Electronic health records raise identity theft concerns
Lack of strict security procedures at the community level is one of the greatest threats to maintaining the privacy of patient information, health information expert Kerry Johnson said in a recent discussion on medical records security.
The discussion, Securing Canada’s Medical Records, also included Gail Crook, CEO and registrar of the Canadian Health and Information Management Association (CHIMA), and Michael Collins, VP, Sales Canada at Shred-It, a document destruction company, which sponsored the event.
Smaller medical organizations tend to be less aware of new legislation regulating accountability than are large institutions, said Johnson, senior lecturer and HIM instructional coordinator at the University of Ontario Institute of Technology. In contrast, in facilities such as hospitals and long-term care facilities, there’s a real push to implement new regulations regarding security processes as soon as they come out.
“In doctors’ and dentists’ offices, there is not the same type of push about new legislation. There’s a lack of awareness of what’s required of them and an unfamiliarity with their own professional practices and codes of ethics,” he said.
Crook agreed, saying acute care hospitals have many robust policies in place. Privacy and security are written into each professional’s codes of ethics. “Everyone must sign an oath of confidentiality and there’s rigorous training. When there’s a breach, it’s a big deal. It’s taken very seriously,” she said.
The advent of electronic health records has also made developing effective and standardized procedures more difficult, Crook said. In Canada, the transition to an electronic medical record (EMR) system has been slow — the last 10 years have been spent just developing infrastructure. As a result, most medical workers are dealing with three sets of records: paper, electronic and hybrid, part paper and part electronic.
“Most hospitals are in a hybrid state. Only 10 to 30 per cent of records are electronic,” she said.
While government-funded facilities across Canada know about and follow the Freedom of Information Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), they are having trouble knowing how to handle the hybrid and electronic records.
“They’re really struggling. There’s no good legislation in place for electronic records, nor are there policies or procedures. Some of this is being made up as we go along, and standards are being developed,” she said.
“But it’s more the private community sector in health, the physicians’ offices. They don’t have time to review the legislation, understand it and train their staff.”
Most GPs are reluctant to switch to e-records, she added, mainly because of the cost and complexity involved. She estimates it may take as long as 50 years to make the transition from a paper to a completely electronic system.
As with paper records, medical facilities have different ways of handling e-health records. Security standards relating to patient records are set by the ISO, the International Standards Organization. These principles are then adopted by Canada Health Infoway, a government-funded corporation set up in 2001 to direct the development of a national electronic health record system (EHR), which, in turn, helps provinces and territories adapt them to their facilities.
But while the principles are there, the mechanisms created to establish universal standards have been underfunded and understaffed, Crook said. For example, federal law requires every health agency and organization to have a Chief Privacy Officer, but no money was provided for training or staff.
“It looks good on paper. Every province has an e-health office, which in theory disseminates [the principles] to all health facilities. But we’re nowhere near that. Every province, every hospital has its own way,” she said. “It’s a huge undertaking to implement privacy and security.”
Generally, thieves go after health records not to get medical information, but to steal identification, panellists said. With one or two pieces of information, a person has an identity. And the move to electronic records is likely to make theft easier. However, Crook noted, there’s far less incentive in Canada for a person to target medical records than in the United States.
“ID theft is the crime of the info age. It’s rampant in the U.S. because there’s no universal health care and people don’t have money,” she said.
Crook noted that e-records make it easier for a person who wants to steal an ID to search for a particular demographic. “That couldn’t be done with paper because everything was filed alphabetically.”
Whether paper or electronic records provide better security, however, will be determined by what regulations we impose, Johnson said.
“E-records are a double-edged sword. The advantage is you have the ability to do audit trails, so you can determine who has seen a document. But it’s easier to move things around, and things get lost,” he said. “It all comes down to how we’re going to handle it.”
Medical facilities must make clear who has access to patients’ records and what level of access they have, panellists agreed. By law, Johnson said, patients have the right to see everything in their records. But medical staff should have access to only as much as they need to know. “That could mean someone doesn’t get access at all.”
Access is often determined by the “circle of care,” Crook said. Everyone within the circle gets full access. But sometimes, she added, “people push the borders of the circle of care. That’s where things get challenging.”
Hospitals and clinics must also require staff to sign an oath of confidentiality, Johnson said, and they must show they’re going to back it up with sanctions.
“The protocol that works best is scare tactics. Procedures have to have teeth, and people have to understand that there will be serious consequences. All you have to do is fire two or three people, and that will put an end to that kind of thing. It’s unfortunate, but that’s what it takes,” he said.
Collins agreed the main problem with e-records is that they allow a person to transfer files. They are also exposed to far more people than are paper records. Protocol differences among provinces create further difficulties, and he urged the creation of a national body charged with regulating procedures.
“From a vendor’s standpoint, we would appreciate it if there was some centralization so that protocols would be standardised,” he said.
But Crook and Johnson said every organization must remain completely responsible for its own staff and for maintaining confidentiality.
“There are 14 different legislatures in Canada dealing with security. But to have one body across the country regulating it, I don’t think that’s necessary. Each organization is ultimately responsible for what goes on between its four walls,” Johnson said.
Every hospital has a process for maintaining and destroying medical records, Johnson said. In Ontario, documents are kept for at least 10 years after the patient’s last visit, or, in the case of children, 10 years after they turn 18. But most records are kept longer than that, sometimes in perpetuity.
And, he added, there are strict rules governing when a hospital can destroy records. It can outsource storage and destruction, but if the contractor destroys data without authorization, the hospital is still accountable.
But destroying patient data is a problem that won’t exist with e-records, he noted.
“With e-records we won’t have to destroy anything,” he said.