Privacy laws and professional standards require physicians to protect patient personal information and to meet the standards for records and systems management prescribed by the College of Physicians and Surgeons.
Contracting with a service provider or acting as an employee does not automatically relieve a physician of the duty to satisfy himself or herself that the standards are met.
Guidelines
Physicians should take steps to inform themselves of the information management procedures of the organization in which they practice, and satisfy themselves that such practices meet the minimum legal and professional standards.
It is good business practice to create and maintain a business continuity plan to ensure that medical records and other records containing Patient Information are protected from loss through (or corruption by) a range of possible external threats, acts of God, or error.
The Practice should have policies that address confidentiality, access, privacy, security, and employee and health care provider rights and responsibilities.
Use and disclosure of Patient Information for research should also be addressed in a policy document. If medical records are used in the course of research, legal advice should be obtained as to whether notice to the patient is required.
It is important to create a retention policy to ensure that medical records are not destroyed prematurely. Care should be taken to refer to legal limitation periods. The physician may also wish to consult their insurer.
Before disposing of any electronic device that contains or may contain Personal Health Information, the Practice should ensure that the device is securely wiped (consider the Government of Canada standards for Clearing and Declassifying of Electronic Data Storage Devices) or that its memory is physically destroyed, in order to eliminate any risk of a Privacy Breach.
Finally, it is recommended that the Practice implement security protocols to protect personal information held in an electronic system. Such protocols could include:
- The use of a unique user name and password.
- Password rules regarding minimum length and complexity.
- Ongoing authentication and monitoring of user names and password use.
- Role-based access, and access tracked by credentials.
- Firewalls, secure back-up and recovery processes, and intrusion detection tools.
- End-to-end encryption, including encryption of backup data and of electronic transmissions where remote access to the system is provided.
- Maintenance of a secure processing environment including but not limited to the timely application of upgrades, patches, fixes, and updates to operating systems and applications.
- Timely audits of physical and network systems logs, including user credentials.
- Controls ensuring that no Patient Information can be downloaded and/or stored on any mobile computing device [unless such device is enabled with software that automatically encrypts the Patient Information upon being downloaded].
- Reasonable and effective administrative and procedural security for any paper-based records throughout their life cycle, including locked cabinets, secure shredding and secure storage and archiving.
- A Privacy Breach protocol that provides for a timely response to any suspected or actual Privacy Breach, and where required by Applicable Law, for timely notification to any Patient whose personal information is involved in same.
- Appropriate training, user support, and discipline for breach of policy.
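The following is an added illustration, not part of this guidance document or any product it refers to, of how three of the protocols listed above fit together in software: role-based access, access tracked by the user's credential, and a review of the resulting log. The roles, user names and patient identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Role-to-permission mapping (constructed for this example; a Practice
# would define its own roles and the actions each one may perform).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read_chart", "write_chart"},
    "nurse": {"read_chart"},
    "billing": {"read_billing"},
}


@dataclass
class AccessEvent:
    """One entry in the access audit trail: who did what to which record."""
    seq: int
    user: str
    role: str
    action: str
    patient_id: str
    allowed: bool


@dataclass
class RecordSystem:
    """Toy patient-record store that enforces role-based access and records
    every attempt, allowed or denied, against the requesting credential."""
    users: Dict[str, str]                           # user id -> role
    audit_log: List[AccessEvent] = field(default_factory=list)

    def access(self, user: str, action: str, patient_id: str) -> bool:
        role = self.users.get(user, "unknown")      # unknown credential -> no role
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(
            AccessEvent(len(self.audit_log) + 1, user, role, action, patient_id, allowed)
        )
        return allowed


def denied_attempts(log: List[AccessEvent]) -> List[Tuple[str, str, str]]:
    """Audit check 1: every attempt the access control refused."""
    return [(e.user, e.action, e.patient_id) for e in log if not e.allowed]


def high_volume_readers(log: List[AccessEvent], threshold: int) -> Dict[str, int]:
    """Audit check 2: users who read more than `threshold` distinct charts.
    A valid credential reading far more charts than its duties require is the
    pattern that routine log review is meant to surface for follow-up."""
    charts: Dict[str, Set[str]] = {}
    for e in log:
        if e.allowed and e.action == "read_chart":
            charts.setdefault(e.user, set()).add(e.patient_id)
    return {u: len(p) for u, p in charts.items() if len(p) > threshold}


def demo() -> dict:
    """Run constructed sample activity through the system and audit the log."""
    system = RecordSystem(users={"dr_a": "physician", "rn_b": "nurse", "acct_c": "billing"})
    system.access("dr_a", "write_chart", "P-1001")
    system.access("rn_b", "read_chart", "P-1001")
    system.access("acct_c", "read_chart", "P-1001")   # billing role may not read charts
    system.access("ghost", "read_chart", "P-1002")    # credential not provisioned at all
    for pid in ("P-1003", "P-1004", "P-1005", "P-1006"):
        system.access("rn_b", "read_chart", pid)      # one nurse reading many charts
    return {
        "denied": denied_attempts(system.audit_log),
        "high_volume": high_volume_readers(system.audit_log, threshold=3),
        "log_entries": len(system.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points carry over to a real system: the log entry is written whether or not the access is permitted, so denied attempts are visible to the audit, and the audit routines are separate from the enforcement code, so the log can be reviewed on a schedule rather than only when a problem is reported.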
Appendix B contains sample contractual terms that are based on best practices for ensuring the privacy and security of personal information. They should be modified as necessary to describe the physician’s particular context.