Upload: nguyenque

Post on 21-Mar-2018

Medical Records - Issues and Guidelines

The guidelines in this document are intended to assist physicians in understanding issues around ownership and control of medical records, and the ways in which these issues affect the administration of medical records within their practice. Each section contains sample contractual terms that physicians may consider when entering into a data-sharing or similar agreement that addresses the issues of ownership, custody, confidentiality, and enduring access of medical records.

This document is not exhaustive—it is for general informational and reference purposes only. The guidelines included do not constitute legal or professional advice, nor are they a substitute for such advice. Each physician or medical practice will need to assess the risks and benefits of the approach they choose to apply to their particular situation.

The sample contractual terms in this document should not be considered a replacement for a legal agreement properly drafted in consultation with legal counsel.

Readers can refer to Appendix A for a list of legal definitions for capitalized terms used in these guidelines, and the Personal Information Protection Act to review the obligations physicians must meet when collecting, using, or disclosing personal information.

Table of Contents

Introduction

I. Management of Medical Records and Systems

II. The Physician’s Control of the Patient’s Medical Record

III. Medical Record Issues on Departure or Termination

IV. Other Considerations

Appendix A: Sample Contractual Terms - Definitions

Appendix B: Sample Contractual Terms - Management of Medical Records and Systems

Appendix C: Sample Policies - Sample Responsible Physician Policy

Appendix D: Sample Contractual Terms - The Physician’s Control of the Patient’s Medical Record

Appendix E: Sample Termination Policy - Medical Record Issues on Departure or Termination

Appendix F: Sample Contractual Terms - Medical Record Issues on Departure or Termination

Appendix G: Additional Sample Contractual Terms

Introduction – Duties of the Physician

Regardless of the business structure through which a physician practices (e.g. as a sole practitioner, in a shared group practice, or as an employee of a clinic), all physicians have legal, ethical, and professional duties relating to medical records. While privacy laws impose obligations with respect to information contained in a medical record, medical-legal standards are in place to ensure that physicians retain medical records for the periods that are required by law, that regulators can access the records on request, and that the medical records and the systems holding them are reliable. The College of Physicians and Surgeons of BC’s Professional Standards and Guidelines on Medical Records require physicians to ensure that “before they create a medical record, they comprehensively address the issues of ownership, custody, confidentiality, and enduring access for themselves and their patients.”

These professional, ethical, and legal duties are fundamental and can’t be overridden for any individual physician by a business arrangement. These duties can also endure long past the date upon which a business arrangement comes to an end. It is therefore important that all physicians take steps at the outset of any business relationship to address medical records issues and to mitigate risk and ensure legal compliance with respect to those issues. In its Medical Records standard, the College prescribes that:

o “[i]n all situations where a physician is creating medical records in a group or shared medical record environment, a data-sharing agreement should be in place which addresses how issues of ownership, custody, and enduring access by individual physicians and patients will be addressed, including following relocation, retirement, or death of the physicians”;

o “[i]n all situations where a physician creating a medical record is not the owner of the clinic and/or of the EMR licence issues of custody, confidentiality, and enduring access by individual physicians and patients must be documented in a formal contract with the owners and/or EMR service providers”; and

o “[f]ailure to address issues of custody, confidentiality, and enduring access of medical records may be considered professional misconduct.”

These guidelines are meant to assist with some of these issues, both during and at the termination of the business relationship. However, these guidelines are not exhaustive and do not constitute legal advice. Every physician should carefully consider his or her own particular situation and seek appropriate legal advice.

I. Management of Medical Records and Systems

Privacy laws and professional standards require physicians to protect patient personal information and to meet the standards for records and systems management prescribed by the College of Physicians and Surgeons.

Contracting with a service provider or acting as an employee doesn’t automatically relieve a physician of the duty to satisfy him or herself that the standards are met.

