Duties and responsibilities
Protecting patient health information in electronic records
Originally published October 2013
The proportion of doctors using electronic health records is growing rapidly. The most recent figures estimate that between half and three-quarters of all doctors in Canada now use electronic records. Electronic records offer real advantages in accessing and storing patient health information, and have the potential to improve the management of individual patient care while bolstering the overall effectiveness of the healthcare system.
Physicians, however, remain responsible for ensuring their patients' health information — whether in paper or electronic form — is stored and maintained in a secure manner, in keeping with legal requirements and according to relevant policies from provincial and territorial medical regulatory authorities (Colleges).
Privacy of eRecords
Electronic records (eRecords) and other advances in health information technology can enhance and facilitate access to information, clinical investigations, diagnosis, treatment, and patient outcomes. More and more doctors are embracing these technologies with the ultimate aim of providing better, safer care. However, the features that make electronic records desirable for enhancing healthcare — better accessibility, transferability, and portability — also introduce risk from a privacy perspective.1 Physicians must therefore take appropriate measures to restrict access, prevent loss and theft, and maintain the privacy of patients' personal health information.
As is the case for paper-based records, doctors are ultimately responsible for ensuring their patients' electronic records are stored and maintained in a secure manner. Doctors should be familiar with the privacy legislation in their jurisdiction, as well as the policies and expectations of their College for protecting patient information.
The 2012 CMPA membership survey found that 75% of respondents use electronic records, 78% say they understand the privacy and security issues related to these records, and 28% believe electronic records will increase their medico-legal risks.
Instilling confidence in patients
Patients take seriously the privacy and security of their health information. In fact, a 2012 Canada-wide survey found that 43% of respondents would withhold information from their care provider based on privacy concerns, and 90% stated healthcare providers should monitor who looks at medical records to detect unauthorized access to personal information.2 A separate survey by Ipsos Reid for the Canadian Medical Association found that while Canadians are more familiar with and positively inclined toward eRecords, they expect their physician to play a crucial role in preserving their privacy and confidentiality.
These and other studies highlight the importance of taking appropriate security measures to protect patient information. As well, patients appreciate being informed about the use of technology in their physician's practice, including how personal health information is managed through electronic medical records. Sharing information about the measures that have been adopted to protect the information will help to instill confidence in patients and encourage them to share the health information doctors need to effectively and safely provide care.
Preventing privacy breaches
The theft or loss of desktops and laptops, smartphones and tablets, USB keys, or portable hard drives, and the inappropriate disposal or transmission of patient files, are among the common sources of privacy breaches. The increased use and convenience of mobile devices must be balanced against the risk of privacy breaches.
To reduce the risk of privacy breaches, devices used to access or share electronic medical records need to be equipped with secure encryption software. Encryption is a valuable risk management tool. It converts information from a readable state to an unreadable state, and is a sensible way to protect electronically stored patient information. While privacy commissioners (including ombudsmen and reviewers) in each province and territory promote encryption, some jurisdictions have gone further and have mandated that personal health information be encrypted when stored on mobile devices. Moreover, most privacy commissioners agree that when hardware containing sensitive patient information is lost but secured by strong (i.e. hard to decipher) encryption, there is no actual loss of information and no need to notify patients.
Desktop computers and storage devices can be compromised, and computers can be stolen. In addition to the use of encryption software, all computers, whether desktop or laptop, should be appropriately protected. This includes both physical and electronic measures. External threats from viruses, spyware, or malware (malicious software) also need to be addressed. All privacy statutes require that personal health information stored electronically is appropriately protected. Examples include safeguards such as strong encryption, robust passwords, firewalls, and physical security.
In addition, when upgrading desktop computers or other electronic devices, or when disposing of eRecords after the required retention period, doctors should adequately transfer or dispose of patient information stored on the computer or on a device being replaced. For example, when disposing of a laptop or any hard drive containing patient data, it's important to ensure that information is permanently deleted. This may require the physical destruction of the electronic storage device or the use of wiping software. Selling or giving away electronic storage devices that once contained personal health information should be avoided. Physicians are encouraged to seek technical assistance and advice on the secure transfer and disposal of eRecords.
