Management of Medical Records and Systems
A: Obligations of a Service Provider or a Practice/Clinic
- The Practice will designate a Privacy Officer who is accountable for and has authority to make decisions in respect of the management of Personal Information. Such Privacy Officer will be available to respond to questions from the Physician upon request during regular business hours.
- The Practice will ensure the security of all information contained in Medical Records and shall comply with all applicable privacy laws and records management requirements of the College of Physicians and Surgeons of BC.
- The Practice will ensure the integrity and good working order of its technical infrastructure, hardware and software systems so as not to compromise the system functionality or availability for any other Party.
- The Practice will maintain appropriate physical, technical, and administrative security safeguards that are consistent with the sensitivity of the Patient Information and that are reasonably necessary to prevent unauthorized persons from accessing, collecting, using, disclosing, modifying, disposing, copying, stealing, or committing any other act that could compromise the privacy, security, availability, accessibility, integrity, structure, format, or content of, Patient Information. Such systems, protocols, and practices must meet the requirements of the College of Physicians and Surgeons of BC.
- All electronic data shall be backed up and the security of such backups shall be maintained. Such data shall be located off site at [insert location].
- The Practice will regularly assess system security and undertake any administrative, technical, or physical improvements as necessary to fulfill its obligations in this Agreement and under Applicable Laws.
- The Practice will ensure that all Medical Records are capable of being reproduced promptly, in orderly, legible, written form. The Practice will make Medical Records available to the Physician for inspection and copying upon request, with reasonable notice, during business hours.
- Where there is appropriate evidence of the consent of the Patient, the Practice will cooperate with the Responsible Physician in promptly responding to a Patient’s request:
- for access to his or her Medical Record;
- for correction or notation of his or her Medical Record;
- for provision of a copy of the Medical Record or portion thereof to any third party;
- to designate another physician within the Practice as Responsible Physician for that Patient; or
- to transfer his or her Medical Record to the Responsible Physician, or to another physician or to another clinic.
- The Practice will ensure that no employee or contractor is granted access to Patient Records unless such employee or contractor has a reasonable business need to access the Patient Information based on his or her role, has entered into a confidentiality agreement, and has completed training in accordance with the policies and protocols of the Practice.
- The Practice will ensure that it has policies and procedures in place to respond to complaints in respect of the management of Personal Information and where such complaint involves a Patient, to notify such Patient’s Responsible Physician.
- The Practice will ensure that all staff employed by or under contract to the Practice maintain the accuracy, completeness, and quality of the Patient Information collected, used, or created by them.
- The Practice will ensure that an audit log of all accesses to, and changes to, and transfers of, Medical Records is maintained, which log identifies the date and time of such access, change, or transfer, and identifies the User and any recipients, and that it can make such log available to the other Parties on request.
- Where any change is made to a Medical Record, the Practice will ensure that all employees or contractors and any organizations to whom the prior Patient Information was provided and who need to know the updated information shall be promptly notified, in accordance with Applicable Law.
- In the event of an actual or suspected Privacy Breach, the Practice agrees to ensure that the Privacy Officer promptly notifies the Parties, and implements the Privacy Breach Protocol in accordance with its terms and with Applicable Law.
- The Practice shall maintain a business continuity plan to protect Patient Records from harm due to cyber threats; or to labour action; or to power outage; or to criminal activity including but not limited to theft, vandalism, or mischief; or due to physical damage to hardware or software from fire, flood, gas, explosion, weather, or acts of God.
- The Practice shall provide a current copy of all plans, policies, and procedures related to the management of information, including but not limited to the business continuity plan, privacy policy, and access procedures, to the other Parties at least annually, but also whenever such policies are updated, and on request by a Party.
B. Obligations of Both Parties
- Each Party agrees to:
- keep Patient Information confidential and secure and in any event use no less than a reasonable standard of care;
- comply with the policies and protocols of the Practice and cooperate with the Privacy Officer;
- notify the Privacy Officer as soon as practicable if he or she becomes aware of any Privacy Breach, or potential loss or threat to the security of Patient Information and cooperate to implement the Privacy Breach Protocol in accordance with Applicable Law; and
- use best efforts to ensure the accuracy, completeness, and quality of the Patient Information collected or created by them or on their behalf in the course of and for the purposes of the provision of health care to the Patient.
- No Party will collect, use, or disclose Patient Information if they are aware that the relevant Patient has expressly withheld or withdrawn consent to such transfer.
- No Party will access, use, download, transfer, or copy Patient Information or Medical Records for a purpose other than the provision of health care to the Patient and related billing, quality assurance, regulatory, and medical-legal purposes, except with the notice and consent of the Responsible Physician and the express informed consent of the Patient [in accordance with the policies of the Practice].
- In the event that a Patient makes a formal request for access to his or her Patient Information, the Party in receipt of the request shall comply with the policies of the Practice and promptly notify and cooperate with the other Parties as appropriate in responding to the request for access.
A Party that becomes aware of an error or suspected error in the Patient Information shall comply with the policies of the Practice and promptly notify the Practice and the other Parties as appropriate, and cooperate with them to correct the error or suspected error.