Duties and responsibilities: Expectations of physicians in practice

Protecting patient health information in electronic records

Published: October 2013 / Revised: September 2019

The information in this article was correct at the time of publishing

Electronic medical records offer advantages for storing and accessing patient health information, which may improve the management of patient care. However, the features that make electronic records desirable—accessibility, transferability, and portability of patient health information—also present privacy risks.

In keeping with regulatory requirements and policies from the medical regulatory authorities (Colleges), physicians are required to use appropriate measures to safeguard the privacy of patients' personal health information.

  • Be aware of and follow relevant standards and guidance from your College, as well as requirements under the privacy legislation in your jurisdiction.
  • Use a data sharing agreement to clarify obligations about sharing patient information via electronic medical records. Information about data sharing principles is available in the CMPA’s Electronic Records Handbook [1].

Electronic and physical safeguards

The theft or loss of desktops, notebooks, smartphones, tablets, USB keys, or portable hard drives, and the inappropriate disposal or transmission of patient files are among the common sources of privacy breaches. Computers and storage devices can also be compromised.

To reduce the risk of privacy breaches, consider the following:

  • Install encryption software on any devices you use to access or share electronic records including USB keys and smartphones. Encryption transforms electronic information into a form that is unintelligible, such as a muddled stream of seemingly random symbols. Only those who are authorized to decrypt such information are able to do so. Privacy commissioners across Canada generally promote the use of encryption software, while some jurisdictions, including British Columbia, Ontario, New Brunswick, and Alberta specifically mandate that personal health information be encrypted when stored electronically on mobile devices.
  • In addition to the use of encryption software, computers and devices should be appropriately protected using physical and electronic measures. Examples include safeguards such as robust passwords, firewalls, virus protection, and physical security.

Cloud storage

Cloud storage allows data to be stored on an off-site server operated by a third party, though information custodians (e.g. physicians, hospitals) remain accountable for the confidentiality of the information.

Consider security and privacy issues before entering into a cloud service agreement. Considerations include restrictions to access, data security, data back-ups, and service reliability.

  • Be aware of the jurisdiction in which the personal health information will be stored and whether restrictions prevent information from residing on servers outside of Canada. For example, in Québec, privacy legislation requires that a privacy impact assessment be conducted before personal information is communicated or stored outside the province.
  • While responsibility for privacy of medical records maintained by hospitals rests primarily with the institution as the custodian, if you are a staff physician you should be familiar with any obligations you may have under the institution's policies, access or data sharing agreements, or your role as an agent or affiliate of the institution under privacy legislation.
  • The Office of the Privacy Commissioner of Canada [2] provides further information on security issues related to cloud computing. Provincial and territorial privacy commissioners may also offer guidance for your jurisdiction.

Disposal of information

  • When computers or other electronic devices are being upgraded or when the applicable retention period for a medical record has been reached, it is important to appropriately transfer or dispose of the information stored on the device. Either transfer the information, physically destroy the hardware, or use data wiping software to permanently and securely delete electronic files.
  • Avoid selling or giving away electronic storage devices that once contained personal health information.


  1. Canadian Medical Protective Association [Internet]. Ottawa (CA): CMPA; 2014. Electronic Records Handbook [cited 2019 Jan]. Available from: www.cmpa-acpm.ca/en/advice-publications/handbooks/electronic-records-handbook
  2. Office of the Privacy Commissioner of Canada [Internet]. 2012 June. Cloud Computing for Small and Medium-sized Enterprises [cited 2019 Jan]. Available from: www.priv.gc.ca/en/privacy-topics/technology-and-privacy/online-privacy/cloud-computing/gd_cc_201206/

DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.