In seeking to identify the existing legislative framework for security of electronic health records ("EHRs") systems, we have reference to the two basic precepts of confidentiality and privacy. Within the health sector, these are the key existing rules from which the security obligations emanate. Confidentiality and privacy are often treated interchangeably; however, they are different, although overlapping, concepts.
Confidentiality is an obligation imposed on health professionals and providers, including institutions, to protect and not disclose patients' or clients' personal health information ("PHI") except as expressly permitted. For doctors, the rule emanates initially from the Hippocratic Oath, but is now found in their professional codes of practice as well as in legislation such as the Medicine Act. For other professionals such as nurses, physiotherapists and pharmacists, the confidentiality rule is found in their professional codes of practice and in applicable legislation. Institutions such as hospitals and social agencies are subject to confidentiality obligations contained in the Public Hospitals Act, the Long-Term Care Act, 1994, and other similar legislation.
Clearly, confidentiality implies security; but security rules and standards constitute a distinct category. Essentially, they are the means by which confidentiality is to be achieved. Therefore, while the confidentiality obligation exists for health providers, it contains no explicit directions or rules that address security, or guidance as to the standard of care that can be expected. The obligation does impose potential liability on providers if it is breached and that creates an incentive for providers to adopt appropriate security measures.
The other key precept from which security criteria emanate is privacy law. Privacy is distinct from confidentiality because it derives from the right of individuals to control their personal information, in contrast with the obligation on providers, which is to keep PHI confidential. However, maintaining confidentiality is an aspect of protecting privacy, and so the two precepts overlap.
Privacy implies security because one of the principles of a privacy regime, such as is in the Canadian Standards Association's Model Code for the Protection of Personal Information ("CSA Model Code"), is that an individual has the right to have any of his or her personal information that is held by a data collector protected from unauthorized disclosure. The privacy precept, therefore, is more specific than the confidentiality precept in that it expressly articulates a security requirement.
This security requirement is set out expressly in the privacy laws, and it is these laws that form the primary mandate to health care providers to establish appropriate security systems with respect to PHI both generally and, potentially, specifically with respect to EHRs and systems. It is worth emphasizing, therefore, that the primary source of statutory direction for security of PHI is in the privacy laws.
Stipulating the security requirement under the privacy laws is significant. Not only does it set a regulatory standard, but it creates a civil standard of care, which means that if practitioners or institutions fail to meet this standard, they may be liable in damages to the individuals whose information has been compromised.
The privacy laws not only articulate a required standard of security but contain, in varying degrees, guidance for data collectors as to the nature of the security systems and procedures that should be adopted. However, the primary security obligation contained in Ontario's Personal Health Information Protection Act, 2004 ("PHIPA") is stated in quite general terms. And to date, only regulations relating to network service providers have been enacted. There are no regulations respecting records management or electronic data procedures, although such regulations are clearly contemplated by the legislation. This deficiency is particularly relevant to the adoption of EHR systems.
PHIPA's limited detailed guidance respecting security procedures contrasts with the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") which, through its adoption of the CSA Model Code, provides an outline of the nature of the protections that should be adopted. The PIPEDA rule makes clear that such protections should include physical, organizational and technological measures and provides examples of each of those categories. The PIPEDA rule also stipulates that organizations must ensure that their employees are trained in security procedures. PHIPA's approach also contrasts with the other health privacy laws, which follow the particularity stipulated in PIPEDA.
While this specificity of required procedures is not currently found in PHIPA, it is clear that, in order to comply with the legislation, custodians are expected to adopt detailed procedures. The only difficulty with this approach is that the law itself does not provide the required guidance. Instead, practitioners and institutions must look to other sources, such as international standards-setting bodies, industry associations and other stakeholder organizations.
Security is Critical
Why is security such a critical element of a privacy regime?
Firstly, the elemental concept of privacy implies an individual's control over and in effect ownership of his or her personal information. Recognition of this concept dictates that if that information is entrusted to another person, that person must take appropriate precautions to prevent the information from being misused, lost or stolen. Furthermore, implicitly, a privacy regime recognizes that if personal information is misused, an individual may suffer injury whether it is financial, psychological or physical. The security rule seeks to prevent such injury.
Electronic Health Records
While electronic health records offer significant advantages to effective health care, they pose challenges to the security of PHI. Locks and pass-keys, though potentially sufficient in a paper-based system, are inadequate in an electronic environment. Further, in a computerized environment the detriment made possible in the event of unauthorized access is magnified. Computerized databases of personally identifiable information are more vulnerable than paper-based systems because they may be accessed, changed, viewed, copied, used, disclosed or deleted more easily and by many more people than paper-based records. The technological means to secure or render unidentifiable PHI do exist. The challenge is not to invent the technology, but rather to ensure that the law has done all that it can to protect the individual's reasonable expectation of privacy and security of PHI.
How Do the Privacy Laws Address Electronic Security?
We see, therefore, that it is under the privacy laws that security of PHI is addressed. As mentioned above, PIPEDA provides substantial guidance in this area; however, it only applies to commercial entities (and the commercial activities of other entities) and, therefore, has certain limitations in scope when dealing with the health sector. Four provinces have adopted specific health-sector privacy legislation (Ontario, Manitoba, Saskatchewan and Alberta). Furthermore, all of these laws address, with greater or lesser specificity, the security requirement. All of the provincial laws, except Ontario's, mandate health information custodians to address the three categories of safeguards identified in PIPEDA: administrative, physical and technological.
However, only Manitoba has addressed electronic security with any specificity. In that province's statute and regulations, protection respecting unauthorized interception, secure destruction and mobile devices is addressed, and user logs and audit trails are required. The rules stipulated are quite general in nature but can be contrasted with the other provincial statutes and PIPEDA, which at present contain no rules specifically addressing EHRs and the use of electronic systems by custodians.
In the absence of legislative guidance, the Ontario Information and Privacy Commissioner has articulated certain criteria through her order-making power and through informal guidelines. For example, the Commissioner has set out certain criteria to address the security of PHI maintained on portable electronic devices. The Commissioner's Order contains a number of recommended administrative procedures; its specific application for portable devices addresses recommended procedures for maintaining and providing access to PHI held on such devices. Essentially, the Order mandates effective encryption of such information and the use of multi-layered access authorization procedures.
The question that may be posed is the following: Should Canada's laws reflect a pro-active leadership role in establishing basic principles for EHR security, or should we rely on general legal precepts of security to ultimately generate a set of rules, through a more circuitous process? If we believe that privacy laws should be instructive and preventative, not reactive, then providing guidance for users to avoid pitfalls is preferable to penalizing them for breaches. More importantly, compliance and breach avoidance protects those who would suffer injury; that is, the individual users of the system.