Guidelines

Physicians should take steps to inform themselves of the information management procedures of the organization in which they practice, and satisfy themselves that such practices meet the minimum legal and professional standards. It is good business practice to create and maintain a business continuity plan to ensure that medical records and other records containing Patient Information are protected from loss through (or corruption by) a range of possible external threats, acts of God, or error. The Practice should have policies that address confidentiality, access, privacy, security, and employee and health care provider rights and responsibilities. Use and disclosure of Patient Information for research should also be addressed in a policy document. Legal advice as to the requirement for notice to the patient should be obtained, if medical records are used in the course of research.

It is important to create a retention policy to ensure that medical records are not destroyed prematurely. Care should be taken to refer to legal limitation periods. The physician may also wish to consult their insurer. The Practice should ensure that prior to disposal of any electronic device that contains or may contain Personal Health Information, the device is securely electronically wiped (consider the Government of Canada standards for Clearing and Declassifying of Electronic Data Storage Devices) or the memory physically destroyed, in order to eliminate any risk of a Privacy Breach. Finally, it is recommended that the Practice implement security protocols to protect personal information held in an electronic system. Such protocols could include:

o The use of a unique user name and password.

o Password rules regarding minimum length and complexity.

o Ongoing authentication and monitoring of user names and password use.

o Role-based access, and access tracked by credentials.

o Firewalls, secure back-up and recovery processes, and intrusion detection tools.

o End-to-end encryption including encrypting backup data, and electronic transmissions where remote access to the system is provided.

o Maintenance of a secure processing environment including but not limited to the timely application of upgrades, patches, fixes, and updates to operating systems and applications.

o Timely audits of physical and network systems logs, including user credentials.

o Ensure that no Patient Information can be downloaded and/or stored on any mobile computing device [unless such device is enabled with software that automatically encrypts the Patient Information upon being downloaded].

o Reasonable and effective administrative and procedural security for any paper-based records throughout their life cycle, including locked cabinets, secure shredding and secure storage and archiving.

o A Privacy Breach protocol that provides for a timely response to any suspected or actual Privacy Breach, and where required by Applicable Law, for timely notification to any Patient whose personal information is involved in same.

o Appropriate training, user support, and discipline for breach of policy.

Appendix B contains sample contractual terms that are based on best practices for ensuring the privacy and security of personal information. They should be modified as necessary to describe the physician’s particular context.

II. The Physician’s Control of the Patient’s Medical Record

Traditionally, the patient medical record was owned by the physician who created the record. However, electronic medical record systems—which might be shared among many health care providers in a clinic—have made it less clear who owns and controls the medical record.

Guidelines

In a multi-physician practice setting, physicians should (and in some cases, must) document their agreement on issues of ownership, custody of, and access to medical records by way of a data sharing agreement. Failure to do so may be considered professional misconduct by the College. The College’s medical records standard stipulates that “[i]n all situations where a physician is creating medical records in a group or shared medical record environment, a data-sharing agreement should be in place which addresses how issues of ownership, custody and enduring access by individual physicians and patients will be addressed, including following relocation, retirement or death of the physicians.” In cases where a physician is not the owner of the EMR license or the clinic, the College mandates that a formal contract be entered into between the physician and the clinic/EMR vendor addressing issues of custody, confidentiality, and enduring access.

The Practice or clinic should consider implementing a “Responsible Physician Policy” to assist physicians with clarifying their rights and responsibilities, both with respect to medical records and patient care. The Walk-In, Urgent Care and Multi-Physician Clinics Standard of the College of Physicians and Surgeons of BC establishes requirements for the medical administration of a clinic. It makes every physician working in the clinic responsible for ensuring that systems are in place to provide appropriate continuity and follow-up care.

In circumstances where a patient may be cared for by more than one physician or allied health care provider, each provider is generally responsible for the care that they provide within their scope of practice. Medico-legal risk can result when the division and scope of responsibilities are not clearly established in policy. Hospitals often deal with this issue by having policies that set out the responsibilities of the “most responsible physician.” The concept of “most responsible physician” can be adapted to clinics and group practices to assist physicians in clarifying their rights and responsibilities with respect to both medical records and patient care. When a Responsible Physician Policy is adopted, the rights and obligations of the parties can also be more easily documented in the data sharing agreement referred to above.

