Physicians should also be aware of privacy requirements imposed by the medical regulatory authority (College). If unsure of their privacy obligations, members are encouraged to contact the CMPA for advice.

Physicians are responsible for not just their own actions, but those of their staff as well. Privacy policies and their enforcement are the responsibility of the physician in a privately-owned office or clinic. Most health privacy statutes require physicians to assess their information management practices, establish appropriate privacy policies, and designate individuals with specific responsibility for privacy within their practice. Patients who feel that their medical information has been compromised can complain to the privacy commissioner or to the College, or initiate a civil action against the physician. If unsure of privacy obligations, members should contact the CMPA.

Increasingly common are breaches associated with the theft of unencrypted electronic devices such as laptops, portable storage media such as hard drives and USB sticks, and mobile phones and tablets. Unintended exposure of patient information also occurs because of misdirected faxes and emails, and unprotected computer screens in examining rooms.

Meanwhile, external threats from spyware or malware (malicious software) that invade computer systems add yet another dimension to the need for privacy protection. The use of mobile devices and social media platforms provide other channels through which sensitive patient information can be unwittingly exposed. Adoption of cloud computing and patient portals will create additional privacy and security concerns.

All privacy statutes require that personal health information be protected by security safeguards — such as encryption, firewalls, and physical security — appropriate to the level of sensitivity of the information. Some Colleges have also issued specific guidelines on the use of new technologies.

New technologies can have a positive impact on physicians' practice, patients' health, and the medical system generally. Electronic health information systems can improve patient care through better sharing of information with specialists and other healthcare providers within the patient's circle of care, and better coordination and access to services, particularly for patients living in remote areas.

Physicians need to keep abreast of new information practices and ways of implementing and fulfilling privacy obligations. Physicians may want to consider these strategies and management tips.

1. Be aware of the privacy legislation that applies to your practice and jurisdiction. Several Colleges have adopted policies related to privacy and the electronic use of patient information. Some privacy commissioners have published guides or assessment tools for safeguarding personal health information.
2. Consider undertaking a privacy impact assessment or audit to help identify and minimize privacy risks. While the assessment may not be a legal requirement in every jurisdiction, it is a prudent procedure and may help in shaping protocols for your office.
3. Determine how best to inform patients about the use of technology in your practice, including how you manage their personal health information. Often, this can be achieved through a written notice posted in the office. Although consent can usually be implied, patients may appreciate being informed about the implementation of electronic medical records.
4. Consider appointing someone in your practice as the privacy officer. While the appointment of a privacy officer is not a requirement in every jurisdiction, it is a good practice. This person would have the responsibility of developing, updating, and monitoring privacy policies for compliance. While the role of a privacy officer may be delegated, ultimately, physicians in private practice are accountable for protecting their patients' personal health information.
5. Ensure staff receive training about privacy policies and practices. This is particularly important for new employees who may be unfamiliar with their privacy responsibilities. Training provides clarity on the transmission, use, and storage of patient information by all staff members. Staff should also be asked to sign a confidentiality agreement.
6. Establish written agreements with service providers (e.g. EMR vendors, records storage, shredding companies, transcription services) which set out expectations concerning privacy compliance. Ensure electronic security measures are up to date, including the use of password protections and appropriate levels of encryption, and the updating of software and installation of security patches.
7. Be aware of the jurisdiction in which the personal health information will be stored and if restrictions prevent information from being stored outside of Canada.
8. Understand your responsibilities and accountabilities in the event of a privacy breach and how best to respond. Being proactive and developing a policy or action plan in the event of a privacy breach is considered good practice. In some jurisdictions, privacy legislation requires notification of affected individuals or the privacy commissioner, or both. Members are encouraged to call the CMPA should they believe a breach has occurred.