Electronic Health Records – Privacy and Security Issues

January 27, 2010

Electronic health records offer significant advantages to effective health care. However, they pose challenges to the security of personal health information (PHI). Locks and pass-keys, though potentially sufficient in a paper-based system, are inadequate in an electronic environment. Further, in a computerized environment the risks posed by unauthorized access are magnified. Computerized databases of personally identifiable information are more vulnerable than paper-based systems because they may be accessed, changed, viewed, copied, used, disclosed or deleted more easily and by many more people than paper-based records.

The technological means to secure or render unidentifiable PHI do exist. The challenge is not to invent the technology, but rather to ensure that the law has done all that it can to protect the individual's reasonable expectation of privacy and security of PHI.

A wide diversity of organizations and networks of organizations within Canada are now using EHRs. Within Ontario, for example, a number of regional health centres as well as individual hospitals have adopted EHRs. Distinctive characteristics of an EHR include the following:

How Do the Privacy Laws Address Electronic Health Security?

It is primarily under the privacy laws that security of PHI is addressed. The Personal Information Protection and Electronic Documents Act (PIPEDA) provides substantial guidance in this area; however, it only applies to commercial entities (and the commercial activities of other entities) and, therefore, has certain limitations in scope when dealing with the health sector.

Four provinces have adopted specific health-sector privacy legislation (Ontario, Manitoba, Saskatchewan and Alberta). Furthermore, all of these laws address, with greater or lesser specificity, the security requirement. All of the provincial laws, except Ontario's, mandate health information custodians to address the three categories of safeguards identified in PIPEDA: administrative, physical and technological. However, only Manitoba has addressed electronic security with any specificity. That province's statute and regulations address protection against unauthorized interception, secure destruction and mobile devices, and require user logs and audit trails. The rules stipulated are quite general in nature but can be contrasted with the other provincial statutes and PIPEDA, which at present contain no rules specifically addressing EHRs and the use of electronic systems by custodians.

In the absence of legislative guidance, the Ontario Information and Privacy Commissioner has articulated certain criteria through her order-making power and through informal guidelines. For example, the Commissioner in her recent Personal Health Information Protection Act (PHIPA) Order H0-007 has reiterated the requirement that all PHI maintained on portable electronic devices, including USB memory sticks, be emptied. The Commissioner's Order recommends procedures for protecting access to PHI held on such devices.
The Order mandates effective encryption of such information, and it identifies alternative encryption methodologies and strong encryption standards.

The question that may be posed is the following: Should Canada's laws reflect a pro-active leadership role in establishing basic principles for EHR security, or should we rely on general legal precepts of security to ultimately generate a set of rules, through a more circuitous process? If we believe that privacy laws should be instructive and preventative, not reactive, then providing guidance for users to avoid pitfalls is preferable to penalizing them for breaches. More importantly, compliance and breach avoidance protect those who would suffer injury; that is, the individual users of the system.

David Young is a partner, Co-Chair of the Privacy Group and a member of the Environment, Energy & Emissions Trading Group in Toronto. Contact him directly at 416-307-4118 or dyoung@langmichener.ca.