EMR security problems – don’t get stung

D'Souza_cropSudhir D'Souza is a semi-retired paediatrician practising in Ontario

 

“About 80 per cent of health data is captured in physicians’ offices. Electronic records connected to hospitals and provincial health databases will provide a comprehensive and secure picture of a patient’s health.”

Greg A. Reed, Former CEO of eHealth Ontario

What happens when you leave a clinic? Do you remain the ‘health information custodian’? Do the electronic charts move with the patients who follow you?

In January, I decided to leave a ‘turnkey’ clinic and start my own practice. To accommodate patients for whom location was paramount, I allowed my electronic practice records housed in a server located in my office to be amalgamated under an Application Service Provider (ASP) EMR – cloud based – with the rest of the physicians in the clinic space we had shared. OntarioMD, a division of the Ontario Medical Association (OMA) that manages the EMR Adoption Program on behalf of eHealth Ontario, promotes the ASP EMR by providing slightly increased funding. As per OntarioMD, ASP EMRs ‘provide disaster recovery, data security, business continuity……., and facilitates interfacing with eHealth applications’. I reasoned that an ASP would permit patients to move freely. However, immediately prior to my departure, the clinic ownership group took over and locked me out of the EMR for which I pay. Patients are now being asked to pay $150 to transfer their records. According to what I have been told by the Canadian Medical Protection Association (CMPA), my patients and I are not alone.

The law is clear. The patient owns the information in a medical record. However, the physical record is the property of the person (the physician/caregiver) or organization responsible for its creation. Therein lies the rub. If you use the clinic’s computers to access the cloud-based program, the clinic may claim provenance over the digital record. Knowing this, I always owned and operated my own computer equipment. However, I blindly believed that the principles of the role of the ‘health information custodian’ and the rules and regulations of the College of Physicians and Surgeons of Ontario were followed in all approved programs.

Only a physician may own an EMR. All EMR programs have users with specific access levels. ‘Super’ user access is usually restricted to the physician owner; it controls all other levels. My previous EMR provider in both their local and ASP solutions had ensured that the addition or deletion of any physician – for example a locum - required the signed consent of the physician owner(s). The EMR provider under which my records were amalgamated does not, which I find shocking. Any ‘super’ user or a designee given this status can erase another. This means, for example, that any non-medical designee granted ‘super’ user status, could lock out a physician owner. It may seem silly and inconceivable but an assistant who is let go, having had ‘super’ user status to manage your clinic, could, after leaving, shut you out of your own EMR. What seemed even more absurd to me was that the ASP EMR provider stated the physician could not be reinstated even in the event of this clear breach. (I wonder if they would still bill the physician?)

I decided to discuss the potential for serious problems with OntarioMD and with the CMPA. The CMPA was not surprised by the possibility of this happening. OntarioMD had not heard of this happening before and were not sure if their CMS requirements address the ‘super’ user security issues raised above.

How can anyone avoid similar pitfalls? I suggest that before entering into any EMR:

  • Read your College guidelines and draft an agreement signed by all parties on how the medical records should be divided in case of a split.
  • If you do not have one, get it done soon after the split to stay within College guidelines.
  • During the implementation process, ensure a third party reads every aspect of your agreements, including the ‘workbooks’ detailing user access points. Do not sign if you do not have ultimate user access, which may only be revoked with your signature.

From a systemic standpoint, given that EMRs are government funded, a provincial central repository for all electronic patient records would allow mobility and access. Medical information is supposed to be transferable between various approved EMRs. The issues around patient confidentiality would be addressed by a signed standard Authorization for Transfer of Medical Records.

It is crucially important that e-Health Ontario through OntarioMD examines all programs carefully to ensure that none can operate with such fundamental security faults. I am more upset about the cost to my patients who must now request to transfer their information with the custodian to whom it was provided.

Every crisis is an opportunity to effect improvement. By telling this story, I hope to effect changes.

Leave a Reply

Your email address will not be published. Required fields are marked *