Appendix C contains a sample Responsible Physician Policy and Appendix D contains sample contractual terms relating to the rights and responsibilities of the most responsible physician.

III. Medical Record Issues on Departure or Termination

Increasingly, physicians are working in arrangements where they share access to a medical record that is maintained by a group practice, a clinic, or an office management service provider. Sometimes the physician works under contract to the group practice or clinic. Sometimes the clinic is operated by a non-physician. What happens when the physician decides to leave the practice/clinic or if the physician’s relationship with the practice/clinic is terminated for other reasons (e.g., the clinic closes)?

Guidelines

The departure or termination of a physician from a practice can be a complicated process if all aspects of severing the professional relationship are not understood by the parties involved. Basic matters including the length of the notice period may or may not be addressed in a contracting arrangement. Failure to deal with administrative issues such as ongoing rights to payments, billings, and collections; access to emails and contact lists; and the right to staff assistance during the notice period may create real challenges to a smooth departure. Issues surrounding ownership of patient medical records may make matters even more complex—specifically, the intersection of a physician’s professional and legal obligations with the contractual rights of a non-physician owner of a clinic. A physician may require a copy of the patient’s medical records in order to provide continuity of care, but there may be technical, staffing, or timing issues for the clinic.

Physicians should be mindful of the various record-related issues that could arise upon termination of their relationship with that practice or clinic, and consider these issues at the outset of entering into a working agreement. Issues to consider include:

Can the physician, in the first place, take any patients of the clinic with him or her?

Who owns the patient record in that case, the physician or the clinic?

Can the clinic charge the physician a fee to provide the records?

Can the clinic withhold records altogether?

Is the clinic obligated to provide the records in a particular format (e.g., transfer the EMR itself if technically compatible or simply provide a PDF) and at what cost, if any?

What if the clinic closes? How can the physician ensure that he/she or the patient can get access to the records at the clinic?

Physicians who fail to document their expectations in advance may find that terminating an arrangement has unexpected costs and real potential for medico-legal risk. Clarifying expectations in a policy and documenting them in a contract can reduce risk and assist physicians in complying with professional duties (and, as stated above, failure to do so may be considered professional misconduct by the College).

Appendix E contains a sample Termination Policy and Appendix F contains sample contractual terms relating to the parties’ rights and obligations pertaining to medical records upon termination of the parties’ relationship.

IV. Other Considerations

In addition to the medical record-related issues discussed above, physicians may wish to ensure that any data-sharing or other agreement they enter into with a group practice or clinic addresses certain general legal obligations of the parties, if not already addressed in another agreement between them. Some areas that have emerged as problematic include how to deal with the ongoing requirements of the management of the organization, and how to manage the potential conflict between one party’s legal obligations and another party’s legal or ethical obligations. Physicians may wish to consider drafting clauses that address the extent of their duty to cooperate with each other and to refrain from interfering. If the agreement (or any of its obligations) was assigned or subcontracted, or if a lien or security interest was placed on the clinic’s assets, these factors may also have an impact on the physician’s duties.

Additionally, physicians may wish to consider the following:

Details of the services provided by the Clinic:

o Hours, office/administrative support, staffing levels.

o Data location.

o Documentation provided.

Details of the services to be provided by the physician.

Roles and responsibilities of the parties to the agreement, including oversight and structure of the Practice (i.e., name/title of executives who are accountable for legal compliance).

Financial terms.

Vendor ownership.

Performance expectations of the service providers.

Service levels (uptime/downtime; attendance etc.), to provide a minimum uptime of 95% or better, to provide support services during business hours/24 hours.

Consequences of failure to meet service levels.

Systems security and support and maintenance obligations.

Reporting requirements, frequency, type of reports.

Data back-up frequency, type, and location.

Details of contingency plan/disaster recovery plan.

Hardware requirements.

Software requirements.

Providing secure computer hardware and software facilities to receive, store, and transmit Patient Information.

