CMPA: Practically Speaking

Accessing EMRs: How to avoid breaching privacy rules

Episode Summary

When is access to EMR deemed inappropriate? In this episode, Dr. Bellemare and Dr. Madarnas offer key considerations on how to avoid breaching privacy rules when accessing electronic medical records. The hosts review how privacy legislation, the circle of care, and custodianship of medical records affect how and when physicians can access medical records.

Episode Notes

CMPA Perspective article:

Why do you need to know? A balancing act for accessing personal health information

www.cmpa-acpm.ca/en/advice-publications/browse-articles/2020/why-do-you-need-to-know-a-balancing-act-for-accessing-personal-health-information

Episode Transcription

Podcast: CMPA: Practically Speaking

Transcript for episode 6: Accessing EMRs: How to avoid breaching privacy rules

Announcer: You are listening to CMPA, Practically Speaking.

Dr. Yolanda Madarnas: Hello everyone, welcome. Hi, Steven.

Dr. Steven Bellemare: Hi Yolanda, how are you?

Yolanda: I'm well, thank you. Steven, I wonder if having a user ID and a password for an EMR gives us the right of access to any information at any time?

Steven: Well I think the way you are asking your question is going to force me to say no. Any information at any time I think is the problem. Let's consider some examples: a celebrity is admitted to a hospital and someone looks them up in the EMR. Is that all right?

Yolanda: What about a friend who asks you to look up their MRI results because they can't get in to see their family doctor?

Steven: What about telling a learner or a colleague, “hey you know what you should follow up this patient in the record to see how they evolve”?

Yolanda: How about accessing a record to remind yourself of the care you provided when you are notified about a complaint or legal action?

Steven: So what is the common thread in all of these scenarios?

Yolanda: Inappropriate access to the EMR.

Steven: You know what, when is access deemed inappropriate? There are some pretty clear examples of inappropriate access, but it can be difficult to slice and dice on that subject in a number of different circumstances.

Yolanda: So today's podcast builds on the Perspective article regarding access to personal health information. So we are going to try and shed a bit of light on this for you and keep you apprised of the latest from the privacy world.

Steven: Let's go to our take-home points then, shall we Yolanda? The first one is that privacy legislation is designed to put a patient's right of privacy first. So in that framework, are other societal objectives, like quality improvement and education, secondary to patient privacy?

Yolanda: The second point is that of the circle of care. This circle of care includes health care providers, providing care to the patient who require information but on a need-to-know basis in order to provide health care to the patient.

Steven: The third point is that physicians, whether they be staff or trainees, really need to understand the custodianship of medical records. And that means that they really should always be seeking permission from their hospital or clinic before accessing patient records after they are no longer involved in patient care. 

Yolanda: So let's go back to the first point, about privacy legislation. Let's remind ourselves that privacy is legislated provincially. For example, in Ontario, PHIPA regulates the use and access to personal health information. 

Steven: The PHIPA is the Personal Health Information Protection Act.

Yolanda: Yes, so regardless of where we practice, it is important to familiarize ourselves with the legislation applicable in the jurisdiction you are practicing in.

Steven: That's right, because each province or territory has different guidelines to regulate the collection, the use, and the access of physicians or other people to personal health information. They also have criteria for what constitutes a privacy breach and criteria to guide us in reporting privacy breaches. So not everything is a privacy breach and not everything that is a privacy breach is necessarily reportable to the patient. It may just be reportable to an institution for instance.

Yolanda: So all of this information is generally available through your College, your hospital, your institution and you can call us at the CMPA for added information as well.

Steven: I would certainly echo that Yolanda because it's complicated. So, let's use an example to explore this though. You are a well-intended physician who sees someone in the Emergency Department and you want to follow up in their chart for your own education. Look, we have all done that, right and it's a noble thing. It may not technically be allowed and if we happened to do it and the hospital runs an audit, we will have to answer for it.

Yolanda: This illustrates the privacy laws were not drafted with actual medical practice in mind. Their focus is really to protect the privacy of the individual and we need to revisit and rethink our practices within the discipline of medicine as to how they fit into that framework.

Steven: That's right. That's not to be critical of privacy laws; it's just the reality of how things have evolved. So, it's understandable in this age of E-communication and all the privacy breaches that are out there, that we need to pay attention to that.

Yolanda: Such well-intentioned and justifiable access to the EMR may actually constitute inappropriate access to personal health information when you are not in that circle of care.

Steven: Now Yolanda some laws allow access to personal health information for purposes of quality improvement. Whether or not education is quality improvement is going to be a matter of interpretation based on the law at hand and the viewpoint, the policy, of the institution that you work in.

Yolanda: Yeah.