Remember that the greatest advantage of laptops and other mobile devices such as USB keys — portability — is also their greatest vulnerability, making them easily susceptible to loss and theft.3
The primary cause of data breaches in healthcare organizations is a lost or stolen computing device.4
The implications of using cloud computing for storing medical records
Data clouds are increasingly being considered by doctors as a way of storing medical records electronically. While there are different service models, clouds allow data to be stored on an off-site server run by a third party. Hospitals may be the more likely users of cloud technology, but doctors in both small practices and large clinics may see cost and portability benefits in leveraging this approach. Advantages for physicians include easy access to the data from any computer with an Internet connection.
Cloud computing has also raised significant security and confidentiality concerns among doctors. These privacy and security issues are manageable when there is proper planning, design, and selection of cloud models (including careful consideration of cloud infrastructure, service, and deployment).5 Physicians remain accountable for the information transferred to a cloud service provider. Security and privacy concerns should be addressed in advance of signing a cloud service agreement. Attention must be paid to issues such as restricted access, encryption, and procedures to ensure back-up and continued access in the event of an outage.
If physicians are thinking about using cloud-based technology, they should take the time to learn about data clouds and whether these would be valuable for the electronic storage of their patients' medical records. Physicians also need to be aware of the jurisdiction in which the personal health information will be stored and if restrictions prevent information from being stored on servers outside of Canada. For doctors working in institutions that are using or moving towards data clouds, the responsibility for the privacy of the medical records rests primarily with the institution as the custodian of the records. However, physicians should be familiar with any obligations they may have under the institution's policies, any access or data sharing agreements, or their role as agents or affiliates of the institution under privacy legislation.
The Office of the Privacy Commissioner of Canada has published 2 helpful documents to generally guide individuals and organizations contemplating the use of cloud services. These articles are titled "Fact sheet: Introduction to Cloud Computing" and "Cloud Computing for Small- and Medium-Sized Enterprises: Privacy responsibilities and considerations". The commissioner provides specific guidance on the risks and benefits of cloud services, contracts with cloud service providers, security issues that should be addressed, and restrictions on use, consent, and cross-border considerations.
Tips for protecting electronic records
To help protect patient information and avoid medico-legal risk, the CMPA suggests doctors consider the following tips when using electronic records and other technologies:
- Be aware of and follow relevant guidance from Colleges or other authorities, as well as the privacy legislation that applies to their practice and jurisdiction.
- Use a data sharing agreement to clarify obligations when sharing patient information. For more information, see "Data sharing principles for EMR/EHR agreements" (in the Electronic Records Handbook).
- Refrain from removing unencrypted, identifiable personal health information from the healthcare institution's premises and from storing identifiable personal data on unencrypted mobile devices.
- Use encryption for patient health information stored on a desktop, a laptop, or a mobile device. Determine if better protection is needed for any mobile devices containing patient health information, including the ability to remove data remotely should the device be lost or stolen.
- Refrain from using public wireless networks (hotspots) and free email services to access or share patient health information.
- Remember to update electronic security measures including password protection, encryption software, and any required security patches.
- When disposing of any device, ensure patient information is permanently deleted or irreversibly erased.
Physicians are eager to make the most of the technological advances offered by electronic health records and other health information technologies. Doctors are also responsible for the security and privacy of patient health information. Taking appropriate security measures will help ensure doctors derive the benefits technology offers, while protecting patient information and minimizing risk.
1. Information and Privacy Commissioner of Ontario, "Unauthorized Access to Electronic Records," Presentation to Ontario Hospital Association, November 28 2012. Retrieved on May 16 2013 from http://www.ipc.on.ca/images/Resources/2012-11-28-OHA.pdf.
2. Canadian Healthcare Network, "Privacy concerns adversely affect patient care outcomes, survey finds," February 22 2012. Retrieved on July 17 2013 from http://www.canadianhealthcarenetwork.ca/healthcaremanagers/news/hospitalinstitutional/privacy-concerns-adversely-affect-patient-care-outcomes-survey-finds-13209.
3. Ontario Hospital Association, "Protecting personal health information," webinar broadcast May 7 2013. Retrieved on July 2013 from http://ohaeducation.discoverycampus.com/elms/en/login.
4. Ponemon Institute, Third Annual Benchmark Study on Patient Privacy & Data Security, December 2012. Retrieved on October 3 2013 from http://lpa.idexpertscorp.com/acton/attachment/6200/f-0033/1/-/-/-/-/file.pdf.
5. Canada Health Infoway, "Cloud computing in health care," webinar broadcast February 13 2013. Retrieved on July 17 2013 from https://www.infoway-inforoute.ca/index.php/events/past-events-highlights/cloud-computing-in-health-webinar.