Providing a virtual private network to enable secure remote access to such medical records and secure communication between the physicians and staff within the group/division.

Using reasonable efforts to schedule any planned outages or system downtime to minimize or eliminate interference with patient care and to provide at least four business days’ notice of such outages or downtime.

Ensuring sufficient insurance coverage.

Appendix G contains sample contractual terms addressing some of these general legal obligations as well as additional issues to consider when entering into an agreement with a practice or a clinic.

Appendix A: Sample Contractual Terms - Definitions

These definitions define the capitalized terms used in these guidelines, and are included for clarity and as guidance only. These definitions may not be appropriate in all circumstances. Legal counsel should be consulted to advise as to whether these definitions are appropriate in each clinic’s particular circumstances.

“Applicable Laws” includes federal, provincial, or municipal laws, and any bylaws, regulations, professional standards, guidelines, or regulatory codes applicable to the Parties or any of them and for greater clarity includes any standard, guideline, or professional obligation required by the College of Physicians and Surgeons of British Columbia.

“Patient” means an individual who receives health care from the Practice or one or more of the Parties and, where appropriate, includes the Patient’s legally authorized substitute decision maker under Applicable Law.

“Patient Information” means information in any form that can identify a Patient and includes the Patient’s Personal Health Information.

“Personal Health Information” means personal information in any form about a Patient that relates to the physical or mental health and health history of the Patient or to the provision of health care to the Patient including without limitation (i) information relating to the Patient’s eligibility for health care or health care coverage or payments, or (ii) samples from the patient’s body or bodily substances; (iii) information, reports, results, or data derived from such samples or from the testing of same, or (iv) information about the Patient’s family, or (v) any professional opinions, consultation reports, and any other information about the Patient that may be contained in the Patient’s Medical Record.

“Practice” means the shared health care practice or clinic through which the Parties provide health care to Patients.

“Responsible Physician” means the physician who is designated as the Patient’s most responsible physician [see the associated policy: the Responsible Physician Policy of the Practice].

“Privacy Breach” means the loss or theft of Patient Information and the unauthorized access, use, disclosure, modification, or destruction of such information.

“Privacy Officer” means an individual who is designated by the Practice to be accountable for protecting the privacy and security of Patient Information in the custody of the Practice.

“Medical Record” means the record created and maintained by the Practice that contains the comprehensive documentation of clinical care provided to the Patient.

Appendix B: Sample Contractual Terms

Management of Medical Records and Systems

A: Obligations of a Service Provider or a Practice/Clinic

1. The Practice will designate a Privacy Officer who is accountable for and has authority to make decisions in respect of the management of Personal Information. Such Privacy Officer will be available to respond to questions from the Physician upon request during regular business hours.

2. The Practice will ensure the security of all information contained in Medical Records and shall comply with all applicable privacy laws and records management requirements of the College of Physicians and Surgeons of BC.

3. The Practice will ensure the integrity and good working order of its technical infrastructure, hardware and software systems so as not to compromise the system functionality or availability for any other Party.

4. The Practice will maintain appropriate physical, technical, and administrative security safeguards that are consistent with the sensitivity of the Patient Information and that are reasonably necessary to prevent unauthorized persons from accessing, collecting, using, disclosing, modifying, disposing, copying, stealing, or committing any other act that could compromise the privacy, security, availability, accessibility, integrity, structure, format, or content of, Patient Information. Such systems, protocols, and practices must meet the requirements of the College of Physicians and Surgeons of BC.

5. All electronic data shall be backed up and the security of such backups shall be maintained. Such data shall be located off site at [insert location].

6. The Practice will regularly assess system security and undertake any administrative, technical, or physical improvements as necessary to fulfill its obligations in this Agreement and under Applicable Laws.

7. The Practice will ensure that all Medical Records are capable of being reproduced promptly, in orderly, legible, written form. The Practice will make Medical Records available to the Physician for inspection and copying upon request, with reasonable notice, during business hours.

