Privacy & Confidentiality of Electronic Medical Records

Information security in health care raises new threats to the privacy and confidentiality of patients' health information. These threats relate to user authentication, physical security, data ownership, access control, network security, education of users and various legal and ethical issues.

These issues are described below:

  • Authenticated user: identification and authentication of users logging in to the system is of utmost importance. User roles and privileges have to be defined as an integral part of system security.
  • Physical security of data centre sites: the security of sensitive data centre and terminal locations is a priority. Besides this, access of physicians and other authorized users to the computer hardware has to be controlled and monitored. Policies for prevention of theft, and backup and disaster recovery plans, have to be in place.
  • Access control systems: physical devices and logical mechanisms that control access to system resources, such as biometric access control systems and smart card systems, must be used.
  • Data ownership: issues of ownership of data in the EMR should be handled carefully in terms of definition of roles, privileges and authorized access to select data in the EMR. It should be very clear as to who owns which data in the EMR.
  • Data protection policies: institutional policies should be in place that clearly define the flexibility or rigidity of action towards those misusing system privileges.
  • In-built system security: the system should have built-in intelligence to partition and secure data on central and local systems. System security should remain unaffected by system upgrades.
  • Destruction and disposal of hard copy materials: security breaches from paper copies of sensitive electronic documents and data should be prevented.
  • System integrity: system data, physical computer and network systems have to be accurate and reliable.
  • User profiles: user types and roles have to be clearly defined in order to distinguish the functional needs and security levels of users.
  • Legal and liability issues: these relate to use and misuse of the system that involves potential liabilities or legal concerns for participating organizations, including protection under existing computer crime laws, liabilities when a record is compromised and requirements for user penalties under contracts.
  • System audits and auditability: these are needed for intrusion detection and notification of intrusions. Notification mechanisms for other types of security problems should be considered.
  • Network security: network security of bridges and routing equipment, passing of authorization tokens, data encryption, electronic signatures and non-repudiation of messages are crucial.
  • Informed consent: needs to be taken from patients or their family for potential use of medical data.
  • Education of users: users have to be regularly educated about their responsibilities as system users and the risks associated with their non-vigilant actions.

Contributed by: Ms. Ranjeeta Basra K., Assistant Professor, IIHMR, New Delhi, India
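
The points above on user roles, authorized access to select data and auditability can be shown together in code. This Python example is added here and is not part of the original article: it releases only the EMR fields a role may read and records every access attempt in a hash-chained audit log, so later edits to the log are detectable. The role names, field names and sample record are constructed assumptions.

```python
import hashlib
import json

# Constructed role-to-field policy (assumption): EMR fields each role may read.
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "medications", "lab_results"},
    "billing_clerk": {"name", "insurance_id"},
    "researcher": {"diagnosis", "lab_results"},  # no direct identifiers
}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry carries the hash of the previous entry."""
    def __init__(self):
        self.entries = []

    def append(self, user, role, patient_id, granted, denied):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"user": user, "role": role, "patient_id": patient_id,
                "granted": sorted(granted), "denied": sorted(denied), "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Return True only if every entry's hash and back-link check out."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

def read_record(user, role, record, requested, log):
    """Return only the requested fields the role may see; log every attempt."""
    allowed = ROLE_FIELDS.get(role, set())  # unknown role: deny everything
    granted = {f for f in requested if f in allowed and f in record}
    denied = set(requested) - granted
    log.append(user, role, record["patient_id"], granted, denied)
    return {f: record[f] for f in granted}

# Constructed sample record.
RECORD = {"patient_id": "P-0001", "name": "Test Patient", "diagnosis": "asthma",
          "medications": ["salbutamol"], "lab_results": {"fev1": 2.9},
          "insurance_id": "INS-TEST-1"}

if __name__ == "__main__":
    log = AuditLog()
    print(read_record("dr_a", "physician", RECORD, ["name", "diagnosis"], log))
    print(read_record("clerk_b", "billing_clerk", RECORD, ["name", "diagnosis"], log))
    print(log.entries[-1]["denied"], log.verify())
```

The chain detects altered or reordered entries; detecting removal of the most recent entries additionally requires storing the latest hash somewhere the log's administrators cannot change.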