Originally published October 2013
Physicians' practices are undergoing unprecedented change. Some of these changes stem from new or amended legislation, evolving electronic records systems, technological advancements, and contractual obligations. Many of these changes have important privacy implications that require physicians' understanding and attention.
Despite the complicated nature of these developments, physicians can take practical steps to achieve compliance with their privacy obligations.
As a first step, physicians must understand their privacy-related obligations in today's evolving practice environment. Most provinces and territories have enacted health-specific privacy legislation that governs the collection, use, and disclosure of personal health information. In the few jurisdictions without health-specific legislation, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to personal health information. Doctors should familiarize themselves with the legislation in their jurisdiction and take steps to comply. The CMPA, privacy commissioners, medical associations, and provincial and territorial regulatory authorities (Colleges) may have resources available to assist physicians in becoming privacy compliant.
Prudent administrative and management practices
Physicians who familiarize themselves with their privacy obligations, identify potential issues that may arise in their practice, and take steps to address concerns will be better prepared to navigate today's complex administrative and regulatory environment.
There are a number of administrative and management practices that can help doctors comply with privacy requirements. CMPA members are encouraged to consider the following.
Data sharing agreements
As the name implies, a data sharing agreement is an agreement setting out the terms for the sharing of electronic health information between a healthcare provider or group of healthcare providers and an institution, health authority, or service provider. The agreement normally establishes which type of data is being shared, the obligations involved, permissions required, and how the data can be accessed and used. The principles commonly referred to in data sharing agreements are data management, confidentiality, privacy, security and access, data quality, indemnification, termination, and dispute resolution.
Data sharing agreements are valuable to physicians using electronic medical record (EMR) or electronic health record (EHR) systems that have one or more centralized electronic repositories of medical records and pre-defined access rights. Each provider of healthcare services, or custodian, may have access to some or all of the record to support the delivery of care to the patient.
In the context of a group medical practice, physicians may have a shared electronic records system for use by all the physicians in the group. In these circumstances, the physicians may consider an inter-physician agreement that governs their use of the records. Because multiple users will have access to the records, it will be important that the agreement ensures that patient records are accessible only by authorized users for authorized purposes.
Some physicians, depending on their practice arrangement, may want to establish a data sharing agreement with other physicians or with an EMR service provider; alternatively, a physician may be asked to sign a data sharing agreement with a hospital, clinic, or health authority. In any case, these agreements often contain indemnification clauses that specify who is responsible in the event of loss or damage relating to the agreement.
Confidentiality and non-disclosure agreements
A physician is ultimately responsible for ensuring staff members also respect the confidentiality of patients' personal information. When privacy breaches occur, physicians may be found vicariously liable for their employees' actions in a legal proceeding. Further, physicians are ultimately responsible under privacy legislation for breaches caused by agents or affiliates, such as employees, staff, or service providers retained to assist physicians in their duties as custodians of patients' personal health information.
To minimize the risk of potential privacy breaches, physicians should have their employees and staff sign confidentiality and non-disclosure agreements, and these should be renewed yearly. Doing so helps to ensure employees understand their obligations, and encourages the respectful and lawful handling of patient health information.
Proper disposal of records
The proper disposal of records is another important aspect of privacy compliance. Records may be disposed of after the required retention period or after the transition from paper to electronic records. Effective destruction requires the permanent deletion of electronic records or the shredding or incineration of paper records. However, paper records scanned into electronic format should only be destroyed if there is a read-only electronic version of the records that cannot be altered or manipulated after conversion. To minimize risk, physicians should develop written procedures for the conversion process and train their staff on proper disposal techniques before any transition. Physicians should also engage a reputable service provider to dispose of old records. Finally, the conversion process should involve some form of quality assurance, and a record should be kept of the actions taken.
Privacy impact assessments and privacy officers
Some jurisdictions require a privacy impact assessment prior to implementing or making changes to shared eRecord systems. These assessments help to identify and minimize the privacy risks associated with implementing eRecord systems. Although these assessments are not required in every jurisdiction, they can be a valuable tool for physicians. Members can consult their respective privacy commissioner to learn more about conducting a privacy impact assessment for their practice.
An audit capability is seen as a necessary component of any electronic records system. Periodic audits are recommended in many jurisdictions to help ensure the privacy of patient health information. These help to confirm that patient records stored in electronic systems are accessed only by authorized individuals and only for approved purposes. Regular audits allow physicians to identify and address any unauthorized access at the earliest opportunity.
Given the increasingly complex nature of privacy issues that may arise in medical practice, most institutions have hired privacy officers. These individuals focus on developing, monitoring, and updating privacy policies. They also respond to access requests. Even physicians in smaller practices can appoint privacy officers to help mitigate the existing and emerging medico-legal risks associated with privacy requirements. Doctors in private practice who delegate this responsibility should remember that they are ultimately accountable for their patients' personal health information. Privacy policies, mandatory in some jurisdictions, can be of great assistance in meeting these obligations.
All physicians and healthcare institutions need to comply with complex privacy-related requirements. Physicians who take steps to mitigate risk will be well positioned to meet these challenges within today's rapidly evolving practice environment. The CMPA and other organizations are available to help physicians.