8. Where there is appropriate evidence of the consent of the Patient, the Practice will cooperate with the Responsible Physician in promptly responding to a Patient’s request:

a. for access to his or her Medical Record;

b. for correction or notation of his or her Medical Record;

c. for provision of a copy of the Medical Record or portion thereof to any third party;

d. to designate another physician within the Practice as Responsible Physician for that Patient; or

e. to transfer his or her Medical Record to the Responsible Physician, or to another physician or to another clinic.

9. The Practice will ensure that no employee or contractor is granted access to Patient Records unless such employee or contractor has a reasonable business need to access the Patient Information based on his or her role, has entered into a confidentiality agreement, and has completed training in accordance with the policies and protocols of the Practice.

10. The Practice will ensure that it has policies and procedures in place to respond to complaints in respect of the management of Personal Information and where such complaint involves a Patient, to notify such Patient’s Responsible Physician.

11. The Practice will ensure that all staff employed by or under contract to the Practice maintain the accuracy, completeness, and quality of the Patient Information collected, used, or created by them.

12. The Practice will ensure that an audit log of all accesses to, and changes to, and transfers of, Medical Records is maintained, which log identifies the date and time of such access, change, or transfer, and identifies the User and any recipients, and that it can make such log available to the other Parties on request.

13. Where any change is made to a Medical Record, the Practice will ensure that all employees or contractors and any organizations to whom the prior Patient Information was provided and who need to know the updated information shall be promptly notified, in accordance with Applicable Law.

14. In the event of an actual or suspected Privacy Breach, the Practice agrees to ensure that the Privacy Officer promptly notifies the Parties, and implements the Privacy Breach Protocol in accordance with its terms and with Applicable Law.

15. The Practice shall maintain a business continuity plan to protect Patient Records from harm due to cyber threats; or to labour action; or to power outage; or to criminal activity including but not limited to theft, vandalism, or mischief; or due to physical damage to hardware or software from fire, flood, gas, explosion, weather, or acts of God.

16. The Practice shall provide a current copy of all plans, policies, and procedures related to the management of information, including but not limited to the business continuity plan, privacy policy, and access procedures, to the other Parties at least annually, but also whenever such policies are updated, and on request by a Party.

B. Obligations of Both Parties

1. Each Party agrees to:

a. keep Patient Information confidential and secure and in any event use no less than a reasonable standard of care;

b. comply with the policies and protocols of the Practice and cooperate with the Privacy Officer;

c. notify the Privacy Officer as soon as practicable if he or she becomes aware of any Privacy Breach, or potential loss or threat to the security of Patient Information and cooperate to implement the Privacy Breach Protocol in accordance with Applicable Law; and

d. use best efforts to ensure the accuracy, completeness, and quality of the Patient Information collected or created by them or on their behalf in the course of and for the purposes of the provision of health care to the Patient.

2. No Party will collect, use, or disclose Patient Information if they are aware that the relevant Patient has expressly withheld or withdrawn consent to such transfer.

3. No Party will access, use, download, transfer, or copy Patient Information or Medical Records for a purpose other than the provision of health care to the Patient and related billing, quality assurance, regulatory, and medical-legal purposes, except with the notice and consent of the Responsible Physician and the express informed consent of the Patient [in accordance with the policies of the Practice].

4. In the event that a Patient makes a formal request for access to his or her Patient Information, the Party in receipt of the request shall comply with the policies of the Practice and promptly notify and cooperate with the other Parties as appropriate in responding to the request for access.

A Party that becomes aware of an error or suspected error in the Patient Information shall comply with the policies of the Practice and promptly notify the Practice and the other Parties as appropriate, and cooperate with them to correct the error or suspected error.

Appendix C: Sample Policies

Sample Responsible Physician Policy

The Patient’s Responsible Physician has overall responsibility for directing and coordinating the care and management of that Patient within the Practice including:

o Ensuring they are satisfied that systems are in place to ensure that there is appropriate continuity and follow-up of medical care and laboratory tests ordered, regardless of who provided the care or ordered the test;

o Ensuring that they are satisfied that systems are in place to ensure the creation, maintenance, and security of Medical Records and compliance with legal obligations in respect of Patient Information; and

o Ensuring that the Patient is offered longitudinal care, appropriate periodic health examinations, and any plans of care as appropriate.

