Physicians and other healthcare providers need to access personal health information in the course of providing care for patients. Indeed, timely access to relevant information is essential for clinical management. The information may also be needed for quality improvement and educational purposes, or to provide evidence in the event of medical-legal difficulties. While there are potentially many valid reasons to access patient health information, that access has limits. Accessing a patient’s personal health information for unauthorized purposes or by unauthorized individuals is a breach of patient privacy, which may result in a privacy commissioner investigation or complaint to a regulatory authority (College) or a hospital.
Dr. Dennis Desai, a senior physician advisor at the CMPA, understands the information needs of physicians, while cautioning them to be aware of the requirement to respect patients’ privacy rights. “There is, quite understandably, a fair amount of confusion among physicians and others about what exactly constitutes a privacy breach with regard to patient health records. As physicians, it’s a challenge to provide effective medical care and at the same time keep up with evolving privacy requirements,” says Dr. Desai. But, he adds, there is some good news: “While physicians run the risk of criticism and sanctions for improperly accessing patient information, privacy commissioners are more interested in improving the system and preventing recurrences than in issuing penalties.”
When is viewing a medical record a breach of patient privacy?
Viewing a patient record to provide care and doing so out of curiosity are not equal propositions. For example, accessing your daughter’s friend’s medical history out of parental curiosity would generally be considered “snooping” and would likely constitute a privacy breach.
Physicians may at times have an interest to follow up with patients for the purposes of learning and professional development. Consider, for example, an emergency physician who treats a patient with head trauma but does not have any further involvement in the patient’s ongoing care. Several weeks later, she accesses the patient’s chart to review the subsequent treating information and to confirm whether she had provided appropriate care. In this scenario, the emergency physician is no longer in the patient’s circle of care and has no apparent need to know this information. “This is where some confusion often comes in. While this may not be an instance of snooping, such access might contravene privacy rules in some, though not all, provinces,” says Dr. Desai. Indeed, the legislation in some provinces, such as Ontario, permits access to patient health information for specified purposes such as quality improvement reviews. Nevertheless, physicians may wish to consult with the CMPA prior to accessing past patients’ records when there is no ongoing treating relationship or authorization from either the hospital or the patient.
Who controls access to patient health information?
Physicians may regard patient health information as theirs to use in the course of providing clinical care, guided by their professional judgment to determine what constitutes appropriate use of such information. Unfortunately, this approach overlooks the fact that individual patients have the right to determine who may access their health information and under what circumstances. Patients can go further, placing conditions or restrictions on which health providers or others can access their information.
“The electronic medical record has put information at our fingertips, which is good, but also brought about new concerns around privacy and information security. The ease of access must be balanced against the health information privacy legislation at the federal level and in each province and territory. These rules impose limits on access to and control of information in medical records,” Dr. Desai observes.
Information will likely be handled differently depending on whether a physician is working in a solo office practice or hospital, and how group or clinic practices are set up (i.e. whether individual patients are associated with the practice generally or with each physician). In any case, the custodian (trustee) of the information, whoever that is, is generally obliged to acquiesce to the patient’s wishes unless other legal authorization for the release of information applies.
In a solo office practice, the physician is the information custodian and therefore controls access to medical records. The physician has a duty to protect patients’ privacy and maintain the confidentiality of patients’ personal information. These obligations also extend to a physician’s office staff.
As part of managing office staff, consider the following safeguards:
- Require each staff member to sign a confidentiality agreement that details responsibilities concerning patient privacy. It is a good idea to renew the agreement on a regular basis.
- Communicate to staff that they must obtain a patient’s or substitute decision-maker’s consent before releasing personal health information to the patient’s family members or a third party.
- Remind staff that they may access a patient’s record only if they have a need to know, such as supporting the provision of healthcare services or for other approved purposes including quality improvement reviews.
In a shared practice such as a hospital or clinic, the organization is typically the information custodian with access control over medical records. Alternatively, if the physicians maintain patient rosters and records separately, the individual physicians may be the custodians of their patients’ records in a manner similar to a solo office practice.
Consider the following before accessing records outside of an existing doctor-patient relationship or other authorized purpose:
- Seek permission from the institution, and be forthcoming about your reasons for requesting access to a patient’s chart.
- If access to records is ongoing and recurrent, such as for morbidity and mortality (M&M) rounds, ensure the institution is aware of and approves this use, and determine whether it is permitted by privacy legislation in your province or territory.
- Do not assume that past consent for the provision of care extends to consent to access a patient’s chart indefinitely, particularly if you are no longer involved in the care of the patient.
- Be aware that built-in audit controls of EMR systems may automatically detect each instance of access to a record. Be prepared to justify any access that is not required for the provision of clinical care.
- Become familiar with any legal contract (e.g. data sharing agreement, or inter-physician agreement among a group of physicians) that applies to your use of an EMR system. (See the Electronic Record Handbook [PDF] for more information.)
- While legislation generally allows you to access relevant medical records in the event you receive a College or hospital complaint or a legal action, discuss your information needs with your institution or clinic, and contact the CMPA before accessing the records.
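As an added illustration of the audit-control point in the list above (example code, not from the CMPA article or any EMR vendor; the log format, field names, roster and purpose codes are constructed assumptions), the following shows how an access-audit review can flag chart views by users who are outside the patient's circle of care and have recorded no custodian-approved purpose, including a former treating physician revisiting a chart weeks later:

```python
# Added example (not from the CMPA article). Reviews constructed EMR access-audit
# entries and flags views that need justification: the user was not in the patient's
# circle of care at the time of access AND no approved purpose was recorded.
# Field names, the log format and purpose codes are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime

# Constructed roster: patient -> {user: (start of treating relationship, end or None)}.
CARE_TEAM = {
    "P1001": {"dr.ahmed": (datetime(2024, 3, 1), datetime(2024, 3, 2)),   # ER visit only
              "rn.lee": (datetime(2024, 3, 1), None)},                     # ongoing care
    "P2002": {"dr.singh": (datetime(2024, 2, 10), None)},
}

# Purposes the custodian has approved in advance for access outside the circle of care.
APPROVED_PURPOSES = {"quality_review", "patient_authorized", "complaint_response"}

@dataclass
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    purpose: str  # purpose code the EMR recorded at access time (assumed field)

def parse_line(line: str) -> AccessEvent:
    # Constructed format: "2024-03-01T09:15:00|dr.ahmed|P1001|treatment"
    ts, user, patient, purpose = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, patient, purpose)

def in_circle_of_care(ev: AccessEvent) -> bool:
    """True if the user had a treating relationship with the patient at access time."""
    window = CARE_TEAM.get(ev.patient, {}).get(ev.user)
    if window is None:
        return False
    start, end = window
    return start <= ev.ts and (end is None or ev.ts <= end)

def flag_access(ev: AccessEvent):
    """Return a reason string if the access needs justification, else None."""
    if in_circle_of_care(ev):
        return None  # need-to-know is presumed while providing care
    if ev.purpose in APPROVED_PURPOSES:
        return None  # custodian-approved purpose was recorded
    return f"{ev.user} viewed {ev.patient} outside circle of care (purpose={ev.purpose})"

def review(lines):
    """Run every audit line through flag_access and return the findings."""
    return [r for r in (flag_access(parse_line(l)) for l in lines) if r]

SAMPLE_LOG = [  # constructed audit lines
    "2024-03-01T09:15:00|dr.ahmed|P1001|treatment",      # treating physician, during visit
    "2024-03-22T18:40:00|dr.ahmed|P1001|self_review",    # weeks later, no longer in circle: flagged
    "2024-03-25T08:00:00|dr.singh|P1001|quality_review", # approved purpose: not flagged
    "2024-03-26T12:05:00|admin.jo|P2002|curiosity",      # no relationship, no purpose: flagged
]
```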
The bottom line
Before you access the medical record of a patient for whom you are not currently providing care, ask yourself: “Does the information custodian approve of the access for my purposes?” and “Is access legally permissible according to the health information legislation in my province or territory?” Your risk of breaching the patient’s privacy will be reduced if you can answer both of these questions in the affirmative. If you have questions or concerns, contact the CMPA for individual advice.