Duties and responsibilities
Encryption just makes sense
Originally published December 2010 / Revised August 2017
Privacy legislation, regulatory policies and professional obligation require that CMPA members take reasonable measures to protect the privacy of their patients' personal health information. With the advent of electronic records and mobile devices, members should be cognizant that encryption can help secure personal health information and may be required by law.
In physicians' offices and healthcare institutions across Canada, healthcare professionals continue to employ electronic systems and mobile devices to use and store health information. Their expectation is to be more efficient and improve the quality of patient care. Electronic systems offer the benefits of increased accessibility, portability, and transferability of electronically stored information. It is these benefits, however, that also create an environment where large amounts of sensitive information, if not properly secured, are susceptible to breaches of privacy and physicians' duty of confidentiality.
Encryption is a sensible way to ensure the protection of electronically stored patient information. Physicians and healthcare organizations (and their vendors and service providers) need to recognize the importance of implementing encryption on all devices used to store patient information.
Encryption as a requirement
Privacy commissioners, ombudsmen, and review officers across Canada generally promote the use of encryption software. Ontario, New Brunswick and Alberta mandate that personal health information be encrypted when stored electronically on mobile devices.
Unfortunately, despite these requirements and recommendations, privacy commissioners, ombudsmen, and review officers continue to receive reports of lost or stolen laptops, office systems, or other devices where patient information was left unencrypted.
When setting up an electronic record system, physicians often rely on their vendors and service providers to properly protect patient information. Such reliance is not a guarantee of compliance. Physicians should take the necessary steps to ensure that vendors appreciate the unique nature of patient information and fully comply with privacy obligations. These obligations include appropriately protecting the information against theft, loss, and unauthorized use and disclosure.
Electronic medical records = Think encryption
Password protection does not equal encryption
Physicians are encouraged to speak with the privacy commissioner, ombudsman, or review officer in their jurisdiction about the appropriate level of encryption. Some privacy commissioners (e.g., Ontario) publish guides on the required encryption standards and the need for secure authentication of users for viewing personal health information by way of passwords, biometrics, or security tokens. Physicians can also get valuable advice from other sources including technically capable colleagues and professional organizations such as provincial or territorial medical associations, regulatory authorities (Colleges) and the CMPA.
Physicians should be aware that the theft of desktop systems is as common as the theft or loss of mobile devices. Without adequate protection of the information, theft or unauthorized access would, as a minimum, be considered a privacy breach and likely reportable.
Privacy commissioners, ombudsmen, and review officers generally agree that when hardware is secured by strong encryption, there is no actual loss of information, even if the hardware contained sensitive patient information. When there is no actual loss of patient information, there is no need to consider notifying patients. On the other hand, when a device containing unencrypted patient information is lost or stolen, it could be necessary to provide notification of the privacy breach to the affected individuals or the privacy commissioner, or both, depending on the jurisdiction. Contact the CMPA for further guidance.
Not only will the loss of sensitive information be distressing to patients, but the physician will likely incur considerable cost and inconvenience dealing with the breach. The CMPA strongly encourages physicians to encrypt all patient health information stored electronically.
While physicians and other healthcare providers have long been committed to protecting patient information, the electronic storage of information requires new protective measures. Products that provide password protection and encryption are commonly available and widely used. Considering the benefits of properly securing patient health information, encryption is a valuable risk management tool.
When storing patient information electronically, physicians should consider:
- using products that permit adequate password protection and encryption
- ensuring that suppliers and service providers appreciate the unique nature of the information and comply with the associated privacy, regulatory, and professional obligations including encryption
- knowing and complying with privacy legislation in their jurisdiction, including what patient notification is required or recommended if there is a potential privacy breach
- contacting the CMPA for advice if patient information is inappropriately accessed, lost or stolen