The Responsible Physician has the following administrative responsibilities:

o to ensure that he or she has the consent of the Patient to be that Patient’s Responsible Physician;

o to ensure that he or she has sufficient insurance coverage, and is duly licensed by the College of Physicians and Surgeons of BC;

o to ensure that his or her practice is operated in compliance with any limits or restrictions on his or her license to practice;

o to ensure that he or she has a succession plan that ensures that in the event he or she is unable to fulfill the obligations of the Responsible Physician due to his or her unexpected disability or death, there is a physician who is designated to act as his or her successor.

The Responsible Physician has a right to take a copy of the Patient’s Medical Record with him or her upon departure from the Practice.

The Responsible Physician and his or her authorized representatives may, upon at least twenty-four (24) hours’ notice, during normal business hours, enter upon any premises maintained or contracted by the Practice, including the premises of any third party contractor, in order to inspect and audit the adherence by the Practice to its contractual duties including in respect of its security standards and procedures. The Practice has a duty to cooperate with any such audit or inspection and likewise cause any such contractor to cooperate.

The Intake Form of the Practice shall have a space to indicate who the Patient’s Responsible Physician is.

The Patient has the right to choose who their Responsible Physician shall be.

Appendix D: Sample Contractual Terms

The Physician’s Control of the Patient’s Medical Record

1. The Parties acknowledge and agree that in order to ensure clarity in respect of the rights, responsibilities, and management of Medical Records, it is necessary to designate a Responsible Physician for each Patient. The Parties will cooperate in determining who shall be so designated. No Party may be so designated without their own prior knowledge and consent [and the Patient’s prior knowledge and consent].

2. A Party is designated in the Patient’s Medical Record as the Responsible Physician for any Patient who that Party brings with him or her upon joining the Practice, unless otherwise instructed by the Patient.

3. For new Patients, a Party shall be designated as a Patient’s Responsible Physician in accordance with the Patient’s consent indicated on the [as appropriate: Intake form or Patient file Opening form or in accordance with the Responsible Physician Policy attached as Schedule to the Agreement].

4. The Responsible Physician has the right:

a. to access the Medical Record at any time;

b. to authorize or refuse to authorize who may access their Patient’s Patient Information;

c. to be given notice of any access, use, or disclosure of any Patient Information held by the Practice in any form whether in the Medical Record or otherwise, upon request;

d. to require the Practice to transfer a complete copy of the Medical Record into the custody of the Responsible Physician, or to the custody of any third party as directed by the Responsible Physician; and

e. [insert any other right as agreed]

5. The Responsible Physician shall cooperate with the Practice in promptly responding to a Patient’s request:

a. for access to his or her Medical Record;

b. for correction or notation of his or her Medical Record;

c. for provision of a copy of the Medical Record or portion thereof to any third party;

d. to designate another physician within the Practice as Responsible Physician for that Patient; or

e. to transfer his or her Medical Record to another physician or clinic.

6. In the event that a Party wishes to terminate his or her designation as the Responsible Physician in respect of a Patient, he or she shall notify the Patient and provide the Practice [# days] written notice.

7. In the event that a Party is unable to fulfill the obligations of the Responsible Physician due to illness, disability, or death, he or she shall, if reasonably possible, cooperate with the Practice and the other Parties to facilitate transfer of his Patients to his or her designated successor.


Appendix E: Sample Termination Policy

Medical Record Issues on Departure or Termination

[Note that these deadlines are examples only and physicians should ensure that the deadlines in any Termination Policy adopted by their Practice are practical and promote effective compliance and cooperation between the parties.]

Notice of termination shall be given in writing, no less than [insert number] days prior to the intended date of termination.

By [5pm on the termination date], the departing Party will:

o transfer all Patient-related documents, materials and emails into the electronic system of the Practice;

o ensure all billings for work done have been completed in accordance with the billing procedures of the Practice;

o remove all personal belongings from the office;

o for Patients being retained by the Practice, send letter to Patients advising of the name and contact information of the Physician proposed as the new Responsible Physician;

o prepare [patient transfer memos/forms] for all Patient Records retained by the Practice and ensure that all required consents and authorizations required for such transfer have been obtained; and

o for Patients being retained by the departing Party, send letter to such Patients advising of the Party’s new practice and contact information.

By [5pm on the termination date], the Practice will:

o provide the departing Party with an electronically readable and practically usable copy of personal contact lists and emails (if any);

o provide the departing Party with an electronically readable and practically usable copy of the electronic Medical Records for every Patient for whom the departing Party is the Responsible Physician and who is leaving with the departing Party.

At 5 pm on the termination date, the Practice shall terminate the departing Party’s access to the Practice’s IT system and the departing Party shall return all keys and entry fobs.

The Practice will, for six (6) months following termination, forward the departing Party’s emails for matters unrelated to Patients retained by the Practice.

The departing Party will be invoiced at the rate of [insert agreed rate] per hour for support staff work related to the transition that is outside the normal course of business. These fees will be payable for any work required to facilitate the transition, regardless of whether such work is during the notice period or after termination.

The fees for transfer of electronic Patient Medical Records shall be as follows [insert fee structure].

Other matters that could be addressed in a policy include use of staff time, service provider costs, transferring to other formats, boxing paper files, and copying costs and time.


Appendix F: Sample Contractual Terms

Medical Record Issues on Departure or Termination

1. In the event of the termination of this Agreement, the Parties agree to follow the termination policy [consider: as set out in Schedule ** of this Agreement].

2. All Patients for which a Party is designated as the Responsible Physician as at the date of the notice of termination, will remain the Patients of such Party after termination.

3. Subject to the Patient’s instructions and Applicable Law, the Party wishing to transfer the Medical Records of those Patients for whom the Party is designated the Responsible Physician into his or her custody and control, shall send a request in writing to the Practice, identifying each such Patient by name and providing details as to the person or place where the Medical Records are to be transferred.

4. Within 10 days of receipt of a written request from a Responsible Physician,

a. a copy of the electronic Medical Record and of any paper Medical Record associated with the Patients of such Responsible Physician shall be transferred to him or her, in a readable format, [consider: in accordance with the procedures in Schedule **;]

b. in respect of paper Medical Records, the receiving Party will, upon receipt, be solely responsible for the confidentiality, security, access, retention, and destruction obligations and for those additional obligations that arise upon sale, closure, or other termination of such Party’s practice.

5. The Parties will cooperate to facilitate the response to a written request by a Responsible Physician. The Parties agree that any fees for the costs associated with such transfer shall be [paid by the Practice] or [paid by the departing physician] or [in accordance with the fee structure attached at Appendix **]

6. During the [XX day notice period] or [notice period as provided in the Main Agreement] prior to termination, the Parties will cooperate on a best efforts basis to facilitate the transition of Patient Medical Records to the person or place as instructed by the Patients’ Responsible Physician, including ensuring that:

a. any Patient Medical Records transferred in electronic form can, after being transferred to the Responsible Physician, reasonably be accessed, used, stored, and printed in a manner that facilitates the continued use in electronic form of the Medical Records, including converting the record into a format readable by software to be used by the departing Physician; and

b. such transition can be accomplished promptly and in a manner that ensures the integrity, accuracy, and completeness of each Patient’s Medical Record.

