Electronic medical records (EMR) are now common to most nursing practices. To protect the privacy of patients’ personal health information, nurses should be aware of the unique privacy issues related to the use of EMR.
An increasing number of privacy breach cases involve unauthorized and inappropriate access by employees into their employer’s EMR system. Employees typically have broad access to patient charts to provide health services in accordance with their employment duties. This unfettered access is normally permitted so that relevant personal health information is readily accessible to care providers, especially in emergency situations.1
Unauthorized and/or inappropriate access to personal health information may lead to serious consequences, including discipline and monetary fines. In one case, a clerk who was having a personal relationship with the partner of a cancer patient repeatedly accessed the patient’s health information through the provincial electronic health records system without reasonable justification. The clerk was charged with illegally accessing the patient’s laboratory results, biopsy results and CT scans 17 times on six different days. The clerk, who was not a regulated healthcare professional, was fined $10,000 for violation of the provisions in Alberta’s Health Information Act.2 Note that a healthcare professional who breaches a patient’s privacy in this way may face even more serious consequences, including discipline by their nursing regulator.
The inclusion of more than one person’s health information within a medical record can result in inadvertent and unauthorized disclosure of personal information. Requests for health information must be carefully reviewed to ensure that only the concerned individual’s information is being released. References to any other patients or individuals should be identified and redacted.
For instance, inadvertent disclosure of a third party’s information occurred when a patient requested a copy of their own medical record from a records management company after their care provider’s practice had closed. This individual received a data file containing their personal health information as well as the personal health information of three other patients. The information that was erroneously disclosed included registration information, diagnostic, treatment and care information, and health services provider information. The investigation by the provincial information and privacy commissioner’s Office revealed that, prior to closing their practice, the physician had sent the records to a company to convert the files to a more easily retrievable format. The physician’s EMR system included a safety mechanism that maintained a backup copy of any files that were ever misfiled or deleted from charts. These files were accidentally included in the data provided to the patient, even though they no longer formed part of the patient file.3
The theft or loss of computers and portable devices such as laptops, tablets, USB keys, external hard drives, and cell phones can result in the inappropriate disclosure of personal health information. While the mobility of these devices makes them convenient, it also makes them vulnerable to theft or loss. Where these devices contain personal health information, it is important to verify that the employer permits the use of these devices, and that they have implemented adequate safeguard measures. Such measures should include user authentication, encryption, malware protection, and remote wiping capabilities to ensure that personal health information is not accessible in the event of device loss.
In one case, a physician left the hospital with a laptop computer loaded with the unencrypted personal health information of approximately 2,900 identifiable patients involved in research studies. The physician parked their car in a parking lot and placed the laptop computer under a blanket between the front seats. When the physician returned to the van, the front passenger window was broken and the laptop computer was missing.4 As a result, the hospital, who was the health information custodian in this case, was ordered to change their policies and procedures to ensure that PHI is safeguarded at all times, and to prohibit the removal of identifiable PHI from the hospital premises.5
A lack of secure procedures for the disposal of records containing personal information can result in a privacy breach. While specific obligations vary from jurisdiction to jurisdiction, privacy legislation generally requires the safe and secure disposal of personal health information.
Key Takeaways: Risk Management Considerations
The following risk management considerations could decrease the likelihood of a privacy breach:
- Implementing and updating organizational policies and procedures related to the access to and collection, use, disclosure, secure storage, and disposal of personal health information;
- Ongoing training for all employees, contracted staff, volunteers and students about privacy issues, the role of the organization’s Privacy Officer, and the applicable privacy legislation;
- Having all employees, contracted staff, volunteers, students and agents who have access to personal information enter into a confidentiality agreement;
- Having adequate technical safeguards, including strong password protection and/or encryption on all computers and mobile devices;
- Implementing security measures to prevent theft or loss as much as reasonably possible;
- Limiting access to personal health information on a need-to-know basis for patient care or for purposes authorized in privacy legislation;
- Monitoring of access to, use and disclosure of personal health information on an ongoing basis;
- Securely and permanently destroying personal health information once it is no longer needed for the purposes for which it had been collected, and in accordance with legislative record retention obligations.
Should you have questions relating to privacy issues, the following resources may be of use: your organization/employer’s Chief Privacy Officer, federal/provincial/territorial Information and Privacy Commissioners’ Offices, or your professional nursing regulator or college.
CNPS beneficiaries can contact CNPS at 1-800-267-3390 with specific questions related to their practice to speak with a member of CNPS legal counsel. All calls are confidential.
- PHIPA Order HO-010, Office of the Information and Privacy Commissioner of Ontario, 2010.
- Health Information Act, R.S.A. 2000, c. H-5; Alberta Court of Queen’s Bench Docket number 061362778P1, 13 April 2007 (oral judgment).
- Investigation Report H2008-IR-002, Office of the Information and Privacy Commissioner of Alberta, 2008.
- Order HO-004, Office of the Information and Privacy Commissioner of Ontario, 2007.
Reviewed August 2021.
THIS PUBLICATION IS FOR INFORMATION PURPOSES ONLY. NOTHING IN THIS PUBLICATION SHOULD BE CONSTRUED AS LEGAL ADVICE FROM ANY LAWYER, CONTRIBUTOR OR THE CNPS. READERS SHOULD CONSULT LEGAL COUNSEL FOR SPECIFIC ADVICE.