Advanced search

Read PDF version

Protecting sensitive electronic health information — think encryption
An article for physicians by physicians
Originally published September 2007
IS0771-E

Office computerization of health information introduces opportunities for increased efficiencies. However, the inadvertent loss or theft of computer hardware containing unsecured patient information may cause great distress to patients. It can also generate considerable cost and inconvenience, especially since the introduction of privacy legislation in all Canadian jurisdictions.

New privacy legislation

Subsequent to many reports of the loss of electronic devices containing sensitive personal health information, primarily as a result of theft, the Information and Privacy Commissioner/Ontario recently issued an order that goes beyond earlier prudent advice. Ontario’s Commissioner now insists on strong password protection and encryption for sensitive personal health information stored on electronic devices. In the order, the Commissioner stated that if hardware containing sensitive personal information was lost, but was secured by strong password protection and appropriate encryption then it would not be considered a potential privacy breach. Otherwise, it would be considered a potential privacy breach, and any patients involved would have to be notified.

While the Privacy Offices in many jurisdictions suggest and encourage notification in the event of a potential privacy breach such as the theft of a computer containing patient information, currently Ontario is the only jurisdiction where notification of patients is obligatory by law.

Consequences of potential privacy breach from computer theft

We’ve all heard stories of the fallout from computer thefts at institutions such as governments, banks and hospitals, but here’s an account of the experience of one of our members at her small Ontario clinic:

“On October 23, amongst other items, three computers were stolen from our clinic where three family physicians practise. The total number of patients cared for was difficult to estimate since it would not only include regular patients but those seen short-term in various hospital and institutional settings, during cross-coverage on call, and those that were on record but recently deceased or moved. The best estimate was no less than 4,500 to 5,000 persons.

The CMPA was contacted October 25 to inquire about implications regarding the Personal Health Information Protection Act. The Office of the Information and Privacy Commissioner/Ontario was subsequently contacted on October 26. By December 6, interactions with that office were completed to the point that (patient) notification could formally commence. Interactions consisted of a number of long distance calls to Toronto (estimated at 1½ to 2 hours in total) then submission of a written report to this office addressing all items requested by this office so that they might commence their investigation. Subsequently a draft letter of notification was submitted then reviewed and edited by their office. Telephone discussion included negotiation regarding the extent of notification required given particular patient populations that would be difficult to trace.

Once the notification letter met their approval, enlarged laminated copies were made and posted in every room of the office and copies of the letter were printed in bulk for distribution to affected patients. It is estimated that approximately 12 to 14 physician hours were dedicated to generating a computer database of individuals that would have attended the practice during the notification period which was negotiated to be the previous two years and eliminate those that were deceased or relocated with an unknown address.

Subsequently, a minimum of 70 hours of staff time was devoted to confirming patient notification, explaining the notification letter and why it was necessary, providing details regarding the event, addressing patient concerns and listening to patients’ own stories and opinions regarding criminal action and the justice system. Each initial patient/physician interaction over the ensuing 3 ½ months included an additional 20 second to several minute discussion regarding the event and the letter.

Approximately 900 letters were mailed to persons and families who did not come through the office during the notification period. Approximately 15 hours of additional time was devoted to addressing, stamping, stuffing and sealing the envelopes. Physician family members also assisted in a volunteer capacity.

A summary letter was then submitted to the Office of the Information and Privacy Commissioner/Ontario to confirm that the notification process had been completed by the deadline they had set.”

Physicians and the health-care community-at-large have long appreciated and placed great importance in the protection of sensitive patient information. Products that provide appropriate password protection and encryption are now commonly available, simple to install, user-friendly and inexpensive. At the CMPA, we now routinely use these measures to protect your personal information and strongly recommend you consider employing these products to further protect your patient information.

The bottom line

With respect to electronic devices containing patient information, it would be prudent to:

• Be familiar and compliant with privacy legislation in your jurisdiction, including the requirements or recommendations related to patient notification in the event of a potential privacy breach.
  
• Use products that permit adequate password protection and encryption. For information and advice on encryption, one useful source is the fact sheet prepared by the Information and Privacy Commissioner/Ontario entitled “Encrypting Personal Health Information on Mobile Devices.”
  
• Establish office procedures to safeguard these electronic devices from loss or theft.
  
• Contact the CMPA for advice in the event of loss or theft.