Steven: So asking your hospital or clinic to draft a clear policy to allow access for quality improvement and learning may actually be well worth it. So that you are actually promoting clarity within your institution as to whether or not this practice of accessing patients' medical records to follow up on their condition after you’ve admitted them, is actually allowable or not. But, before you do that, it's actually important to know the provincial laws that might actually affect the drafting of that policy.

Yolanda: So this is a great time to introduce the concept of the circle of care, our second take home message.

Steven: Right. So physicians can generally rely on the patient's implied consent to share personal health information within the circle of care. So that’s what allows me, the pediatrician, to share information with you, the oncologist, about a mutual patient that we have, without actually having to seek their parent's formal permission to do so.

Yolanda: It's implied.

Steven: Yeah. That's right. The health care professionals who need to know the information to provide care are the ones that are included in the circle of care. It's not this “willy nilly” sharing just out of interest of course and the information you can share is actually limited to what's necessary to provide health care to the patient.

Yolanda: Once a physician is no longer in that circle of care, it's important that they consider whether access to the records subsequent to that is A), permissible and whether the custodian has approved or allows the access.

Steven: So at what point though is one "no longer" providing care and I'm waving my fingers in the air doing my quotation marks. Isn't following-up on your patient good medicine?

Yolanda: Absolutely. I don't think anyone would argue with that, that that's not good medicine but strictly speaking we are only allowed to access personal health information for purposes of providing care. So whether following up on someone is continuation of providing of care is perhaps a bit of a grey zone and even being in the context of a circle of care the access does have limits. We are only allowed to access what we need to deliver that care or what we need from their past history to deliver their care today.

Steven: Right. So I am thinking if I'm treating a patient with appendicitis, I would have no reason really to go look in their psychiatry outpatient visit history for instance. 

Yolanda: Correct. That is not on a need to know basis unless it's relevant to the care today. So that is common sense. But let's focus on the issue when a physician is no longer providing care, as is the case when a patient gets transferred to another team, another institution. So this physician is no longer considered to be in the circle of care and they do need to stop accessing personal health information.

Steven: Well that is something to think about isn't it? I know many physicians who see someone they are concerned about and may often reflect after the fact, and wonder “Was my care appropriate, was my diagnosis right, should I have done something differently?” and they may seek to learn and improve their practice by looking in the EMR. So that may be a problem, privacy-wise. 

Yolanda: Yeah. 

Steven: It could be a walk in clinic case where you found out after the fact, for instance that you might have missed something. So, leaving the circle of care is really the turning point then.

Yolanda: Absolutely. We've had cases where doing just that has led physicians to be flagged by an EMR audit as having breached privacy.

Steven: That's right and there may be ways to manage this though.

Yolanda: I think so.

Steven: It may involve talking to the patient or the substitute decision maker if they are not capable of giving you consent to obtain consent to do just that. To follow up in their record after the fact and learn. If you do that, it's wise to get that consent signed and to really make a note in the record of the fact that you have accessed the medical record with the patient's consent so that you establish that you weren't snooping. 

Yolanda: Yeah. So it's not foolproof but at least it creates some transparency for your actions.

Steven: I think that's a great segue then to the third take home point, custodianship of medical records. Why is that important? 

Yolanda: Well, honestly as a physician we often regard patients' health information as ours to use in the course of providing clinical care and even for other purposes, like teaching or research, but individual patients do have the right to determine who can access their health information and under what circumstances.

Steven: Right, because the patient owns the information. The physician, the clinic, the hospital may own the system, the EMR system or the paper record that houses the info, but the info belongs to the patient.

Yolanda: So in a hospital or other group practice, it is the institution that is the information custodian, who controls access over these medical records and physicians should seek permission from the institution and be forthcoming about their reasons for requesting access to a patient's medical record.

Steven: That's not to be nit picky, it's really because that's the custodian's duty, their legislated duty to ensure there is no unauthorized access to those EMRs and to personal health information. That's why they actually run chart audits when they do.

Yolanda: So without getting overly complicated, physicians can generally rely on a patient's implied consent to access and share their personal health information for purposes of providing that health care with people in the circle of care. However, when we access the record for a purpose other than providing care, the physician should really aim to get explicit consent from the patient or rely on a legislated provision that does allow them to access the record without seeking consent.

Steven: Depending on the provincial or territorial legislation, it may be possible to work with the hospital to create policies or procedures that actually allow access to patient information for educational purposes.

Yolanda: That helps everyone. So the bottom line is two-fold, patient consent is required to access their personal health information for anything other than provision of care and physicians should always seek direction from custodian of the record for purposes here at the hospital or the clinic before accessing patients' records when they are no longer in that circle of care.

Steven: Right. That's why accessing a record to refresh your memory can be problematic once you hear of a complaint, a lawsuit or after a patient safety incident after you have left the circle of care.

Yolanda: So it's not that you are not going to be allowed to refresh your memory or that there isn't a good reason to access. You are entitled to access the record to defend yourself in a complaint or a lawsuit, you just need to do so appropriately.

Steven: That's right. You need to follow the rules. Here is a perfect example, it's not related to a complaint or a lawsuit but I think it illustrates the points. You are on staff at a hospital and your child has a chest x-ray and you look up the results in your EMR. Seems like a benefit of working at the hospital right? 

Yolanda: Sure. I mean, you are the parent. You provide consent for your minor child. Of course, so what is the problem?

Steven: Well the issue is that the hospital didn't give you access to their EMR for that purpose and you are not and never were in the circle of care for your child.

Yolanda: So while you have a password and access to the EMR, you still shouldn't access that information, right?

Steven: Exactly. No, you are allowed to get the info of course, you are the parent, and you can consent to that, but you have to do it through the right channels. If you get back to the initial question you were asking at the very beginning of the podcast, having a password to the EMR doesn't give you access to anything, any time.

Yolanda: No carte blanche. In fact, that's what happens when audits are run on hospital medical records. The hospital will often run reports flagging access to a record by people with the same surname, i.e. family member or all access on a VIP or celebrity medical record for example.

Steven: Right. We've seen those, we've seen those cases.

Yolanda: Yes we have.

Steven: So how about we revisit our initial examples, Yolanda.

Yolanda: So remember what about the friend who asks you to look up their MRI result because they can't get in to see their doctor?

Steven: Nope. Even though you have consent from your friend to do so, you are not in their circle of care and the right way is through medical records or for them to actually do it through their own physician.

Yolanda: So then as a friend, I could tell my friend, why don't you go to medical records, ask for a copy of your report, you are entitled to do it, but you need to be the one asking for it, right?

Steven: That's right.

Yolanda: How about when we are working with residents and other learners and we ask them to follow up on a patient they have been involved in and have a look in their record and see how they evolve wanting to see what happened to this patient?

Steven: Nope. That's probably the most shocking “nope” for our listeners I suspect. Again, they have left the circle of care if they are just doing follow up and they are not involved any more. We have to be real. This could have significant impacts on how we learn and how we provide care. Don't we have an obligation to follow up on lab results for instance?

Yolanda: Absolutely. Physicians are responsible for ensuring follow up on all investigations they order. But that follow up implies that you are still in the circle of care to action that result. The issue of following up out of well-intended curiosity for our own learning or QI is really the grey zone and it is best to seek permission to do so from the patient and document your reasons for accessing that EMR if you do do it.

Steven: So following up with a purpose to provide care, i.e. following-up lab results, is different than following-up with a purpose of just learning and keeping apprised.

Yolanda: However noble that may be.

Steven: Subtle, subtle differences, right? Finally then, what about accessing a record if you have been sued or complained about?

Yolanda: Nope. You may still be in the circle of care, accessing the file for this purpose is no longer related to delivering care and while we are entitled to access the record for our defence in the case of litigation or complaint, we have to go through the right channels.

Steven: Okay, Yolanda I think we've given our listeners a good primer on privacy issues and the whole business of needing to know information. That was probably what they needed to know about privacy. How about we move on to communication tip then.

Yolanda: So, communicate with your hospital to develop policies and procedures that will allow access to patient information for those circumstances that aren't strictly related to patient care. For example, education and quality improvement undertakings.

Steven: I think that clarity would be wonderful to have, for sure.

Yolanda: For everyone.

Steven: And in everyone's individual context because one hospital might deal with an issue very differently than another.

Yolanda: Exactly. How about a documentation tip, Steven?

Steven: You know my documentation tip would be, linked to the fact that EMRs have built in audit controls to detect each time a record is accessed. They know who accessed the record at what time, for how long, on what page, what was added, what was changed, what was deleted, it's all in the background. So, if anyone is accessing a record for a purpose other than provision of clinical care, documenting the fact that they were doing so with the patient's consent and for the purpose of following up helps build that transparency. I think it's worthwhile to really demonstrate that you are not really snooping.

Yolanda: So documenting a note in the patient record at the time of transfer of care. Patient agreed for me to follow up on their evolution in hospital for example or at the time you accessed the EMR, making a note and saying accessed on this date, today, for this purpose. So doing it proactively rather than at the time when potentially it gets caught and it's still explainable but to do proactively and contemporaneously would be more prudent.

Steven: Well that's all the time we have for today. Thank you for joining us everyone and please don't hesitate to send us your comments, questions and story ideas. Our address is podcasts@cmpa.org.

Yolanda: Thanks everyone and thank you Steven, this was great.

Steven: It was great, and remember, when you change the way you look at things...

Yolanda: the things you look at change.

Steven: Goodbye,

Yolanda: Bye everyone.

Announcer: These learning materials are for general educational purposes only and are not intended to provide professional medical or legal advice, nor to constitute a standard of care for Canadian Health care providers. 

END OF AUDIO