The discussion, Securing Canada’s Medical Records, also included Gail Crook, CEO and registrar of the Canadian Health and Information Management Association (CHIMA), and Michael Collins, VP, Sales Canada at Shred-It, a document destruction company, which sponsored the event.

Smaller medical organizations tend to be less aware of new legislation regulating accountability than are large institutions, said Johnson, senior lecturer and HIM instructional coordinator at the University of Ontario Institute of Technology. In contrast, in facilities such as hospitals and long-term care facilities, there’s a real push to implement new regulations regarding security processes as soon as they come out.

“In doctors’ and dentists’ offices, there is not the same type of push about new legislation. There’s a lack of awareness of what’s required of them and an unfamiliarity with their own professional practices and codes of ethics,” he said.

Crook agreed, saying acute care hospitals have many robust polices in place. Privacy and security are written into each professional’s codes of ethics. “Everyone must sign an oath of confidentiality and there’s rigorous training. When there’s a breach, it’s a big deal. It’s taken very seriously,” she said.

The advent of electronic health records has also made developing effective and standardized procedures more difficult, Crook said. In Canada, the transition to an electronic medical record (EMR) system has been slow — the last 10 years has been spent just developing infrastructure. As a result, most medical workers are dealing with three sets of records: paper, electronic and hybrid, part paper and part electronic.

“Most hospitals are in a hybrid state. Only 10 to 30 per cent of records are electronic,” she said.

While government-funded facilities across Canada know about and follow the Freedom of Information Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), they are having trouble knowing how to handle the hybrid and electronic records.

“They’re really struggling. There’s no good legislation in place for electronic records, nor are there polices or procedures. Some of this is being made up as we go along, and standards are being developed,” she said.

“But it’s more the private community sector in health, the physicians’ offices. They don’t have time to review the legislation, understand it and train their staff.”

Most GPs are reluctant to switch to e-records, she added, mainly because of the cost and complexity involved. She estimates it may take as long as 50 years to make the transition from a paper to a completely electronic system.

As with paper records, medical facilities have different ways of handing e-health records. Security standards relating to patient records are set by the ISO, the International Standards Organization. These principles are then adopted by Canada Health Infoway, a government-funded corporation set up in 2001 to direct the development of a national electronic health record system (EHR), which, in turn, helps provinces and territories adapt them to their facilities.

But while the principles are there, the mechanisms created to establish universal standards have been underfunded and understaffed, Crook said. For example, federal law requires every health agency and organization to have a Chief Privacy Officer, but no money was provided for training or staff.

“It looks good on paper. Every province has an e-health office, which in theory disseminates [the principles] to all health facilities. But we’re nowhere near that. Every province, every hospital has its own way,” she said. “It’s a huge undertaking to implement privacy and security.”

Generally, thieves go after health records not to get medical information, but to steal identification, panellists said. With one or two pieces of information, a person has an identity. And the move to electronic records is likely to make theft easier. However, Crook noted, there’s far less incentive in Canada for a person to target medical records than in the United States.

“ID theft is the crime of the info age. It’s rampant in the U.S. because there’s no universal health care and people don’t have money,” she said.
Crook noted that e-records make it easier for a person who wants to steal an ID to search for a particular demographic. “That couldn’t be done with paper because everything was filed alphabetically.”