Duties and responsibilities
Managing access to electronic health records
Originally published October 2013 / Reviewed August 2015
One of the most attractive features of electronic health records is ease of access. At the stroke of a key, physicians and other healthcare providers can access a patient's information with the goal of delivering effective, seamless care.
That convenience, however, comes with risks. The privacy of individuals and the security of their personal health information can be compromised by healthcare providers who may view patient information, but are not involved in treating the patient, or by staff members who access patients' personal health information for unauthorized purposes.
If a provider views or accesses the health information of an individual for unauthorized purposes, this is considered a privacy breach. Regrettably, health record privacy breaches in Canada are a reality. Increasingly, audits or patient complaints uncover cases where healthcare providers and staff, including doctors, have viewed patient information for unauthorized purposes. Regardless of whether the information was accessed intentionally or carelessly, patients have an overriding right to the privacy of their health information.
Inappropriate access can prove detrimental to patients
Patients whose privacy has been compromised may suffer discrimination, stigmatization, and economic or psychological harm according to the Information and Privacy Commissioner of Ontario.1 Additional stress is particularly detrimental to patients who are already vulnerable due to health problems. Some patients may also experience anger and disbelief at the offending behaviour. Most importantly, patients whose privacy is breached might lose trust or confidence in the health system.
A survey of Canadian patients confirms that privacy concerns may influence how and when they connect with the health system. Patients concerned about privacy may refrain from seeking tests or treatment, engage in multiple doctoring, or withhold or falsify information, all of which have serious implications for those attempting to treat or provide care. 2
Since doctors are expected to reasonably protect patient health information, privacy breaches may also have negative consequences for physicians. These can include patient complaints to a privacy commissioner, medical regulatory authority (College) investigations, possible sanctions by both, as well as lawsuits.
At the health system level, privacy breaches can consume large amounts of time and resources. Notification and disclosure may be required by law, complaints must be investigated, and breaches contained and remediated. Privacy breaches can also impact public support for sharing health information for research purposes.3
The principles of access
In Canada, physicians, institutions, or clinics own the physical health record, regardless of whether it is paper or electronic. However, the information in the health record remains the patient's and is held in trust for the care and benefit of the patient. With few exceptions, each patient retains a right of access to their health information, including information derived from other sources such as consultants' reports.
Patients also have a right to control access to their health information. Consent is the primary way patients exercise their right to control their personal health information. Consent can be either implied or expressed. Implied consent occurs when it is reasonable to assume in specific circumstances that an individual has given consent. For example, when a patient attends an appointment to see a doctor, it is reasonable to assume the patient is consenting to the physician collecting their personal health information. Implied consent can also be assumed for the sharing of personal health information with other healthcare providers who might be involved in the patient's care. This approach is known as the "circle of care." Disclosing information to individuals or organizations outside the circle of care, however, requires a patient's expressed consent, unless the disclosure is permitted or required by law. Expressed consent is given as a directive, either verbally or in writing.
Even within the circle of care, patients may also choose to place limits or conditions on who may have access to their personal health information. This can be achieved by "masking" or "lock-box requests" or disclosure directives, where the system allows. Further, consent is not a static principle. Patients are entitled to modify or withdraw their consent to the disclosure of their personal health information at any time in the prescribed way.
The challenges with access
The advantages of an electronic record (eRecord) system are ease of access and sharing, and the challenges are similar. While the principles of access are similar to those that apply to the paper record environment, putting them into practise in today's changing healthcare system brings new and unanticipated challenges.
For example, audits have revealed that some physicians who are also patients at healthcare institutions where they practise have taken the opportunity to look at their own eRecords. While physicians can request access to their personal health information, they should do so following the established process. Similarly, doctors should not access information about family members or friends, even if these health records are readily available to them through electronic platforms.
Physicians will also want to ensure that their employees and clinic personnel are familiar with privacy requirements. These individuals should not access records if they are not included within the circle of care, or authorized to access the records for the purposes of performing their duties (e.g. billing, scheduling appointments, etc.).
Managing the risks
Physicians have an obligation to protect their patients' personal health information from inappropriate access. Physicians must have sound policies and processes in place to protect the personal health information in their custody and control from being accessed inappropriately. They must also ensure that everyone within their control, including their employees and other staff, are aware of these policies and procedures and abide by them.
Physicians might also consider equipping their eRecord system with access controls based on each user's role and responsibilities. Finally, breaches must be dealt with promptly and effectively and in compliance with any notification requirements imposed by applicable privacy legislation. Members may contact the CMPA for advice on these requirements.
1. Information and Privacy Commissioner of Ontario, "Unauthorized Access to Electronic Records," Presentation to Ontario Hospital Association, November 28 2012. Retrieved on May 16 2013 from: http://www.ipc.on.ca/images/Resources/2012-11-28-OHA.pdf .
2. Fairwarning, "Canada: How privacy considerations drive patient decisions and impact patient care outcomes," December 2011. Retrieved on May 16 2013 from: http://www.fairwarning.com/Canada/whitepapers/2011-12-WP-CANADA-PATIENT-SURVEY.pdf
3. National Research Council, Institute of Medicine, Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research, National Academies Press, 2009 334pp. ISBN 0-309-12500-6. Retrieved on July 17 2013 from: http://books.nap.edu/openbook.php?record_id=12458