Language selection


Electronic Health Records and the Personal Information Protection and Electronic Documents Act

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.


University of Alberta and Victoria




This report examines the issues of privacy, confidentiality and security in the context of personal health information and electronic health records (EHRs). It notes that “the call for speedy progress [in EHR systems] may be somewhat premature until adequate discussion has occurred in regard to privacy, confidentiality and security issues”.

Part 1 surveys some of the issues surrounding EHR systems, including the challenges of establishing such systems, the concepts of privacy, confidentiality and security within the health care framework, the status of EHR systems in Canada and the complexity of the Canadian privacy landscape. This part ends with a comment by Professor Elaine Gibson that protecting personal information should not be viewed as a barrier to the deployment of a pan-Canadian Health Infostructure, but that “strict privacy and security regimes must be understood as essential to maintaining the trust of members of Canadian society that our personal health information is receiving the highest of protection”.

Part 2 is a detailed review of PIPEDA’s rules in the EHR context, as well as rules regarding EHRs in health information-specific laws in Manitoba, Saskatchewan, Alberta and Ontario.

Particular attention is paid to the issue of consent in PIPEDA in the EHR environment. The authors explore the challenges of obtaining informed consent from patients for future use or disclosure of information on an EHR, noting the problem that future information uses cannot be foreseen when the individual’s personal information is first put into the system. The concept of the “circle of care” and the ability to rely on implied consent for treatment-related uses or disclosures of personal information is also discussed, as is the notion of what, in fact, constitutes “informed consent”. There is also some discussion of secondary research uses, including reference to studies on patients’ acceptance of secondary use of EHRs for research.

The review of provincial health privacy laws contains detailed analyses of EHR provisions, including how some of these provisions have changed over time. This section concludes with the observation that health sector entities that are subject to provincial health information statutes may also have to comply with PIPEDA if they engage in commercial activities, but there are few situations in which an organization will find it impossible to comply with requirements of both. The authors add that, if such situations arise, the organization should seek further guidance from provincial commissioners or the federal commissioner and, if legislative rules impede delivery of health care to patients, those experiences ought also to be reported to privacy commissioners as well as relevant government departments overseeing the legislation.

Part three is a detailed examination of EHR initiatives in Australia, the United Kingdom and the United States, the legislative environments and the issues to be resolved, including such issues as data linkage and function creep and declining physician support (in the U.K.) for electronic records systems.

There are three appendices:

  1. a legislative table of current public sector, private sector and health sector laws and where they apply;
  2. case summaries of EHR use by four agencies – BC Cancer Agency, the Alberta Capital Health Region, the Saskatchewan Pharmacy Information Project, and the Nova Scotia Hospital Information System; and
  3. a list of best practices in developing an EHR system, based on CSA privacy principles. For health information policymakers, this appendix may be one of the most important components of the report.

This document is available in the following language(s):

English only

  • This project is not available online. Please contact the funded research organization for more information.

OPC Funded Project

This project received funding support through the Office of the Privacy Commissioner of Canada’s Contributions Program. The opinions expressed in the summary and report(s) are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada. Summaries have been provided by the project authors. Please note that the projects appear in their language of origin.

Contact Information

University of Alberta
Department Name
Building Room and Number
Attention: Contact Person
116 St. and 85 Ave.
Edmonton, Alberta T6G 2R3

Tel: (780) 492-3111


University of Victoria
PO Box 1700 STN CSC
Victoria BC V8W 2Y2

Tel: (250) 721-7211
Fax: (250) 721-7212

Report a problem or mistake on this page
Error 1: No selection was made. You must choose at least 1 answer.
Please select all that apply (required):


Date modified: