Managing Access to Electronic Health Records

One of the benefits of electronic health records (EHR) is ease of access. Physicians and other healthcare providers can retrieve a patient's personal health information with a few keystrokes.

That same ease of access is also a privacy risk: a breach occurs whenever a provider views an individual's personal health information for a purpose unrelated to that individual's care. Patient complaints and access audits are increasingly uncovering cases where healthcare providers have looked at patients' records for unauthorized purposes.

Patients whose privacy has been compromised may face discrimination, stigmatization, and economic or psychological harm. Most importantly, patients whose privacy has been breached lose trust and confidence in the health system.

For physicians, the consequences can include patient complaints to a privacy commissioner, a medical regulatory authority (College) or a hospital/health authority, possible sanctions, and lawsuits.

Principles of access

The information in the health record always remains the patient's and is held in trust for the care and benefit of the patient. Consent is the main way patients exercise their right to control their personal health information, and it can be either implied or express. Implied consent exists when it is reasonable to assume, in the specific circumstances, that an individual has consented. For example, when a patient chooses to visit a doctor for an appointment, one can assume the patient is consenting to the physician collecting their personal health information. Implied consent also extends to the "circle of care": the sharing of personal health information with other healthcare providers who are involved in the patient's care. Sharing information outside the circle of care, however, requires the patient's express consent, given as a directive either verbally or in writing.

Patients may choose to place limits or conditions on who may have access to their personal health information, even within the circle of care, through a process called a lockbox or masking. An EHR system provider will be able to help physicians address requests to limit access to personal health information. Physicians should explain to the patient the risks and benefits of placing such limitations and document in the record that the discussion took place.

Managing risks

Physicians are obligated to protect their patients’ personal health information from inappropriate access through sound policies and processes.

Physicians must also ensure that their employees and staff members are aware of these policies and procedures and abide by them. Physicians are urged to require that employees and staff members sign a confidentiality or non-disclosure agreement, and to provide yearly office training sessions on privacy. No one in the office or clinic should access a record unless they are part of that patient's circle of care.

Furthermore, physicians are encouraged to configure their EHR system with access controls based on each user's role and responsibilities, so that staff can open only the parts of a record their duties require.
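The following is an added illustration (not code from the original page or from any EHR vendor) of how the principles above fit together as access-control logic: a role check, a circle-of-care check standing in for implied consent, a patient lockbox that masks sections even from the circle of care, express consent that releases named sections to a named user, and an audit trail from which out-of-circle access attempts can be pulled for review. The roles, section names, user ids and patient are all constructed for the example.

```python
"""Toy EHR access-control layer: role permissions, circle-of-care membership,
patient lockbox (masking), express consent, and an audit trail of every decision.
Constructed example; roles, sections and users are assumptions, not any
real EHR product's model."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which record sections each role may open at all. Assumed for illustration.
ROLE_SECTIONS = {
    "physician": {"demographics", "encounter_notes", "labs", "medications", "mental_health"},
    "nurse": {"demographics", "encounter_notes", "labs", "medications"},
    "receptionist": {"demographics"},
}


@dataclass
class Patient:
    patient_id: str
    circle_of_care: set                                   # user ids currently providing care
    lockbox: set = field(default_factory=set)             # sections the patient has masked
    express_consent: dict = field(default_factory=dict)   # user id -> sections released by directive


@dataclass
class AccessEvent:
    when: datetime
    user: str
    role: str
    patient_id: str
    section: str
    allowed: bool
    reason: str


class EhrAccessControl:
    def __init__(self, users):
        self.users = dict(users)   # user id -> role
        self.audit_log = []        # every decision is recorded, allowed or denied

    def check(self, user, patient, section):
        role = self.users.get(user, "unknown")
        allowed, reason = self._decide(user, role, patient, section)
        self.audit_log.append(AccessEvent(datetime.now(timezone.utc), user, role,
                                          patient.patient_id, section, allowed, reason))
        return allowed, reason

    def _decide(self, user, role, patient, section):
        if role not in ROLE_SECTIONS:
            return False, "unknown user"
        # 1. Role check: the role must be entitled to this kind of information.
        if section not in ROLE_SECTIONS[role]:
            return False, f"role {role} may not view {section}"
        # 2. Express consent (a verbal or written directive) releases a section
        #    to a named user regardless of circle of care or lockbox.
        if section in patient.express_consent.get(user, set()):
            return True, "express consent"
        # 3. Implied consent reaches only those inside the circle of care.
        if user not in patient.circle_of_care:
            return False, "outside circle of care"
        # 4. Lockbox: the patient masked this section even from the circle of care.
        if section in patient.lockbox:
            return False, "section masked by patient lockbox"
        return True, "implied consent (circle of care)"

    def suspected_snooping(self):
        """Users with denied attempts outside the circle of care, with counts:
        the events a privacy audit would review first."""
        counts = {}
        for ev in self.audit_log:
            if not ev.allowed and ev.reason == "outside circle of care":
                counts[ev.user] = counts.get(ev.user, 0) + 1
        return counts


def build_demo():
    """Constructed clinic and patient; returns the controller and the decisions."""
    ac = EhrAccessControl({"dr_lee": "physician", "rn_patel": "nurse",
                           "front_desk": "receptionist", "dr_chen": "physician"})
    pt = Patient("P-1001", circle_of_care={"dr_lee", "rn_patel", "front_desk"},
                 lockbox={"mental_health"},
                 express_consent={"dr_chen": {"mental_health"}})
    results = {
        "nurse_labs": ac.check("rn_patel", pt, "labs"),
        "reception_labs": ac.check("front_desk", pt, "labs"),
        "physician_lockbox": ac.check("dr_lee", pt, "mental_health"),
        "consultant_express": ac.check("dr_chen", pt, "mental_health"),
        "consultant_labs": ac.check("dr_chen", pt, "labs"),
        "unknown_user": ac.check("intern_x", pt, "demographics"),
    }
    return ac, results


if __name__ == "__main__":
    ac, results = build_demo()
    for name, (ok, why) in results.items():
        print(f"{name:20} {'ALLOW' if ok else 'DENY ':5} {why}")
    print("review queue:", ac.suspected_snooping())
```

The order of the checks matters: the role check comes first so that express consent can never grant a receptionist clinical data, and express consent is evaluated before the circle-of-care and lockbox checks because a patient's directive is what lifts those limits. Recording denials as well as grants is what makes the later audit possible.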

Lastly, if a breach does occur, it must be dealt with immediately and effectively, and in compliance with any requirements imposed by the applicable privacy legislation.
