CMPA - Electronic records handbook
Dr Robert Schertzer in glaucoma-it-blog
Captured on 15 Jul 2010 from www.cmpa-acpm.ca
Electronic Records Handbook
Implementing and using electronic medical records (EMRs) and electronic health records (EHRs)
- Important Considerations
- Introduction
- Selecting an appropriate system
- Regulation of electronic records
- Patient consent and rights to access
- Security and privacy issues
- Maintaining data integrity
- Sending/transferring records
- Destroying/disposing of records
- Data sharing and inter-physician arrangements
- Emerging issues
- Conclusion
- Appendix A – Glossary
- Appendix B – Further resources
- Appendix C – Data Sharing Principles
Important Considerations
- Selecting an appropriate system will depend on the needs of the physician’s practice as well as any applicable legal and/or regulatory requirements. Advice from a qualified service provider or an experienced and prudent user may be beneficial when selecting and/or setting up an EMR. In some cases, use of a specific EHR system may be required by the hospital, regional health authority, or provincial/territorial government. See Selecting an appropriate system
- Members are encouraged to review the CMPA’s Data Sharing Principles for detailed information on how to execute an agreement for a shared EMR or EHR. The agreement should address issues such as ensuring continued access to patient records after leaving a group practice or the termination of agreements with external service providers. See Appendix C for Data Sharing Principles
- Physicians should understand their obligations when participating in or when asked to upload portions of their office EMR to an EHR operated by hospitals, regional health authorities, provinces/territories, etc. Physicians should be aware of the “core data set” for the particular EHR to which they are contributing. See Data sharing and inter-physician arrangements
- Members should consider discussing with patients the inclusion of their personal health information in an EMR/EHR. Express consent may be necessary when patient information is shared with others for purposes other than providing health care (i.e. outside the circle of care). See Patient consent and rights to access
- Reviewing security requirements of EMR/EHR should be a priority. This includes ensuring applicable security and back-up requirements are available, and encrypting personal health information stored in electronic form. Further, EMRs/EHRs should have an audit trail that can appropriately track access to and editing of the record. EMRs/EHRs should allow the physician to control access to patient information, including through the “lock-box” or “masking” requests by patients. See Security and privacy issues
- Members need to consider appropriate security measures and procedures when communicating personal health information via email or other electronic means. See Sending/transferring records
- Retention periods for medical records are just as important with EMR/EHR as they are for paper records. Once the required retention period for medical records has expired, the information in the EMR/EHR can be appropriately destroyed. See Destroying/disposing of records
- Relying exclusively on personal health records (sometimes referred to as “patient health records” or “PHRs”) raises unique issues for physicians. Caution should be exercised given that the patient typically controls what information is included in PHRs. Physicians who use or access personal medical record services or other similar websites on the Internet will want to discuss with the patient the privacy risks of doing so. See Emerging issues
Introduction
An EMR is an electronic version of the paper record generally maintained by doctors for their patients. It may be a simple office-based system or a shared record that connects health professionals through a network.
An EHR is maintained by a hospital, regional health authority or provincial/territorial government and typically includes a wider cross-section of information from a number of sources.
With constant advancements in technology, electronic medical records (“EMRs”) and electronic health records (“EHRs”) have become an integral part of health care delivery in Canada. EMRs/EHRs have the potential to improve the management of individual patient care while bolstering the overall effectiveness of the health care system. Efficiency gains from such advancements are expected to enhance the quality of care, improve access to care and reduce costs.
Recognizing the potential applications and benefits, this handbook aims to provide members with an overview of the issues associated with the implementation and use of EMRs/EHRs, including technological issues and medico-legal risks. It is intended to be a practical resource for physicians.
Distinguishing between EMRs and EHRs
An EMR generally refers to an electronic version of the paper record that physicians have long maintained for their patients. The EMR may be a simple office-based system or a more sophisticated shared EMR accessible to those within a group practice, health care facility, or a network of health professionals (e.g. treating physicians, other health care providers, information managers, etc.).
EHRs are typically maintained by a hospital, health authority or provincial health ministry and generally include a wider cross-section of information from more diverse sources than EMRs. The EHR is a compilation of core health data from multiple sources (e.g. physicians, physiotherapists, pharmacists, laboratories, etc.). It is typically comprised of different records submitted by various providers and organizations and accessible by several authorized parties from a number of places of care, possibly even from different jurisdictions.
Selecting an appropriate system
- Assess the needs of the practice and choose a system/software program that will best meet those needs.
- Seek professional assistance from the software vendor and/or an information technology consultant, where appropriate.
- Consult with colleagues who have implemented an EMR, as well as provincial/territorial/national medical associations.
- Consult personal legal counsel before entering into any equipment lease or purchase agreement.
Choosing an electronic record system
In choosing an appropriate system, members should assess the needs of their practice and select a system that will meet their expectations. Members are encouraged to seek professional assistance from a variety of possible sources, including a technology vendor, an information technology consultant, provincial/territorial/national medical associations and/or their local physician technical support program, if available. Colleagues who have implemented an EMR may provide useful feedback on the selection process. Some jurisdictions have a preapproved vendor list to facilitate the selection process and might also have funding available to offset some or all of the acquisition and implementation costs.
Members should be aware of the legal and regulatory requirements applicable in their jurisdiction and ensure the chosen system can fulfill applicable requirements. In addition, if linking to an EHR, members should be aware of compatibility requirements that may be prescribed by health authorities, health care institutions or facilities.
The system vendor will likely require the physician/group to sign a software license, which is a legal agreement governing the use and distribution of the copyright-protected EMR software. While granting the physician/group permission to use the software, license agreements also impose certain obligations and restrictions on the use of the product. Members should be aware of the terms of the software license agreement and are strongly encouraged to contact their personal legal counsel and/or provincial/territorial/national medical associations for advice before signing the license agreement.
The system vendor may provide computers, tablets, PDAs (personal digital assistants), servers or other equipment to be used with the particular EMR/EHR system. Such equipment might be purchased or leased by the physician/group. If the equipment is leased, members should be aware of the terms of the lease, including any early termination payments or penalties. If the equipment is purchased, members should be familiar with the terms of the purchase agreement, including any applicable warranties. Physicians are encouraged to consult their personal legal counsel before entering into any equipment lease or purchase agreement.
In addition to choosing the right system (including software and hardware), there are a number of practical considerations that should be taken into account, including:
- How will workflow be maintained while the EMR is being installed and records are being converted? How will patient care and record-keeping be managed during the transition stage? What should be done with paper records converted to electronic format or records that are partially converted? Is a privacy impact assessment required?
- What training will be conducted for the physician and his or her staff, and who will provide ongoing technical support?
- What systems will be put in place, both from a technical standpoint and from an office policy point of view, to ensure security and privacy of patient records?
- How will data integrity be ensured (e.g. audit trails, back-up and recovery systems, quality assurance procedures such as audits, etc.)?
- What system will be in place to ensure the appropriate destruction of records after the required retention period?
- What are the necessary duplication agreements to be signed? These may include agreements with a health authority (i.e. local, regional or provincial) or government ministry operating an EHR. In addition, agreements may be required with service providers who will offer information technology services. Where the EMR is being introduced in a group practice it may be advisable to have an agreement with the members of the group practice.
These issues, among others, will be discussed in the following chapters.
Working with decision support systems
Decision support sheets or algorithms are commonly used by physicians to analyze clinical facts to assist them with treatment decisions or diagnoses. Some EMRs/EHRs are equipped with decision support tools embedded in the software that prompt the user to consider certain factors and/or possible decisions in response to the inputted data. The presence of a decision support tool within an EMR/EHR gives rise to unique and challenging issues that should be considered before acquisition.
For example, members should determine if the system permits individual users to disable or disregard the decision support tool. If this is the case, members will want to consider the availability of a robust audit trail that tracks the advice that is accepted or rejected by individual users. Although each system will function differently, users should be aware in advance how the particular decision support tool operates and whether the information generated is reliable.
Decision support tools must not be used as a replacement for a physician’s own judgment. Each suggestion offered by the decision support tool should be assessed based on the individual circumstances of the case.
Members will want to consider documenting in the patient’s chart their reasons for following or ignoring a suggestion provided by the decision support tool. If the diagnosis suggested by the software was ignored and proves in hindsight to be accurate, the physician may be required in the course of a legal action or College complaint to justify why the information was disregarded. Documentation of the physician's rationale for disregarding a suggestion would be helpful under these circumstances. Similarly, if the decision support tool is disabled, physicians will want to document their rationale for doing so.
Regulation of electronic records
- Become familiar with applicable regulatory authority (College) requirements, legislation, regulations or other expectations regarding the use of electronic records.
- Review privacy legislation as, in some provinces, it may contain specific provisions or expectations regarding EMRs/EHRs.
Existing regulations and guidelines regarding the creation, maintenance, retention and destruction of traditional paper medical records generally extend to EMRs and EHRs. There may be additional requirements that apply specifically to records in an electronic format. These will be determined primarily by regulatory authorities (Colleges) and provincial, territorial or federal governments.
Regulatory authority (College) requirements
Several Colleges have adopted policies, bylaws, rules or regulations concerning EMRs/EHRs that include some or all of the following requirements:
- The system is capable of visually displaying and printing the recorded information for each patient promptly and in chronological order;
- The system provides a means of accessing the record of each patient according to the patient's name and medicare health number (if applicable);
- The system maintains an audit trail that:
  - records the date and time of each information entry for every patient,
  - indicates any changes in the recorded information,
  - preserves the original content of the recorded information when changed or updated, and
  - is capable of being printed separately from the recorded information for each patient.
- The system requires robust security features (including encryption, use of passwords, and access controls) to protect against unauthorized access; and
- The system automatically backs up files and allows the recovery of backed up files or otherwise provides reasonable protection against information loss, damage and inaccessibility.
While not all of these requirements may necessarily apply in every jurisdiction, they should be considered when setting up an EMR in a medical office.
Respecting privacy legislation
Privacy legislation governing the collection, use and disclosure of personal information is applicable in all provinces and territories. In many provinces, the legislation includes provisions that apply specifically to the privacy of electronic health records. Legislation governing electronic commerce may also be applicable and typically deems electronic records to be equivalent to paper records, regulates the use of electronic signatures and addresses certain evidentiary issues.
Most privacy statutes impose obligations on physicians and other custodians of patient information to take all precautions to minimize the risk of loss, theft or unauthorized access or use of that information. Some privacy legislation further requires custodians to implement specific safeguards when maintaining patient information in electronic form.
Patient consent and rights to access
- Consider notifying patients that their health information will be stored in an EMR/EHR, even if notification is not strictly required. Personal health information can generally be shared within the “circle of care” for the purpose of providing health care.
- Consider whether express consent is required, such as when disclosing patient information from an EMR/EHR to a third party for purposes other than providing health care.
- Consider a written agreement with service providers documenting privacy obligations.
- Members may wish to discuss with their College whether it is necessary to obtain consent from patients prior to uploading their health information in the core data set.
- Patients may be permitted to restrict access to their personal health information contained in an EMR/EHR (e.g., lock-boxes, masking, disclosure directive/opt-out).
- Where appropriate, provide patients with access to their health information contained in an EMR/EHR in a suitable format.
As with any patient information, physicians generally do not need a patient's express consent to include his or her health information in an EMR/EHR, or to share patient information with other health care providers for the purpose of providing treatment. Physicians can generally rely on a patient's implied consent to share information within the “circle of care,” which includes those health care professionals who “need to know” the information for the purpose of providing care.
Privacy legislation also generally permits custodians to share personal health information with an “agent” (such as a service provider or company assisting with a physician’s medical practice) on the basis of implied consent. As a custodian, the physician hiring the agent remains accountable for the personal health information in the hands of the agent. As such, members should ensure that the service provider understands the necessity of protecting personal health information and takes appropriate steps when performing its functions. Members are encouraged to enter into a written agreement to confirm the agent understands his/her obligations. In some jurisdictions, a written agreement may be required by the privacy commissioner.
Although consent can usually be implied, it may be prudent in some circumstances to notify patients that their health information will be stored electronically, particularly if stored in a shared EMR or an EHR through which a number of people will have access to the patient's personal health information. Privacy legislation in some jurisdictions requires patient notification in these circumstances by speaking with them individually, sending them a letter, or placing a poster in the office.
Express consent should be obtained whenever a physician is asked to disclose patient information from an EMR/EHR:
a) To a third party outside of the circle of care (e.g. an insurer or employer) and who is not an agent of the physician; or
b) Where the information will be used for a purpose other than providing health care to the patient and it is not permitted or required by law.
Disclosure in the latter case is often referred to as a “secondary use” of personal health information. Other examples of “secondary uses” include marketing, conducting research or providing personal health information to an organization or government body for the purpose of health system planning. Some privacy statutes expressly permit the use of health information for these secondary purposes. Members will want to familiarize themselves with the exemptions contained in the relevant privacy legislation. Where appropriate, patient information should be de-identified to the extent possible before it is used for purposes other than providing health care.
When express consent is required, it is generally prudent to ask the patient to execute a consent form. If verbal consent is obtained, it should be documented in the patient's medical record. Regardless of the approach used, the patient's consent should be informed.
Core data set
The term “core data set” typically refers to the portion of a patient’s record that is also accessible by non-primary care professionals or health care facilities. It can be viewed as a subset or, in some cases a summary or overview, of the patient's complete medical record. Since it is created for the purpose of sharing specific data between health care providers and others involved in the delivery of health care, it is generally included only within an EHR.
Members may wish to discuss with their regulatory authority (College), health authority, or privacy commissioner whether it is necessary to obtain consent from patients prior to uploading their health information in the core data set. Clarity should also be obtained from the relevant authority on the extent of information that must be included.
Patient requests regarding access to their information by others
Patients may request that access to their health information contained in an EMR/EHR be limited, even if it is for health care purposes. This can be done through a process commonly referred to as a “lock-box” or “masking.” Members with EMRs should consider whether their system permits masking, how they will manage lock-box/masking requests, and what obligations exist to inform recipients that the information may be incomplete. If storing patient information in a shared EMR or an EHR, members should also ask those responsible for the shared system how these lock-box/masking requests should be handled.
In jurisdictions with provincial EHRs, “disclosure directive/opt-out” processes that permit individuals to control information may apply. Although the scope and restrictions on the directive or opt-out may vary, they can relate to the type of personal health information contained in the EHR, the purposes for which personal health information may be disclosed from the EHR, and the persons or classes of persons who may access the personal health information in the EHR. Where such a disclosure directive/opt-out process exists and is recognized by law, it may serve to restrict a health care provider's access to the information, except in certain circumstances such as incapacitation, in an emergency, or with the person’s express consent.
Patient access
Patients generally have a right to access their own health information. Physicians must have a means to provide patients with access to their health information contained in an EMR/EHR in an appropriate format. Physicians may charge a reasonable fee for providing copies of records to patients.
Despite this obligation, there are circumstances when physicians may be concerned about providing access to certain information. For example, a psychiatrist may believe it would be harmful for a patient to review information related to the psychiatrist's impressions or analysis of the patient's mental health status. Although, in exceptional circumstances, a patient may be refused access to portions of his or her medical record, the general expectation is that the potentially harmful information be segregated from the record, rather than refusing patient access to the entire record.
Security and privacy issues
- Make sure the EMR/EHR system is equipped with robust security features, including access controls based on the user's role and responsibilities.
- Consider implementing encryption protection on all computer systems and portable data storage devices containing personal health information. Some privacy commissioners and Colleges have stated that physicians and other custodians must encrypt patient information stored on mobile devices.
- Consult with the privacy commissioner/ombudsman on how to conduct a privacy impact assessment.
- It is prudent for members to conduct periodic privacy audits of the EMR system once it is implemented.
As with paper records, physicians have an ethical and legal obligation to keep all patient information confidential. However, when patient information is stored in an EMR/EHR, it is likely accessible to a greater number of people than a traditional paper record and the protection of the information is therefore more complex.
Robust security features and policies must be implemented to ensure information maintained in an EMR/EHR is only accessible within the circle of care to provide adequate patient care, or for other purposes authorized by law or with express patient consent. This can be achieved through the use of user identification and passwords for logging on. In addition to having security mechanisms that limit access to authorized persons only, where possible, it is prudent to consider equipping the EMR/EHR system with controls that restrict access based on the user's role and responsibilities. Locating printers in areas with restricted access is another way to protect patient information.
The CMPA strongly recommends that physicians consider implementing encryption protection on all computer systems (including desktops and laptops) containing personal health information. Members who store patient information on portable data storage devices such as personal digital assistants (PDAs), USB flash drives, portable hard drives, etc. should also consider installing encryption software on these devices. Indeed, some privacy commissioners and Colleges have stated that physicians and other custodians must encrypt patient information stored on mobile devices.
When using a wireless network to access and send patient information contained in the EMR/EHR, members will want to consider steps to ensure that the network used is secure. Additional requirements may apply when transmitting a patient’s personal health information outside of the province/territory where it was collected. For example, patient notification may be required when using a service provider outside of Canada (e.g. for transcription of dictation).
Privacy impact assessment/audit
Some jurisdictions require a privacy impact assessment prior to implementing or making changes to an EMR system. While the assessment may not be a legal requirement in every jurisdiction, it is a prudent and valuable procedure. Privacy impact assessments identify and minimize the privacy risks associated with the implementation of the EMR system. Members are encouraged to consult with their respective privacy commissioner/ombudsman on how to conduct a privacy impact assessment. Some privacy commissioners have published guidelines in this regard. In some jurisdictions, it may be necessary to submit the completed privacy impact assessment to the privacy commissioner.
It is also prudent for members to conduct periodic privacy audits of the EMR system once it is installed. Routine audits ensure that access to patient records in the EMR/EHR has been restricted to authorized individuals for authorized purposes. Conducting these audits on a regular basis allows for the early identification and management of any unauthorized access.
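One way to run the periodic privacy audit described above, as an added example that is not part of the handbook: it replays an access log against role permissions, circle-of-care membership and lock-box/masking requests. The log format, roles, user names and override reasons are constructed assumptions.

```python
import csv
import io

# All names and values below are constructed for illustration.
ROLE_SECTIONS = {            # record sections each role may open
    "physician": {"demographics", "notes", "labs", "medications"},
    "nurse": {"demographics", "labs", "medications"},
    "receptionist": {"demographics"},
}
USERS = {"dr_lee": "physician", "dr_ng": "physician",
         "n_roy": "nurse", "r_kim": "receptionist"}
CIRCLE_OF_CARE = {"P001": {"dr_lee", "n_roy", "r_kim"},
                  "P002": {"dr_ng", "r_kim"}}
MASKED = {("P001", "notes")}  # patient lock-box request
# Assumed labels for the exceptions that may lift a mask or directive.
OVERRIDES = {"incapacitation", "emergency", "express_consent"}

ACCESS_LOG = """timestamp,user,patient,section,override
2010-07-15T09:02,dr_lee,P001,labs,
2010-07-15T09:05,r_kim,P001,labs,
2010-07-15T09:10,dr_ng,P001,medications,
2010-07-15T09:20,dr_lee,P001,notes,
2010-07-15T09:40,dr_lee,P001,notes,emergency
2010-07-15T10:00,ghost,P002,demographics,
"""


def audit_access(log_text):
    """Return (timestamp, user, finding) for every access that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, user = row["timestamp"], row["user"]
        patient, section = row["patient"], row["section"]
        justified = (row["override"] or "").strip() in OVERRIDES
        role = USERS.get(user)
        if role is None:
            # An account that is not on the staff list should never appear.
            findings.append((ts, user, "unknown_user"))
            continue
        if section not in ROLE_SECTIONS[role]:
            findings.append((ts, user, "outside_role"))
        if user not in CIRCLE_OF_CARE.get(patient, set()) and not justified:
            findings.append((ts, user, "outside_circle_of_care"))
        if (patient, section) in MASKED:
            # Overrides are not violations, but each one is listed for review.
            findings.append((ts, user, "masked_override_review" if justified
                             else "masked_without_override"))
    return findings


def summarize(findings):
    """Count findings per user so accounts with repeated findings stand out."""
    counts = {}
    for _, user, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in audit_access(ACCESS_LOG):
        print(*finding)
    print(summarize(audit_access(ACCESS_LOG)))
```
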
Transportation of data
There may also be risks associated with the physical transportation of electronically stored personal health information. The Canada Border Services Agency and some foreign governments have issued statements declaring their unequivocal authority to search and potentially seize electronic devices that a traveller may be attempting to bring into the country. In some cases, the information obtained in a border search may be broadly shared. This raises obvious concerns regarding the privacy and security of patients' personal health information when it is stored on a device that is subject to a border search.
Members are encouraged to contact the CMPA prior to physically transporting or electronically transmitting health information across borders.
Maintaining data integrity
- Ensure the EMR/EHR has an audit trail with corrections clearly indicated but not obscuring the original record.
- Consider backing-up electronic patient information on a daily or weekly basis.
- Patient requests to correct/alter another health provider's entry should be directed to the other health provider.
- If a member becomes aware that the EMR/EHR to which he or she has access contains outdated, incomplete or inaccurate information, it is prudent to immediately alert other users of the EMR/EHR so that patient treatment is not compromised.
- All health care providers using the EMR/EHR should make reasonable efforts to know who contributes to it, how often it is being accessed, and how information they have added should appear on the screen or printout.
- In the event of a potential future legal proceeding, a member employing an electronic signature device will want to be able to explain how the device works and attest to its reliability.
Physicians have a duty to their patients to keep records that are accurate, complete and up-to-date. With electronic record systems, physicians must ensure the authenticity and integrity of both the electronic data and the process by which it was created. Some measures may be required by legislation and/or by the member's regulatory authority (College).
Audit trails
An EMR/EHR should have an audit trail detailing user access and alterations to the record. An audit trail assists in demonstrating the information contained in the EMR/EHR is authentic and reliable. It also assists with continuity of patient care, especially where multiple health care providers have access to the record.
The audit trail system should enable the physician to:
- Demonstrate that the chain of custody of the record or entry is sound;
- Identify what, if any, alterations have been made to the record;
- Determine who made a specific alteration, and when;
- Print and view a copy of the unedited original version of the record (any amendments should be separately visible without permanently deleting the original entry).
Editing/deleting/correcting
Physicians have a responsibility to maintain accurate records. Fulfilling this responsibility includes complying with requests from patients seeking access to their record. A patient has the right to access his or her record and to request a correction. Physicians are generally entitled to refuse requests to correct medical opinions or information that is necessary for clinical purposes. The decision must be made on a case-by-case basis and in keeping with any applicable legislation or College requirements. For example, privacy legislation may set timelines for responding to patient requests, establish parameters for granting or refusing correction requests, identify how the record is to be corrected and require certain steps be taken once a request is granted or refused. Members should be familiar with those provisions and comply with them.
Members should also be aware that, with an EMR/EHR, there might be multiple health care providers treating the patient and making entries into the record. If a patient requests that the physician correct or alter an entry made by another health care provider, it would be prudent to direct the patient's request to that provider. Alternatively, the member may consult with the other health care provider if the entry is relevant to the treatment the member is providing or has provided the patient, in order to determine whether the change should be made and by whom.
If a member refuses a patient's request for a change, the member should retain on the chart a copy of the patient's request and the letter of refusal setting out the reasons for refusal, including any communications received or sent via email or other electronic means. Some privacy legislation also requires physicians to retain copies of any letters of disagreement the patient sends upon learning of a refusal.
Physicians also have a general duty to correct inaccurate information in a patient’s record, especially where the information is vital to the patient's treatment.
If a member believes a change to the record is required, the amendment should be made in a manner that is as consistent as possible with applicable College requirements for paper records. The amendment should not obscure or delete the original entry. In an electronic environment, changes can usually be made using an addendum or digital strikeout. The date, time and initials (or electronic signature) of the person making the alteration should be visible on the electronic record. A “track changes” function (commonly found in most word processors to monitor changes to documents) could be used for this purpose. Where this is not available, an addendum explaining what change is needed should be placed in the record, preferably next to the original entry.
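The audit-trail properties listed under "Audit trails" and the addendum approach described above, as an added example (not CMPA or vendor code): amendments are stored beside the original entry, every create, amend and view is logged, and the log is printable on its own. The SHA-256 hash chain used to make tampering detectable, the class name and the sample data are assumptions chosen for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain start; hash chaining is this example's own choice


def _sha(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _link(prev_hash, event):
    # Canonical JSON so the same event always produces the same hash.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return _sha(prev_hash + body)


class Chart:
    """One patient's chart. Entries are never overwritten, only amended."""

    def __init__(self):
        self.entries = {}  # entry_id -> {"original": str, "addenda": [dict]}
        self.audit = []    # append-only, each event chained to the previous

    def _log(self, user, when, action, entry_id, text=""):
        event = {"user": user, "when": when, "action": action,
                 "entry_id": entry_id, "text_sha256": _sha(text)}
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        self.audit.append({**event, "hash": _link(prev, event)})

    def add_entry(self, user, when, text):
        entry_id = len(self.entries) + 1
        self.entries[entry_id] = {"original": text, "addenda": []}
        self._log(user, when, "create", entry_id, text)
        return entry_id

    def amend(self, user, when, entry_id, text, reason):
        # The correction sits beside the original, never in place of it.
        self.entries[entry_id]["addenda"].append(
            {"user": user, "when": when, "text": text, "reason": reason})
        self._log(user, when, "amend", entry_id, text)

    def view(self, user, when, entry_id):
        # Reads are logged too, so access as well as alteration is traceable.
        self._log(user, when, "view", entry_id)
        entry = self.entries[entry_id]
        lines = ["ORIGINAL: " + entry["original"]]
        for a in entry["addenda"]:
            lines.append("ADDENDUM {when} by {user} ({reason}): {text}".format(**a))
        return "\n".join(lines)

    def alterations(self, entry_id):
        """Who amended this entry, and when."""
        return [(ev["user"], ev["when"]) for ev in self.audit
                if ev["action"] == "amend" and ev["entry_id"] == entry_id]

    def audit_report(self):
        """The audit trail as text, printable separately from the record."""
        return "\n".join("{when} {user} {action} entry={entry_id}".format(**ev)
                         for ev in self.audit)

    def verify(self):
        """Return a list of problems; an empty list means nothing was altered."""
        problems, prev, amend_seen = [], GENESIS, {}
        for i, ev in enumerate(self.audit):
            event = {k: v for k, v in ev.items() if k != "hash"}
            if _link(prev, event) != ev["hash"]:
                problems.append("audit event %d altered, removed or reordered" % i)
            prev = ev["hash"]
            entry = self.entries.get(ev["entry_id"])
            if ev["action"] == "create":
                stored = entry["original"] if entry else None
            elif ev["action"] == "amend":
                n = amend_seen.get(ev["entry_id"], 0)
                amend_seen[ev["entry_id"]] = n + 1
                addenda = entry["addenda"] if entry else []
                stored = addenda[n]["text"] if n < len(addenda) else None
            else:
                continue  # views carry no content to compare
            if stored is None or _sha(stored) != ev["text_sha256"]:
                problems.append("entry %s content does not match audit event %d"
                                % (ev["entry_id"], i))
        return problems


def demo():
    # Constructed sample data, not taken from any real record.
    chart = Chart()
    eid = chart.add_entry("dr_a", "2010-07-15T09:00", "Allergy: none known")
    chart.amend("dr_b", "2010-07-15T10:30", eid, "Allergy: penicillin",
                "patient corrected history")
    clean = chart.verify()
    chart.entries[eid]["original"] = "Allergy: penicillin"  # silent overwrite
    return chart, eid, clean, chart.verify()


if __name__ == "__main__":
    chart, eid, clean, after = demo()
    print(chart.audit_report(), clean, after, sep="\n")
```
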
Notifying other users of erroneous or outdated information
If a member becomes aware that the EMR/EHR to which he or she has access contains outdated, incomplete or inaccurate information, it is prudent to immediately alert other users of the EMR/EHR so that patient treatment is not compromised. Efforts should then be made to correct the erroneous information as soon as possible, in the manner discussed above. Members should also be aware that privacy legislation generally requires custodians who correct records to notify others to whom the relevant information has been disclosed.
The data sharing agreement (an agreement setting out the terms for the sharing of electronic health information) should ideally contain a provision that addresses the procedures for correcting the EMR/EHR and requiring notification of previously accessed erroneous or outdated information. Members should refer to applicable requirements and the specific data sharing agreement when considering making a correction.
Receiving data/records from other health care providers
A unique challenge with EHRs (and shared EMRs) is that other health care providers have access to the data and may contribute to the EMR/EHR directly. A physician may also receive data or records from other health care providers that are incorporated into a patient’s EMR. These physicians may be unfamiliar with each other's practices and may not consult with each other regularly, if at all.
The importance of accuracy is increased in these circumstances and all health care providers using the EMR/EHR should make reasonable efforts to know who contributes to it, how often it is being accessed, and how information they have added should appear on the screen or printout (e.g. initialed/signed and dated entries, strikeouts/addendums for changes to original entries, etc.).
Converting paper records to electronic form
If members choose to adopt an EMR, they might wonder whether their existing paper records should be transferred to an electronic format and whether, once scanned, the original records can be destroyed.
While transferring paper records to an electronic format can yield enormous benefits to physicians in terms of increased efficiency and improved patient care, members should nonetheless be aware that documents converted into electronic format are considered copies (otherwise referred to as “secondary evidence”) but may be admissible in legal proceedings if certain steps are followed. The rules concerning the admissibility of copies have been modified in most Canadian jurisdictions to take into account the reality of electronic record-keeping.
Responding to a legal request to produce an electronic record can be challenging. It may be necessary to produce the “metadata” embedded in all electronic documents. Specialized technical assistance may be required to ensure that all the required data is included. Upon receiving a subpoena or a court order to produce medical records (in paper or electronic form), physicians are encouraged to contact the CMPA for advice.
Some Colleges permit the destruction of paper records once they have been scanned. However, the CMPA encourages its members to consider the following guidance to ensure paper records converted into electronic format meet evidentiary requirements:
- An experienced and reputable commercial organization may be of assistance in establishing procedures for the conversion;
- The conversion should take place in a consistent and careful manner, with appropriate safeguards so as to ensure the digital copies are sufficiently reliable;
- Written procedures should be established and consistently followed for the conversion process (including a record of the type of conversion process used), with the member keeping a copy of these procedures; and
- The process should involve some form of quality assurance (e.g. comparing the digital copy to the original to ensure the information has been accurately converted), and a record should be kept of the quality assurance steps taken with respect to each document.
Digital records should be kept in “read-only” format so they cannot be altered or manipulated after conversion. Members should be aware of the differences between “scanning” and “Optical Character Recognition” (“OCR”). Scanning simply generates a non-editable digital representation of an image whereas OCR is a technology process that converts an image of handwritten or typewritten text into machine-editable text. Once an image has been converted using OCR, the text can be changed, searched, or otherwise manipulated. OCR may be used in conjunction with scanning. However, OCR alone should not be used when converting paper records to electronic form, unless the original paper records will also be scanned or will be maintained in paper form.
Where the appropriate steps have been taken, it may be reasonable for the member to destroy the original record. However, in exceptional cases, such as when the quality of the paper records makes the converted document difficult to read, it may be prudent to retain the paper records for the period of retention recommended by the CMPA: at least 10 years from the date of the last entry or, in the case of minors, 10 years from the date on which the minor reaches the age of majority. The eventual destruction of the paper records should be in keeping with the physician's obligation of confidentiality as well as any applicable legislative and College requirements.
Data migration
Physicians who are already using an EMR and wish to switch to a new EMR software or vendor will need to consider how to maintain the integrity of the patient data as entered in the old EMR system. Options may include migrating the data from the old system into the new system or archiving the data in the old system. Regardless of the process, physicians will want to ensure they have continued access to their patients’ data for the applicable retention period and that the information including the metadata is not compromised or otherwise changed in the process.
Back-up and recovery
It is not uncommon for computer systems to fail, which can lead to the loss of patient information contained in an EMR. In some jurisdictions, legislation and/or regulatory authority (College) policies require that physicians ensure electronic files are routinely backed-up and that the system allows for the recovery of such files.
Even if there are no specific regulatory requirements in a particular jurisdiction, it is good practice to back up patient information on a daily or weekly basis and to ensure the back-up files are encrypted. Members may also want to regularly test the restore process for these backed-up files. Furthermore, members may wish to use an off-site back-up system to protect patient records, in the event that an office computer is stolen, lost or destroyed. Physicians should consult with their vendor or service provider for more information about the back-up and recovery capabilities of the particular system being used.
Electronic signatures
The critical function of a signature is to associate the signatory with the contents of the document. Can an electronic signature effectively serve the same purpose in an EMR/EHR? In fact, it can legally serve the same purpose. An electronic signature, although not tangible in nature, can still be evidence of the association of the signatory with the document and its contents.
“Electronic signature” is a generic term that refers to a wide variety of non-manual signature options, including digital signatures. It is commonly defined as electronic data created or adopted by a person to sign a document. The data is then attached to or associated with the document.
A “digital signature” is a technology-specific type of electronic signature. It is one of the many techniques that satisfy the functions sought to be performed by electronic signatures. A common misconception is that electronic signatures are merely a digital version of a handwritten signature. While a signature entered on a touchpad is one example of an electronic signature, more common examples are those consisting of one or more letters, characters, numbers or symbols that are attached to or associated with an electronic document.
Although electronic signatures are generally recognized as being as valid as manual signatures, they cannot yet be used in all circumstances. For example, a physician may not be able to use an electronic signature for prescriptions in some provinces and territories.
Where they are permissible, electronic signature devices must meet certain reliability requirements. In the event of a potential future legal proceeding, a member employing such a device will want to be able to explain how the device works and attest to its reliability. Without this assurance of reliability, a court or tribunal may not allow the electronically signed document to be admitted as evidence or it may be given reduced weight.
It is therefore important to be able to demonstrate the electronic signature was properly associated with the document in question (e.g. report, consent form, etc.). Without this assurance of reliability, the other side in a dispute could argue that the patient did not know to which document he or she was affixing a digital signature when signing with a stylus on a digital signature pad. Alternatively, it could be argued the physician's signature was not associated with the correct report and the physician did not, in fact, review the relevant document.
In order to be in a position to effectively respond to such arguments, members should consider a system with the following characteristics:
- The person signing the document electronically is able to verify the electronic signature on the screen.
- An audit function exists that permits the physician to ascertain the date and time the signature was made and to what document it was associated at that time.
- Individuals are able to enter their own electronic signature.
Members are encouraged to explore the various electronic signature options with an information technology consultant.
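The audit function described above can be made concrete with a record that binds the signer, the time of signing and a digest of the exact document content. The following Python example is added here for illustration and is not from the handbook or any signature product; the function names, record fields and sample reports are assumptions, and the HMAC under a per-signer secret key stands in for a true digital signature, which would use an asymmetric key pair.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def sign_document(signer_id, signer_key, document_bytes):
    """Create an audit record binding signer, time and exact document content."""
    record = {
        "signer": signer_id,
        "signed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "doc_sha256": hashlib.sha256(document_bytes).hexdigest(),
    }
    payload = json.dumps(record, sort_keys=True).encode()
    # The tag covers every field, so the time or signer cannot be edited later.
    record["tag"] = hmac.new(signer_key, payload, hashlib.sha256).hexdigest()
    return record

def check_signature(record, signer_key, document_bytes):
    """Return 'ok', 'record-altered' or 'different-document'."""
    claimed = {k: v for k, v in record.items() if k != "tag"}
    payload = json.dumps(claimed, sort_keys=True).encode()
    expected = hmac.new(signer_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("tag", "")):
        return "record-altered"
    if hashlib.sha256(document_bytes).hexdigest() != record["doc_sha256"]:
        return "different-document"
    return "ok"

def demo():
    # Constructed sample data: two versions of a report and a per-signer secret.
    key = b"constructed-demo-key-for-signer-a"
    report_v1 = b"Consult report: findings normal."
    report_v2 = b"Consult report: findings abnormal."
    rec = sign_document("signer-a", key, report_v1)
    backdated = dict(rec, signed_at="2010-01-01T00:00:00+00:00")
    return (
        check_signature(rec, key, report_v1),        # signature matches this report
        check_signature(rec, key, report_v2),        # signature shown against another report
        check_signature(backdated, key, report_v1),  # audit time edited after signing
    )
```

The second result is the situation raised above, where a signature is claimed to belong to a report other than the one actually signed.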
Sending/transferring records
- Consider appropriate security measures when sending patient information electronically to the patient or another health care provider.
Electronic records facilitate the quick transmission of patient information to other health care providers or to the patient. In a shared EMR or an EHR, it is likely other health care providers involved in the patient's care will have direct, independent access to the patient's record and the information necessary to provide treatment. In these circumstances, the treating physician has a limited role in making the patient information available.
If uploading patient information from an EMR to another EMR/EHR, members should consider whether the network they are using is sufficiently secure. Again, members should consult with their respective College concerning any applicable policies or guidelines in this regard. Similarly, when a physician receives a request from another treating health care provider for patient information contained in an EMR that is not shared, the physician should choose a secure means of transmitting the information from among the various electronic options, such as fax, email or another EMR/EHR.
Communicating electronically with patients and others
Colleges may have policies or guidelines on communicating with patients through email or fax. Prior to communicating with patients through email or fax, members should discuss the risks and obtain the patient's consent to transmit their health information in this manner. Any discussions with the patient should be documented in the patient's medical record and the use of a written consent form is advisable (see the Information Letter (March 2009) entitled “Using email communication with your patients: Legal risks” with the attached template consent form).
Emailing with patients raises unique legal issues. At least one provincial privacy commissioner has suggested physicians avoid communicating personal health information via email unless the email service is secure and offers strong encryption. Members should establish policies and procedures for the handling of email communications. Employees should be informed (through a policy or otherwise) of the risks associated with inappropriate email communication.
If members are employed by (or hold privileges within) an organization, institution or hospital, it may be difficult to protect sensitive email correspondence from being accessed by the organization. For example, a member working from a hospital might be vulnerable to the hospital administration accessing email correspondence that has been prepared on a hospital computer or transmitted over the hospital system. If it is necessary to use email to communicate sensitive personal matters, consider using a personal email account accessed from a computer you personally control such as at your office or home. This caution is especially pertinent for members who are being assisted by counsel with a legal matter.
Fax
Members should also implement standard procedures when faxing patient information to minimize the possibility of misdirected faxes. For example, depending on the recipient and the sensitivity of the information being faxed, it may be prudent to consider contacting the recipient prior to sending the information by fax to confirm the fax number and ensure the recipient is present to receive the document.
Destroying/disposing of records
- When destroying patient information in electronic form, ensure the EMR/EHR is permanently deleted or irreversibly erased. This may require physical destruction of the electronic storage device.
As with paper records, procedures are required to ensure adequate disposing of electronic records. The following are some key points to keep in mind when considering the retention and destruction of EMRs:
- The required retention period for medical records – whether print or electronic – generally varies significantly depending on the jurisdiction. The CMPA recommends that members maintain clinical records for at least 10 years from the date of the last entry, or for at least 10 years from the age of majority in the case of minors.
- Beyond the required retention period, patient information contained in an EMR/EHR should normally only be maintained for as long as is necessary for the purpose for which the information was collected.
- Once the retention period has been exhausted, the information in the EMR/EHR should generally be destroyed in a manner that maintains confidentiality.
- Physicians should be familiar with all applicable rules or obligations for destroying medical records.
Some privacy legislation requires physicians to keep a record of:
- The individual whose personal health information is destroyed and the time period to which the information relates; and
- The method of destruction and the person responsible for supervising the destruction.
Effective destruction requires the EMR/EHR be permanently deleted or irreversibly erased. When destroying the information, members must consider whether it is necessary to destroy not only the “original“ records, but also any copies of these records, including back-up files.
Some privacy commissioners have recommended the physical destruction of the electronic storage device (e.g. hard drive) to ensure the permanent deletion of patient information stored on these devices. This may include physically destroying the electronic storage device, or it may be sufficient to employ wiping software to delete the information contained on the hard drive. However, depending on the sophistication of the software, wiping may not irreversibly erase every bit of data on a drive. Selling or giving away electronic storage devices that contain or once contained patient information should be avoided.
Given the technological expertise required to effectively destroy electronically stored information, it is preferable to engage an accredited service provider to destroy patient information maintained in EMRs. Some privacy commissioners have stated that when engaging a commercial service provider to dispose of patient information, physicians must enter into a written contractual agreement with that service provider. The agreement should clearly spell out the responsibilities of the service provider to securely destroy the health information records, how the destruction will be accomplished, under what conditions, and by whom. While not currently a requirement in all jurisdictions, this is a prudent practice for all members who engage the services of a records disposal company.
Data sharing and inter-physician arrangements
- Review the CMPA/CMA Data Sharing Principles (Appendix C), including issues of privacy and confidentiality.
- Exercise “due diligence” and be sure to understand the agreement with a vendor of an EMR/EHR system.
- Where no information management agreement exists for an EHR system established by a health authority, or when linking an EMR to the EHR, consider entering into a data sharing agreement.
- Make sure the inter-physician agreement addresses accessibility to patient records, including after a physician departs the practice.
Storing electronic health information data with third parties
With the advent of new forms of recordkeeping come new formats for storing and maintaining the data contained in electronic records. Even the most technologically savvy physician is likely to engage the assistance of an outside service provider for implementing, maintaining and storing electronic medical records. In addition, many provinces, health authorities and hospitals are seeking to set up their own EHRs that may integrate physicians' EMR systems. Accordingly, there are a number of different scenarios and structures that will see a physician contracting with a third party to implement an EMR/EHR system.
Some of the potential contracting arrangements that a member may consider entering into for the purposes of an EMR/EHR system include:
- A data sharing/management agreement with a vendor or other service provider (e.g. for software, hardware, hosting, etc.);
- A data sharing/manageme