Originally published December 2011
Practice environments are increasingly demanding as physicians navigate the transition from paper-based to electronic records, respond to information requests through multiple channels, and fulfill their obligations to privacy legislation amidst the constant technological advances of an increasingly wired — and wireless — world.
Understandably, physicians and their patients have been growing more concerned about privacy issues. A recent survey undertaken by the federal Office of the Privacy Commissioner of Canada1 notes that nearly two-thirds of Canadians identify privacy protection as one of the most important issues. Within the healthcare context, it has been suggested that, because of privacy concerns, patients may withhold critical health information.
Privacy legislation requires that physicians move beyond understanding their professional duty of confidentiality to ensuring compliance with applicable privacy legislation.
Physicians need to apply effective measures to comply with privacy legislation. These measures encompass all facets of a physician's practice, including initial contact, storage of records, exchanging patient information, and managing shared access of electronic medical records. While technological advances can facilitate the exchange of patient information, privacy rules still apply.
While the federal Personal Information Protection and Electronic Documents Act (PIPEDA) may apply in some jurisdictions, most provinces have enacted health specific privacy legislation2. While it can be time-consuming, physicians should be aware of the implications of privacy legislation that apply to their practice and jurisdiction.
Physicians should also be aware of privacy requirements imposed by the medical regulatory authority (College). If unsure of their privacy obligations, members are encouraged to contact the CMPA for advice.
Physicians are responsible for not just their own actions, but those of their staff as well. Privacy policies and their enforcement are the responsibility of the physician in a privately-owned office or clinic. Most health privacy statutes require physicians to assess their information management practices, establish appropriate privacy policies, and designate individuals with specific responsibility for privacy within their practice. Patients who feel that their medical information has been compromised can complain to the privacy commissioner or to the College, or initiate a civil action against the physician. If unsure of privacy obligations, members should contact the CMPA.
Threats and safeguards
A privacy breach is typically described as any unauthorized access, use, or disclosure of personal health information. Privacy breaches can arise from the physical loss or inappropriate disposal of paper records or through the loss of electronic information.
Increasingly common are breaches associated with the theft of unencrypted electronic devices such as laptops, portable storage media such as hard drives and USB sticks, and mobile phones and tablets. Unintended exposure of patient information also occurs because of misdirected faxes and emails, and unprotected computer screens in examining rooms.
Meanwhile, external threats from spyware or malware (malicious software) that invade computer systems add yet another dimension to the need for privacy protection. The use of mobile devices and social media platforms provide other channels through which sensitive patient information can be unwittingly exposed. Adoption of cloud computing and patient portals will create additional privacy and security concerns.
All privacy statutes require that personal health information be protected by security safeguards — such as encryption, firewalls, and physical security — appropriate to the level of sensitivity of the information. Some Colleges have also issued specific guidelines on the use of new technologies.
Managing privacy requirements
Despite privacy risks, the electronic healthcare environment is well advanced and transforming the management of patient care. An increasing number of physicians recognize the opportunities of interconnectivity and are forging ahead, implementing procedures to fit this new age of data collection, use, and storage.
New technologies can have a positive impact on physicians' practice, patients' health, and the medical system generally. Electronic health information systems can improve patient care through better sharing of information with specialists and other healthcare providers within the patient's circle of care, and better coordination and access to services, particularly for patients living in remote areas.
Physicians need to keep abreast of new information practices and ways of implementing and fulfilling privacy obligations. Physicians may want to consider these strategies and management tips.
- Be aware of the privacy legislation that applies to your practice and jurisdiction. Several Colleges have adopted policies related to privacy and the electronic use of patient information. Some privacy commissioners have published guides or assessment tools for safeguarding personal health information.
- Consider undertaking a privacy impact assessment or audit to help identify and minimize privacy risks. While the assessment may not be a legal requirement in every jurisdiction, it is a prudent procedure and may help in shaping protocols for your office.
- Determine how best to inform patients about the use of technology in your practice, including how you manage their personal health information. Often, this can be achieved through a written notice posted in the office. Although consent can usually be implied, patients may appreciate being informed about the implementation of electronic medical records.
- Consider appointing someone in your practice as the privacy officer. While the appointment of a privacy officer is not a requirement in every jurisdiction, it is a good practice. This person would have the responsibility of developing, updating, and monitoring privacy policies for compliance. While the role of a privacy officer may be delegated, ultimately, physicians in private practice are accountable for protecting their patients' personal health information.
- Ensure staff receive training about privacy policies and practices. This is particularly important for new employees who may be unfamiliar with their privacy responsibilities. Training provides clarity on the transmission, use, and storage of patient information by all staff members. Staff should also be asked to sign a confidentiality agreement.
- Establish written agreements with service providers (e.g. EMR vendors, records storage, shredding companies, transcription services) which set out expectations concerning privacy compliance. Ensure electronic security measures are up to date, including the use of password protections and appropriate levels of encryption, and the updating of software and installation of security patches.
- Be aware of the jurisdiction in which the personal health information will be stored and if restrictions prevent information from being stored outside of Canada.
- Understand your responsibilities and accountabilities in the event of a privacy breach and how best to respond. Being proactive and developing a policy or action plan in the event of a privacy breach is considered good practice. In some jurisdictions, privacy legislation requires notification of affected individuals or the privacy commissioner, or both. Members are encouraged to call the CMPA should they believe a breach has occurred.
The CMPA website has several publications, articles, and an online learning activity about confidentiality and privacy. The CMPA has prepared documents on the principles of data sharing (in the Electronic Records Handbook) [PDF] as well as sample data sharing agreements.
When in doubt, members should not hesitate to call the CMPA for advice or guidance.
- Ekos Research Associated Inc., Canadians and Privacy, Final Report, submitted to the Office of the Privacy Commissioner of Canada, 2009. Accessed online, September 2011,
- NYMITY, Privacy Maps, Federal and Provincial Privacy Acts in Canada, accessed September 2011 at: