By Tony Poland, LegalMatters Staff

More needs to be done to protect Canadians’ electronic health records from being accessed and potentially used by foreign entities, says Ontario disability insurance lawyer Courtney Mulqueen.
Mulqueen, principal lawyer of Mulqueen Disability Law Professional Corporation, pointed to a recent report in the Canadian Medical Association Journal (CMAJ) which cited concerns about Canadian privacy laws.
The report noted that while electronic medical records systems from clinics and hospitals are encrypted and primarily stored on Canadian cloud servers, those servers are often owned and controlled by American companies and subject to American laws.
“The value of Canada’s health data is immense,” the CMAJ states. “The sovereignty risks associated with these data are real. If Canada is to lead in the health AI [artificial intelligence] space, it must move quickly to establish long-overdue privacy and technology safeguards.”
Michael Geist, law professor and Canada Research Chair in internet and e-commerce law at the University of Ottawa and co-author of the paper, told CBC that “Canadian privacy law is badly outdated.”
“We’re now talking about decades since the last major change,” he says.
Privacy more than a legal detail
Mulqueen says her firm’s commitment to trauma-informed, client-centred care makes privacy more than a legal detail – “it’s a critical part of protecting dignity in the claims process.” She says clients shouldn’t bear the entire burden of guarding their privacy.
“We need laws that close the foreign-access loophole. That means encryption under Canadian control, a clear ban on obeying foreign data demands and investing in homegrown systems so we don’t have to rely on foreign infrastructure in the first place,” Mulqueen tells LegalMattersCanada.ca. “Our clients – already fighting to prove their disabilities – shouldn’t have to fight to keep their health data safe, too.”
The CMAJ notes that “health data are critical to health systems in Canada, but the potential of these data to be accessed and used by foreign entities for surveillance purposes without consent is concerning.”
“Advances in artificial intelligence have increased the economic value of these data, creating new risks,” the CMAJ states. “Serious privacy, security, and economic risks arise when companies in other countries hold and use Canadian data. Given the rapidly changing political climate in the United States, preserving the sovereignty of Canada’s health data – notably, ensuring that the data are subject to Canadian laws and legal systems – requires renewed focus.”
Mulqueen explains that many hospitals and clinics use cloud services owned by U.S. tech giants such as Amazon, Google, and Microsoft to store electronic health records.
Data could be accessed under U.S. law
“Even in instances where servers are physically located in Canada, American ownership means the data could still be accessed under U.S. laws such as the Patriot Act and the Clarifying Lawful Overseas Use of Data Act,” she says. “These laws may allow U.S. authorities to demand the data, potentially without the patient’s consent or a Canadian court order.
“For LTD clients, these records often contain the most sensitive information: diagnoses, treatment notes, psychological assessments, and sometimes personal details you would never want shared outside a confidential legal and medical setting.”
In Canada, health information for most private-sector organizations is protected federally by the Personal Information Protection and Electronic Documents Act (PIPEDA) or the Privacy Act (for federal institutions), Mulqueen says. Most provinces, including Ontario, have their own health-specific privacy laws, which require informed consent, limit collection and disclosure, allow patient access, and impose penalties for breaches.
“However, these laws don’t always prevent foreign access when Canadian data is stored with a U.S.-owned company,” she says. “That is the gap privacy experts are calling on lawmakers to close.”
LTD claimants face privacy risks
Mulqueen says if you are a long-term disability claimant, you face several privacy risks, including:
- Insurer Access: If records are improperly disclosed, insurers could access more than they are entitled to, potentially affecting the outcome of your claim.
- Surveillance Overlap: In combination with insurance company surveillance, uncontrolled access to health data can give insurers a broader, and potentially biased, picture of your life.
- Chilling Effect: Clients may hesitate to be fully open with their doctors or lawyers, fearing sensitive details might be exposed.
The CMAJ suggests “a multipronged approach that includes encrypting health data by design, requiring health data be hosted on Canadian soil (inserting a blocking statute into privacy laws), and investing in the development of Canadian sovereign cloud servers to host health data.”
“Canada needs to ensure that health data are secure by requiring encryption, converting data from their standard accessible format to a format that needs a secure key to decode the data,” the report states. “Encryption by default will provide technological safeguards that may be missing in some cases.”
Updated laws suggested
The authors suggest federal and provincial privacy laws should incorporate data residency or data localization requirements to keep data stored within the region where they originated.
“Data localization does not provide a guarantee that Canadian law will apply to data held by foreign entities, but it does enhance the enforcement powers of Canadian authorities,” according to the report.
Rules against disclosing data to foreign authorities without consent must also be implemented, the CMAJ states.
“PIPEDA must be strengthened, including stronger penalties for unauthorized disclosure of personal information without consent and guidance that foreign court orders related to Canadian data are unenforceable in Canada,” the authors explain.
Canada should also “invest in and support the development and growth of sovereign Canadian cloud servers to ensure that data are held in Canada by Canadian providers,” the report notes.
Patients have a part to play
While tougher legislation is needed, patients also have a part to play, says Mulqueen.
“Your health story is yours – and the law says it stays that way unless you choose otherwise,” she says. “Every clinic, insurer, and government body must follow strict rules on when, why and how they use your records. You have the right to say no, to see what they have, and to call them out if they step over the line. And if your information ever leaves Canada, we want you to know what that means and what can be done to protect yourself.”
Mulqueen suggests the following practical steps:
- Ask your provider where your records are stored and whether a U.S. company has ownership or control.
- Limit consent forms to only the information necessary for your LTD claim.
- Request copies of what your insurer has received and compare it with what you authorized.
- File a complaint with your provincial privacy commissioner if you believe your data was accessed or disclosed improperly.
Mulqueen says until new laws are enacted, patients must keep their guard up.
“Protecting health data isn’t just a technology issue – it is a human rights issue,” she says. “For LTD claimants, where the stakes include both financial survival and personal dignity, the need for airtight privacy protections has never been greater. Until Canada updates its laws, clients must remain vigilant, ask the difficult questions and exercise their legal rights to control who sees their medical story.”