ right and ability to manage (collect, retain, disclose, and correct) personal health information.

Data Management

We help our clients to develop policies for management of data quality, records management, assurance of accuracy, retention and archiving, and secondary use of data.


We work with our clients to define policies for the application of legislative requirements, including management of information safeguards, compliance auditing, identity validation and management, implementation of consent rules, breach management, and proactive and reactive monitoring of technology assets.

Templates for Participant Roles

Controls include frameworks such as provider agreements, patient disclaimers, and mandatory and discretionary requirements that define the roles of EHR participants.


Here we apply privacy policy to workflows and interactions throughout care delivery processes, including service model, delivery model, management of consent, reporting procedures, circle of care management, and incident management.


In this final step we begin high-level planning for the implementation of privacy policy during the adoption and ongoing development of EHR, through instruments such as provider agreements, patient disclaimers, mandatory and discretionary requirements, and system feedback.
