We dealt with this situation a few years ago, when a doctor was converting from one EMR to another. He wanted to keep his old system for reference, but did not want it taking up space in the office. So his solution was to take it home with him. We mentioned to him that doing so would expose him to a lot of liability if he did not first encrypt the disks on the computer he was going to bring home, because it contained medical records. His response was that he only used the old EMR for billing and therefore it only contained the patient billing information, which did not, in his opinion, violate patient privacy.
This response showed his total lack of understanding of what he was dealing with. First, the term “just billing information” is anything but. Billing information in Canada uses ICD9 codes and a direct link to patients. This means that the billing information the doctor was referring to contains the diagnosis for all his patients! As well, the tie to the patient was a direct link to the entire patient demographics (name, address, phone, birthdate, sex, health card number, social insurance number, etc.). Billing data is anything but ‘just billing information’!
Aside from diagnosis information in the above example, which would make any privacy breach just that much worse, the demographics information alone is considered personally identifiable information and is protected by both Federal and Provincial legislation.
Another point to consider is that the doctor was moving a business asset out of the business environment and into his home. Would his insurance company have covered any loss of that hardware or liability if the breach occurred outside of the business premises? The risks associated with this action far exceed any possible gains on the part of the physician. Thankfully, once we pointed out these issues, the physician chose to leave the server in his office over a period of a year and then decommissioned the entire older EMR.
1. Almost all data in an EMR should be kept private.
2. Do not take data outside of your business environment unless you have a very good reason.