
Minimizing medico-legal risk when using technology
An article for physicians by CMPA General Counsel
Originally published June 2008

IS0884-E

Abstract

Strategies to protect information on computers and mobile computing devices from loss or unauthorized access.

 

Of interest to all physicians

Laptop and desktop computers, the Internet and email are increasingly valuable tools in physicians' practices. In particular, using computers to store patient information (i.e., electronic medical records) has become widespread. While there are advantages to using these technologies, they also create opportunities for patient information to be lost, stolen or inappropriately accessed. A previous article discussed the importance of encryption (see the CMPA article "Protecting Sensitive Electronic Health Information — Think Encryption"). Here are some additional strategies to minimize your medico-legal liability when using computers or mobile computing devices.

Use security measures

It is prudent to ensure all computers in your office, whether desktop or laptop, have strong password protection. Passwords should be required for logging on to the computer, as well as for accessing various programs. It is a good idea to pick passwords that are fairly complex, such as short sentences. Choosing obvious passwords, such as your spouse's, child's or pet's name, may defeat the purpose of the password. It is preferable to memorize your passwords rather than write them down.

Laptops are particularly vulnerable to loss and theft, so you should use extra security measures for these. Of course, encryption provides an important defence against theft of information. For added protection, consider locking laptops (and personal computers) to a desk or other stationary object with a security cable. If you transport your laptop (or other mobile computing device) from location to location, keeping it under your constant control will reduce the likelihood of theft. Avoid leaving a laptop in an unattended vehicle.

Other reasonable safeguards include installing anti-virus and anti-spyware software on the computer or mobile computing device. If you use a wireless network, you will want to consider taking steps to ensure the network is secure. For additional security, it is a good practice to log off from and shut down computers when not in use.

Back up your data

Computer systems can fail, which can lead to the loss of patient information. In some jurisdictions, there are requirements to prepare a backup of patient information. Even if there are no specific regulatory requirements, it is good practice to consider backing up patient information daily or weekly. Taking such measures will allow you to have a full copy of the information on backup media if the computer breaks down, or is lost or stolen.

Permanently delete patient information

If you are disposing of a computer, it is important to consider how to ensure that patient information on the computer is permanently deleted or irreversibly erased. Some privacy commissioners have recommended the physical destruction of the electronic storage device (e.g., hard drive) to ensure the permanent deletion of patient information. The physical destruction may include hammering, drilling holes, obliterating, pulverizing or snapping the electronic storage device into pieces. It may also be sufficient to employ wiping software to delete the information on the hard drive. However, depending on the sophistication of the software, wiping may not irreversibly erase every bit of data on a drive. You should take care not to sell or transfer computers containing patient data to another person.

While email is an efficient way to communicate, you may want to think twice before sending patient information by email. Patients may be using Internet-based free email services that lack critical security features and cannot be considered secure.

Use technology safely

Taking appropriate security measures will help ensure you get the benefits that technology has to offer, while protecting your patients' information and minimizing the risk of medico-legal liability.


DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.