Privacy and a wired world — Protecting patient health information
Practice environments are increasingly demanding as physicians navigate the transition from paper-based to electronic records, respond to information requests through multiple channels, and fulfill their obligations under privacy legislation amidst the constant technological advances of an increasingly wired — and wireless — world.
Understandably, physicians and their patients have been growing more concerned about privacy issues. A recent survey undertaken by the federal Office of the Privacy Commissioner of Canada [1] notes that nearly two-thirds of Canadians identify privacy protection as one of the most important issues. Within the healthcare context, it has been suggested that, because of privacy concerns, patients may withhold critical health information.
Privacy legislation requires that physicians move beyond understanding their professional duty of confidentiality to ensuring compliance with applicable privacy legislation.
Physicians need to apply effective measures to comply with privacy legislation. These measures encompass all facets of a physician's practice, including initial contact, storage of records, exchanging patient information, and managing shared access of electronic medical records. While technological advances can facilitate the exchange of patient information, privacy rules still apply.
Physicians should also be aware of privacy requirements imposed by the medical regulatory authority (College). If unsure of their privacy obligations, members are encouraged to contact the CMPA for advice.
Physicians are responsible for not just their own actions, but those of their staff as well. Privacy policies and their enforcement are the responsibility of the physician in a privately-owned office or clinic. Most health privacy statutes require physicians to assess their information management practices, establish appropriate privacy policies, and designate individuals with specific responsibility for privacy within their practice. Patients who feel that their medical information has been compromised can complain to the privacy commissioner or to the College, or initiate a civil action against the physician. If unsure of privacy obligations, members should contact the CMPA.
Increasingly common are breaches associated with the theft of unencrypted electronic devices such as laptops, portable storage media such as hard drives and USB sticks, and mobile phones and tablets. Unintended exposure of patient information also occurs because of misdirected faxes and emails, and unprotected computer screens in examining rooms.
Meanwhile, external threats from spyware or malware (malicious software) that invade computer systems add yet another dimension to the need for privacy protection. The use of mobile devices and social media platforms provides other channels through which sensitive patient information can be unwittingly exposed. Adoption of cloud computing and patient portals will create additional privacy and security concerns.
All privacy statutes require that personal health information be protected by security safeguards — such as encryption, firewalls, and physical security — appropriate to the level of sensitivity of the information. Some Colleges have also issued specific guidelines on the use of new technologies.
New technologies can have a positive impact on physicians' practice, patients' health, and the medical system generally. Electronic health information systems can improve patient care through better sharing of information with specialists and other healthcare providers within the patient's circle of care, and better coordination and access to services, particularly for patients living in remote areas.
Physicians need to keep abreast of new information practices and ways of implementing and fulfilling privacy obligations. Physicians may want to consider these strategies and management tips.
The CMPA website has several publications, articles, and an online learning activity about confidentiality and privacy. A summary article provides links to specific advice on confidentiality and privacy topics ranging from consent, to encryption, to social media. The CMPA has also prepared documents on the principles of data sharing as well as sample data sharing agreements.
When in doubt, members should not hesitate to call the CMPA for advice or guidance.