7. Until custody and control of each and every Medical Record has been transferred, or until the date that the ultimate retention period for the Medical Record has lapsed, whichever is later, the Practice shall ensure that:

a. any electronic system used to access, retrieve, hold, store, archive, or maintain Medical Records shall continue to operate after this Agreement terminates (including any renewals or extensions), in a manner that preserves the original Medical Record, facilitates access to and transfer of Medical Records in readable form, and ensures the creation and maintenance of an audit trail;

b. any necessary reporting to patients or regulatory bodies in relation to the termination of this Agreement and the Main Agreement can be done in accordance with Applicable Law;

c. in the event of a medical-legal matter, the Medical Records can be, and are, made available in readable form to the Parties or their agents or insurers, and to regulatory bodies, for inspection and copying, upon reasonable notice;

d. the Party who was designated as the Patient’s Responsible Physician as at the date this Agreement is terminated, is notified promptly and in any event within [1 day], of any request by any person for access to a Medical Record; and

e. the quality, integrity, accuracy, security, and privacy of the Medical Record is maintained in a manner consistent with the terms of this Agreement and Applicable Law.


8. During the term of this Agreement and after any termination or expiry thereof, the Practice may retain a copy of any Medical Records as is necessary to satisfy the requirements of this Agreement and [the Main Agreement and] its obligations under Applicable Law and shall not destroy any Medical Record in its custody except in accordance with the terms of this Agreement and Applicable Law.

9. The Practice shall ensure that any system used to archive Medical Records is compliant with Applicable Law.

10. Certain terms survive the termination or expiration of this Agreement and [any other relevant agreement]. [consider: Management of Medical Record on Termination; No Interference; Indemnities, cooperation terms, storage, retention, access, transfer.]


Appendix G: Additional Sample Contractual Terms

Cooperation and Non-Interference

1. The Parties shall cooperate in developing any business continuity, succession, and contingency plans, or other policies, procedures, or protocols, as are reasonably necessary.

2. No Party shall do any act or thing, or exercise any right under this Agreement or the Main Agreement, during or after the term or termination of this Agreement, if to do so would have the effect of limiting, restricting, or interfering with:

a. a physician’s [or other health care provider’s] ability to comply with their own legal or ethical or contractual duties or to seek medical/legal advice from an insurer or legal counsel;

b. a regulator’s ability to exercise any power or authority in respect of any regulated professional; or

c. a Patient’s rights in respect of his or her Personal Information under Applicable Law.

No Assignment

1. No Party shall assign, outsource, or subcontract this Agreement or their obligations hereunder without the prior written approval of the other Parties. Subject to this, the Agreement is binding upon the Parties, their successors, and permitted assigns.

2. Each Party shall ensure that any subcontractor shall be bound by contract to comply with the restrictions, terms, conditions, and safeguards applicable to such Party as if such subcontractor were a party hereto.

3. No Party shall assign, transfer, convey, or otherwise encumber any of its rights to, or grant any right, title or interest in or to any of, or allow any liens to be placed on or levied against, the hardware or software or systems used to access, use, disclose, hold, manage, store, transmit, or manipulate Patient Information or Medical Records. [or; shall not, without notice and approval…and in any event shall ensure that no such encumbrance/lien/interest etc., interferes with the rights and obligations of the Parties and others, in accordance with paragraph 27 above.]

Representations and Warranties

1. Where Patient Information is to be transferred into the Practice, the Party transferring such Patient Information represents and warrants that it has obtained the Patient’s prior express written consent for such transfer, and for the collection, access, use, and disclosure of such Patient’s Patient Information as necessary for the purposes of providing health care to such Patient.

2. The Practice represents and warrants that it has developed and implemented policies and procedures necessary to ensure the confidentiality, security, and privacy of the Patient Information in its custody, in compliance with Applicable Law; and that no system or tool used in the operation of the Practice violates any intellectual property or other property right.

Acknowledgements and Agreements

1. Each Party acknowledges and agrees that:

a. it is subject to and will comply with all Applicable Laws;

b. the Patients of the Practice reasonably expect that their Personal Information is collected, used, and disclosed for the purposes of providing them with health care services, which includes billing and quality improvement, and accordingly all Parties will collect, access, use, and disclose Patient Information solely for such purposes except where the Patient has provided express written consent for another purpose; and

c. regardless of who is designated the Responsible Physician, each Party owes independent legal, ethical, professional, and fiduciary duties and duties of care to each Patient, and nothing in this Agreement is intended to prevent or interfere with a Party’s ability to comply with any such duties.