■ Duties and responsibilities:

Expectations of physicians in practice

Managing access to electronic health records

EHR systems can aid healthcare delivery – but they also carry medico-legal risks

A young doctor using a computer

5 minutes

Published: October 2013 /
Revised: April 2022

The information in this article was correct at the time of publishing

One of the most attractive features of electronic health records (EHR) is ease of access. At the stroke of a key, physicians and other healthcare providers can access a patient's personal health information with the goal of delivering effective, seamless care.

That convenience, however, comes with risks. The privacy of individuals and the security of their personal health information can be compromised by healthcare providers who may view the patient’s personal health information even though they are not involved in treating the patient, or by staff members who access patients' personal health information for unauthorized purposes.

If a provider views or accesses the personal health information of an individual for unauthorized purposes, this is considered a privacy breach. Regrettably, health record privacy breaches in Canada are a reality. Increasingly, audits or patient complaints uncover cases where healthcare providers and staff, including doctors, have viewed personal health information for unauthorized purposes. Regardless of whether the information was accessed intentionally or carelessly, patients have an overriding right to the privacy of their personal health information.

Inappropriate access can prove detrimental to patients

Patients whose privacy has been compromised may suffer discrimination, stigmatization, and economic or psychological harm. Additional stress is particularly detrimental to patients who are already vulnerable due to health problems. Most importantly, patients whose privacy is breached might lose trust or confidence in the health system. They may refrain from seeking tests or treatment, engage in multiple doctoring, or withhold or falsify information.

Since doctors are expected to reasonably protect personal health information, privacy breaches may also have negative consequences for physicians. These can include patient complaints to a privacy commissioner, medical regulatory authority (College) or hospital/health authority, and possible sanctions, as well as lawsuits. Additionally, privacy breaches can consume large amounts of time and resources.

The principles of access

In Canada, physicians, institutions, or clinics own the physical health record, regardless of whether it is paper or electronic. However, the information in the health record remains the patient's and is held in trust for the care and benefit of the patient. With few exceptions, each patient retains a right of access to their personal health information, including information derived from other sources such as consultants' reports.

Patients also have a right to control access to their personal health information. Consent is the primary way patients exercise their right to control their personal health information. Consent can be either implied or express. Implied consent occurs when it is reasonable to assume in specific circumstances that an individual has given consent. For example, when a patient attends an appointment to see a doctor, it is reasonable to assume the patient is consenting to the physician collecting their personal health information. Implied consent can also be assumed for the sharing of personal health information with other healthcare providers who are involved in the patient's care. This concept is known as the "circle of care." Disclosing information to individuals or organizations outside the circle of care, however, requires a patient's express consent, unless the disclosure is permitted or required by law. Express consent is given as a directive, either verbally or in writing.

Even within the circle of care, patients may choose to place limits or conditions on who may have access to their personal health information. This can be achieved through a process called a lockbox or masking, or through disclosure directives, depending on applicable privacy legislation and the functionalities of the EHR system. An EHR system provider should generally be able to help physicians address requests for limiting access to personal health information. Physicians will want to explain the risks and benefits of placing limitations on access to personal health information to the patient, and document this discussion in the record. Note that consent is not a static principle. Patients are entitled to modify or withdraw their consent to the disclosure of their personal health information at any time in the prescribed way.

Access for quality improvement reviews, teaching, and learning

Institutions typically grant physicians access to patients’ medical records for the purposes of providing clinical care. If physicians wish to access a patient’s information for non-clinical purposes, these physicians should request access from the institution if such access is not already allowed. These purposes can include quality improvement reviews as well as teaching and self-directed learning. If the institution does not allow access to a medical record for a desired purpose, the physician or other care provider may turn to the patient for the necessary consent. Physicians may want to encourage their institution or clinic to develop a privacy policy, if one does not already exist, that clarifies permitted access to patient records for quality improvement purposes, teaching, or for responding to a College or hospital complaint.

The challenges with access

While the principles of access are similar to those that apply to the paper record environment, putting them into practise brings new and unanticipated challenges.

For example, audits have revealed that some physicians who are also patients at healthcare institutions where they practise have taken the opportunity to look at their own EHRs. While physicians can request access to their personal health information, they should do so following the established process. It is also important to follow the established process when accessing the personal health information of family members or friends, even if these health records are readily available to them.

Physicians will also want to ensure that their employees and clinic personnel are familiar with privacy requirements. A yearly office training session on privacy can be useful. No one in the office or clinic should access records if they are not included within the circle of care or authorized to access the records for the purposes of performing their duties (e.g. billing, scheduling appointments, etc.).

Managing the risks

Physicians have an obligation to protect their patients' personal health information from inappropriate access. Physicians must have sound policies and processes in place to protect the personal health information in their custody and control from being accessed inappropriately.

Physicians must also ensure that their employees and staff members are aware of these policies and procedures and abide by them. Physicians are urged to require that their employees and staff members sign a confidentiality or non-disclosure agreement to ensure everyone understands their obligations in keeping personal health information secure and confidential. For more information on this topic, see the CMPA's Electronic Records Handbook.

Physicians might also consider equipping their EHR system with access controls based on each user's role and responsibilities. Finally, breaches must be dealt with promptly and effectively and in compliance with any notification requirements imposed by applicable privacy legislation. Members may contact the CMPA for advice on these requirements.

DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.