Friday, March 11, 2005

What to do if patient information is stolen

Doctors Nova Scotia (formerly the Medical Society of Nova Scotia) this week asked me to write a brief article for their website and magazine about what physicians should do if the security of patient information is compromised. The question arises most often in the form of "what if my computer [or PDA] is stolen?"

I was happy to help since DoctorsNS has been extremely proactive in helping its members to address PIPEDA. In fact, it was for DoctorsNS that I originally wrote the Physician's Privacy Manual (e-mail me - david.fraser at - if you are interested in purchasing a copy).

Q. With the new privacy law now in force, what measures do physicians have to take to prevent the theft of computers and the like containing confidential patient information and what should physicians do if something like this were to happen?

A. Since January 1, 2004, the collection, use and disclosure of personal information by private practice physicians in Nova Scotia has been regulated by the Personal Information Protection and Electronic Documents Act, commonly know by its acronym “PIPEDA”. The law covers all aspects of physicians’ responsibilities with respect to patient information and specifically includes an obligation to safeguard personal information against a wide range of risks. Among those risks are loss, theft and inappropriate access. The law does not dictate what specific technological or security measures must employ but it does provide say that the safeguards must be proportional to the sensitivity of the information in question. Because medical records are among the most sensitive, a physician’s responsibilities in this area are proportionately high.

While PIPEDA is a new law, it does not replace the obligations that physicians have always had to exercise due care to protect their patients from harm caused by the physician’s actions or omissions. The inappropriate disclosure of personal information can undoubtedly cause harm, particularly in this age of identify theft. In addition, individuals entrust their physicians with very sensitive information that may have significant consequences if it is disclosed to others. For example, a patient’s record may contain information about a particular condition that, if disclosed to the individual’s employer, could result in the individual being fired. The inappropriate disclosure of information about a battered spouse may have severe safety repercussions for that patient.

These rules apply to all patient information, regardless of whether it is written on paper or stored in a computer. Use of electronic systems pose additional risks, simply because large amounts of information may be stored in an easily stolen form. Also, external hackers might access an under-protected system, leaving very little sign that the information has been compromised. Physicians should take all reasonable measures to protect this information against the sorts of threats that may exist, depending upon the circumstances. Locks on doors, virus scanners and computer firewalls immediately come to mind. The encryption of electronic data may also be the last line of defence, meaning that data stored on a stolen hard drive still cannot be accessed by a thief who does not have the password.

So what should a physician do if he or she believes that patient information may have been compromised? PIPEDA does not specifically say, unlike Ontario’s new Personal Health Information Protection Act which requires all health information custodians to inform an individual at the first reasonable opportunity if that individual’s personal information is stolen, lost, or accessed by unauthorized persons. While physicians likely should contact all affected patients to inform them of a breach or possible breach, whether they are under a legal obligation to do so is unclear. Because the unauthorized access to personal information may put individual patients at risk, the only way that this risk may be mitigated is to inform the patients so that steps can be taken to minimize the harm. The following checklist may be helpful to assist with a physician who believes that patient information may have been lost, stolen or inappropriately accessed:

  • If the incident relates to a theft or malicious intrusion attempt, the police should be notified as soon as possible.
  • The College of Physicians and Surgeons should be notified.
  • Your liability insurer and/or the Canadian Medical Protective Association should be notified.
  • Immediate steps should be taken to prevent the recurrence of the loss; for example, computer servers should be immediately disconnected from potential avenues for intrusion, such as external networks and modems; locks should be changed on the doors if the incident relates to a physical break-in.
  • Carefully consider whether patients should be contacted to allow them to mitigate the effects of the incident.

Physicians should not attempt to cover up or gloss over any of these incidents, as such actions tend to compound the problem and undermine patient confidence in physicians generally.

If you have any concerns about the way that personal information is safeguarded in your practice, Doctors Nova Scotia is able to help by referring you to information and specialists that can help minimize the risk to the security of your patient information.

I note that this article is not legal advice and only pertains to provinces where private practice physicians are governed solely by the Personal Information Protection and Electronic Documents Act (NS, NL, PE, NB and not BC, AB, SK, MB, QC, ON).

No comments: