Healthcare records by their nature contain sensitive personal data, and the sensitivity is heightened when the records concern particularly vulnerable individuals, such as children. The digitisation of patient records brings efficiencies, such as faster record retrieval and easier information sharing among medical professionals. The same features that make sharing easy, however, also create new or increased risks to patient privacy if access is not properly controlled.
In December 2020, the Swedish Data Protection Authority (DPA) published the findings of an audit of eight health care providers, examining how they manage access to patients’ electronic healthcare records. The audit found significant deficiencies and resulted in fines totalling nearly €3 million.
In this article, we will consider what lessons should be noted by health care providers when managing patient data using electronic record management systems.
The audit included an examination of whether the assignment of system authorisations to individuals was preceded by appropriate needs and risk analyses. In a majority of cases, the DPA found that health care providers had carried out no such analysis, and had not limited users’ authorisations in the electronic record management system to what was strictly necessary for the performance of each individual’s tasks.
While access should be restricted to what the individual needs to perform their health care duties, those needs are likely to change over time, as the role and duties of staff members evolve. As such, they should be kept under review and governed by appropriate organisational measures that ensure evolving needs are reflected in updated controls.
In developing an authorisation structure, organisations may consider:
- Defining different categories of authorisation within the electronic medical record system. The more comprehensive an information system is, the more granular its authorisation levels need to be;
- Implementing a layered approach to the storage of personal data, for example segmenting data according to its sensitivity. Access can then be assigned to each role according to whether its health care duties actually require the data at a given sensitivity level.
The DPA suggests six steps for an effective implementation of the needs and risk analysis:
- Analyse and determine the needs of the organisation;
- Identify and analyse the risk to the privacy of the individuals concerned;
- Identify and take appropriate technical and organisational measures to reduce the risks;
- Based on a strategic analysis of business needs, establish an authorisation structure that supports the needs of the organisation while minimising risks to individuals;
- Document all the steps; and
- Continuously review the authorisation structure and what measures are in place for reducing risks.
Carrying out a needs and risk analysis enables the data controller to establish who needs access, what information they need to access, and in what context that access is needed.
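The authorisation structure the article describes (data segmented by sensitivity, roles granted only the tiers and care units their duties require, grants that lapse so they come up for review, and a log that documents each decision) can be expressed as a small deny-by-default policy model. The following is an added example written for this page, not code from the article, the Swedish DPA or any record system vendor; the roles, sensitivity tiers, care units and sample grants are all hypothetical.

```python
"""Deny-by-default authorisation model for an electronic record system (added example).

Encodes the article's points: sensitivity tiers, role grants scoped to care units,
expiring grants that force periodic review, and a decision log for accountability.
All roles, units and grants below are hypothetical, constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Sensitivity(IntEnum):
    """Data segmented by sensitivity (hypothetical tiers)."""
    ADMINISTRATIVE = 1   # appointment times, contact details
    CLINICAL = 2         # diagnoses, medication, care notes
    RESTRICTED = 3       # e.g. psychiatric care, records of minors


@dataclass(frozen=True)
class Grant:
    """One authorisation category, the output of a documented needs analysis."""
    role: str
    max_tier: Sensitivity        # highest tier the role's duties require
    units: frozenset             # care units where the role performs those duties
    expires: date                # grant lapses unless re-reviewed
    justification: str           # the documented need behind the grant


@dataclass(frozen=True)
class Record:
    patient_id: str
    unit: str                    # care unit holding the record (the access context)
    tier: Sensitivity


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AuthorisationStructure:
    def __init__(self, grants):
        self.grants = {g.role: g for g in grants}
        self.log = []   # who asked for what, in which context, and the outcome

    def decide(self, user_id, roles, record, today):
        """Allow only through a live grant covering both the unit and the tier."""
        reasons = []
        decision = None
        for role in roles:
            grant = self.grants.get(role)
            if grant is None:
                reasons.append(f"{role}: no grant defined")
            elif today > grant.expires:
                reasons.append(f"{role}: grant expired {grant.expires}, pending review")
            elif record.unit not in grant.units:
                reasons.append(f"{role}: not assigned to unit {record.unit}")
            elif record.tier > grant.max_tier:
                reasons.append(f"{role}: {record.tier.name} exceeds {grant.max_tier.name}")
            else:
                decision = Decision(True, f"{role}: {grant.justification}")
                break
        if decision is None:
            decision = Decision(False, "; ".join(reasons) or "no roles held")
        # Every decision is recorded so the controller can demonstrate control later.
        self.log.append((today.isoformat(), user_id, record.patient_id,
                         record.unit, record.tier.name, decision))
        return decision

    def grants_due_for_review(self, today, within_days=30):
        """Roles whose grant has lapsed or lapses soon: input to the review step."""
        return sorted(g.role for g in self.grants.values()
                      if (g.expires - today).days <= within_days)


# Constructed sample authorisation structure (hypothetical roles and units).
SAMPLE_GRANTS = [
    Grant("receptionist", Sensitivity.ADMINISTRATIVE, frozenset({"ward-a", "ward-b"}),
          date(2026, 6, 30), "schedules appointments across both wards"),
    Grant("ward-nurse", Sensitivity.CLINICAL, frozenset({"ward-a"}),
          date(2026, 6, 30), "delivers care on ward A; needs diagnoses and medication"),
    Grant("locum-physician", Sensitivity.CLINICAL, frozenset({"ward-a", "ward-b"}),
          date(2025, 1, 31), "temporary cover; short grant so it is re-reviewed"),
    Grant("psychiatrist", Sensitivity.RESTRICTED, frozenset({"psych"}),
          date(2026, 6, 30), "treats patients in the psychiatric unit"),
]


if __name__ == "__main__":
    auth = AuthorisationStructure(SAMPLE_GRANTS)
    today = date(2025, 3, 1)
    print(auth.decide("n01", ("ward-nurse",), Record("p1", "ward-a", Sensitivity.CLINICAL), today))
    print(auth.decide("n01", ("ward-nurse",), Record("p1", "ward-a", Sensitivity.RESTRICTED), today))
    print(auth.decide("d07", ("locum-physician",), Record("p2", "ward-b", Sensitivity.CLINICAL), today))
    print("due for review:", auth.grants_due_for_review(today))
```

The model deliberately refuses when no grant matches, when the grant has lapsed, when the record belongs to a unit outside the role's scope, or when the record's tier exceeds what the role was analysed as needing; each refusal names the failing condition so the reviewer can tell an under-provisioned user (a needs-analysis gap) from a correct denial. The expiry date is the mechanism that turns "continuously review" into a forcing function rather than a good intention.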
In some cases, health care providers share an electronic medical record system with other providers, so that patient data is accessible across otherwise separate organisations. This adds a further dimension: needs analyses and risk assessments should account for cross-provider access when evaluating appropriate authorisations for staff.
When an insufficient needs analysis is performed, it can lead to:
- staff not having enough access to carry out their duties, which can impact patient care and/or
- a situation where access is not limited to what is needed, and thus presents a risk to patient privacy.
Either outcome can undermine a patient’s confidence in the system. It is therefore essential to develop a well-defined authorisation structure grounded in effective needs and risk analyses, so that users of the electronic record management system are assigned only the privileges their health care duties require, and patient privacy is respected by not granting access beyond that need.
Documenting the needs analyses carried out for allocation of authorisations to individuals helps health care providers to demonstrate that appropriate organisational procedures have been followed and enables them to be accountable for the decisions made as a result. The needs analyses should demonstrate that authorisations to electronic record management systems are linked to the needs of the individual in fulfilling their health care duties.
Where needs and risk analyses are not performed, this will result in the controller not being able to demonstrate sufficient control of the personal data processing that takes place in the medical record system.
We can help
Appropriate governance of electronic medical record systems is essential to ensure the confidentiality and integrity of the data that health care providers manage. Trilateral’s Data Governance and Cyber-Risk Team has significant experience helping health care providers implement measures to facilitate the needs of healthcare organisations and protect the rights of the patients they care for.
We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can audit existing practices, perform gap analyses, and provide support for ongoing compliance. Please feel free to contact our advisors, who would be more than happy to help.