Physicians, dentists and other health practitioners have professional, legal and ethical responsibilities to keep the personal health information of their patients confidential and private. These obligations are governed and imposed by the regulatory body of each profession as well as various legislation including the Personal Health Information Protection Act (PHIPA).
PHIPA imposes obligations on Health Information Custodians with respect to collecting, using and disclosing “personal health information”. A Health Information Custodian is someone who has custody or control of personal health information as a result of that person’s duties for work. This includes physicians, dentists and other healthcare practitioners.
Not only are Health Information Custodians responsible for upholding the legal, professional and ethical obligations of privacy, the Health Information Custodian is also responsible for ensuring that its staff and other agents acting on their behalf are aware of requirements for maintaining confidentiality of patients’ personal health information.
The majority of physicians and dentists use and maintain electronic medical and dental records in their practice. For the purposes of this blog, these records will be referred to as electronic records. The use of electronic records facilitates a positive effect on patient care and the work lives of practitioners, and the benefits are numerous;
- reduction of space so that clinics don’t have to store and retrieve paper records,
- optimization of workflow,
- better organization and ease of access to information within the record,
- help to assist with the coordination and continuity of care among various providers.
But for as many benefits that electronic records provide, there are an equal or greater number of associated risks, including the risk of a breach of privacy of patient information. Although paper-based records also have their own challenges with respect to privacy and security, for the purposes of this blog, we will focus on electronic records. It is very important that practitioners are aware of the risks associated with electronic records and ensure that various safeguards are in place to limit or prevent a privacy breach.
These risks are present for a variety of reasons, including;
- staff may not be adequately trained to use the electronic records management system used by the clinic,
- converting existing paper records to electronic format may require more frequent access to records by more people than usual,
- it may be necessary for third-party service providers to be involved, which creates additional complexity regarding the management of privacy risks.
Ensure proper safeguards are in place
If practitioners are using an electronic records management system (“ERMS”), it is necessary to employ a variety of safeguards or controls that regulate who may gain access to the system, and limit authorization to modify the records. Generally, there are two types of safeguards that can be implemented: physical access controls and logical access controls.
Physical access controls
These access controls serve to restrict a person’s ability to access certain areas of the premises and control access to electronic records. Physical access controls may include the following;
- security systems to restrict after-hours entry to the clinic,
- arranging workstations and servers in secure areas of the clinic,
- shielding monitors so that the display is not visible by anyone not authorized to have access to the electronic records,
- automatic timeout/logout at idle workstations.
Logical access controls
These access controls are often designed directly into the computer and network operating systems, or are incorporated into various software applications. They enable certain people (ie. staff members) to have access to the information needed to carry out their duties, while controlling and restricting their access to certain information.