Keeping patient wishes at the center, without the patient themselves carrying the technical and logistical burden, requires new capabilities, such as delegation and a trusted governing entity.
Current laws only require information to be provided directly to the patient, not delegated to third parties, such as a health agency or a primary care provider, in accordance with the patient's wishes. In fact, a recent amendment to PHIPA, which has not yet come into force, clarifies that if a provider of a web app seeks access to a patient's record, with the patient's authorization and consent, a health information custodian (government or private) does not have to provide access to the web app provider, but the custodian does have to provide access to the patient directly. This deviation from a patient's wishes (i.e., delegated access) occurs because there isn't a system or process by which a health information custodian can trust the validity of such authorizations. However, a governing entity empowered by the government could play that role and imbue trust in the system.
We recommend that laws and regulations include the right of consumers to delegate their access to specific third parties, in an ongoing manner at the consumer's request and direction. Furthermore, and importantly, we recommend that such laws allow proactive delegation to a group of third parties specified by criteria and changing over time, to meet the patient's wishes.
With trustworthy criteria and a trustworthy process or system, the two forms of delegation can meet the guidelines for informed consent \cite{PrivacyCommissionerofCanada2018}. This can be achieved with a trusted governing entity, with privacy competency similar to privacy ambassadors, that collects, manages and enforces patients' wishes. With a trustworthy system we cannot doubt a person's wishes, or how informed they are, in the name of protecting them from their own mistakes. Information is never perfect and decisions are not risk-free, but trustworthy systems mitigate risk. We don't need to consult patients on how much privacy they need because the answer differs for each person: some want a lot of privacy, others do not. We only need to accommodate the many different choices of patients, knowing that one patient's choice does not affect another's.
Proactive delegation does not just meet the patient's needs; it also creates a more effective and efficient system for sharing data in matters of public health and research. That is, if proactive delegation creates a legal mandate or obligation on custodians to share data, then it removes the need to negotiate data-sharing agreements between the data custodian (the company or public entities that either hold or make applications that hold patient data) and third parties. Custodians often hold data hostage in the name of liability and risk, causing immense delays in data sharing.