EMR Data Security #1: I will just take my old EMR home for Reference

We dealt with this situation a few years ago, when a doctor was converting from one EMR to another. He wanted to keep his old system for reference, but did not want it taking up space in the office, so his solution was to take it home with him. We pointed out that doing so would expose him to considerable liability unless he first encrypted the disks of the computer he was taking home, because it contained medical records. His response was that he had only ever used the old EMR for billing, so it contained only patient billing information, which in his opinion did not put patient privacy at risk.

That response showed a real misunderstanding of what he was dealing with. First, "just billing information" is anything but. Physician billing in Canada attaches an ICD-9 diagnostic code to each claim, and each claim is linked directly to the patient. The billing data the doctor was referring to therefore contained a diagnosis for every patient he had ever billed. And the link to the patient is a link to the full patient demographics: name, address, phone number, birth date, sex, health card number, social insurance number and so on. Billing data is anything but "just billing information".

Even setting aside the diagnoses, which would make any breach that much worse, the demographic data alone is personally identifiable information and is protected by both federal and provincial privacy legislation.
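To make the point concrete, here is an added example (not code from TimeAcct or the SEMRT blog) that scans a billing export and reports which columns carry a diagnosis and which carry direct identifiers, then rates the file as PHI, PII or neither. The CSV layout, the column names, the sample rows, the ICD-9 code pattern and the Luhn check applied to social insurance numbers and Ontario-style health card numbers are all assumptions of the example rather than facts from the post.

```python
"""Flag diagnosis codes and direct identifiers in a billing export.

Added example for this post; not code from TimeAcct or the SEMRT blog.
The export layout, sample rows, ICD-9 pattern and Luhn-checked
identifier formats are assumptions made for the demonstration.
"""
import csv
import io
import re
from typing import Dict, List, Set

# ICD-9 diagnosis code shape: 3 digits, or V/E-prefixed, with an optional
# 1-2 digit decimal part (assumed format for the export).
ICD9_RE = re.compile(r"^(?:[0-9]{3}|V[0-9]{2}|E[0-9]{3})(?:\.[0-9]{1,2})?$")
SIN_RE = re.compile(r"^[0-9]{9}$")    # Canadian SIN: 9 digits with a Luhn check digit
HCN_RE = re.compile(r"^[0-9]{10}$")   # Ontario-style health number: 10 digits, Luhn (assumed)

# Column-name hints; a column is also flagged when every cell matches a pattern.
HEADER_HINTS = {
    "diagnosis": ("icd", "diag", "dx"),
    "identifier": ("name", "address", "phone", "dob", "birth", "health", "hcn", "sin"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str) -> Set[str]:
    """Labels a single cell triggers on its own."""
    labels = set()
    v = value.strip()
    if ICD9_RE.match(v):
        labels.add("diagnosis")
    digits = re.sub(r"[ -]", "", v)  # SINs are often written as 046 454 286
    if (SIN_RE.match(digits) or HCN_RE.match(digits)) and luhn_ok(digits):
        labels.add("identifier")
    return labels


def classify_column(header: str, values: List[str]) -> Set[str]:
    """A column is flagged by its name, or when every non-empty cell matches.

    Pattern matching alone is a heuristic: a fee of 120.50 looks like an
    ICD-9 code, which is why the header hints are checked as well.
    """
    labels = set()
    lowered = header.lower()
    for label, hints in HEADER_HINTS.items():
        if any(hint in lowered for hint in hints):
            labels.add(label)
    cells = [v for v in values if v.strip()]
    for label in ("diagnosis", "identifier"):
        if cells and all(label in classify_value(v) for v in cells):
            labels.add(label)
    return labels


def scan_export(csv_text: str) -> Dict[str, Set[str]]:
    """Map each flagged column name to the labels it carries."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    findings = {}
    for header in reader.fieldnames or []:
        labels = classify_column(header, [row[header] or "" for row in rows])
        if labels:
            findings[header] = labels
    return findings


def risk_level(csv_text: str) -> str:
    """'phi' when a diagnosis sits beside an identifier, 'pii' for
    identifiers alone, 'none' otherwise."""
    found = set()
    for labels in scan_export(csv_text).values():
        found |= labels
    if "diagnosis" in found and "identifier" in found:
        return "phi"
    if "identifier" in found:
        return "pii"
    return "none"


# Constructed sample rows; the numbers are made up but Luhn-valid.
BILLING_EXPORT = """claim_id,service_date,patient_name,dob,health_card,sin,icd9,fee
1001,2011-03-02,Jane Doe,1962-07-14,1234567897,046 454 286,250.00,35.00
1002,2011-03-02,John Roe,1975-11-30,9876543217,123456782,401.9,22.75
"""

DEMOGRAPHICS_ONLY = """patient_name,dob,phone
Jane Doe,1962-07-14,416-555-0100
"""

if __name__ == "__main__":
    for name, export in (("billing", BILLING_EXPORT), ("demographics", DEMOGRAPHICS_ONLY)):
        print(name, risk_level(export), scan_export(export))
```

Run against the constructed billing export the scanner flags `icd9` as a diagnosis and `patient_name`, `dob`, `health_card` and `sin` as identifiers, so the file rates as PHI; the demographics-only export still rates as PII, which is the second point of the paragraph above. The header hints exist because value patterns alone are heuristic, and a real export should be checked against its schema, not just against this script.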

Another point to consider is that the doctor was moving a business asset out of the business environment and into his home. Would his insurer have covered the loss of that hardware, or the resulting liability, if the breach occurred outside the business premises? The risks of this move far outweighed any gain to the physician. Thankfully, once we pointed out these issues, the physician chose to leave the server in his office; about a year later he decommissioned the old EMR entirely, which is also the point at which its disks need to be wiped or destroyed rather than simply discarded.

Summary:

1. Almost all data in an EMR must be treated as confidential.

2. Do not take data outside of your business environment unless you have a very good reason, and encrypt it if you do.

Welcome to TimeAcct’s SEMRT Blog

Hello Everyone,

Welcome to our blog on Electronic Medical Record data. We will be posting entries here on all aspects of EMR data, to encourage discussion on the topic and to share our thoughts.

We encourage you to join us – and make posts and comments!

G. Bradley MacDonald


Notes:

1. All comments will be held for manual approval. This helps us deal with spam and the other issues that come with running a blog on the Internet.

2. The blog entries that follow are the opinions of their posters; readers should seek pertinent professional advice before acting on any suggestion, real or implied.