RCDSO Guidelines Electronic Records Management
6 Crescent Road
Toronto, ON Canada M4W 1T1
T: 416.961.6555 F: 416.961.5814
Toll-free: 800.565.4591 www.rcdso.org

ADDITIONAL ISSUES
APPENDIX
Additional Resources and Reference Materials Available on the Internet
2 Guidelines: Electronic Records Management
Introduction
Professional, ethical and legal responsibilities dictate that dentists must create and maintain records documenting all aspects of each patient’s dental care. The extent of these records will vary, depending on the conditions with which the patient presents and the complexity of the treatment that is required. However, certain baseline data should be kept for all patients, as described in the College’s Guidelines on Dental Recordkeeping. This information includes:
• accurate general patient information;
• a medical history that is regularly updated;
• a dental history;
• an accurate description of the conditions that are present on initial examination, including an entry such as “within normal limits” where
• a record of the significant findings of all supporting diagnostic aids, tests or referrals such as radiographs, study models, reports from specialists;
• a diagnosis and treatment plan;
• a notation that informed consent was obtained from the patient for treatment;
• a notation that patient consent was obtained for
• a description of all treatment that is provided, materials and drugs used and, where appropriate, the outcome of the treatment;

In addition to their content, the manner in which records are created and maintained will vary and, in many respects, this is currently changing. Historically, dentists have used paper charts and ledgers to keep records for their patients.

However, the use of electronic records by dentists, including digital radiography, has grown substantially in Ontario, and the sophistication of hardware and software has evolved significantly since the Guidelines on Dental Recordkeeping were originally issued in June 1995.

Dentists are permitted to use electronic records for their patients, but they must comply with all requirements of traditional dental records. Moreover, the nature of electronic records raises additional issues for both dentists and patients, particularly with respect to accuracy, authenticity and access.

ACCORDING TO HEALTH CANADA, PATIENT MANAGE-
DEVICE AND MUST BE CLASSIFIED IN ACCORDANCE WITH THE RULES UNDER THE MEDICAL DEVICES REGULATION.

ANY PATIENT MANAGEMENT SOFTWARE THAT IS USED ONLY FOR VISUALIZING, ACQUIRING, TRANSFERRING OR STORING DATA OR IMAGES IS CONSIDERED A CLASS I MEDICAL DEVICE.

CAPABILITIES BEYOND BASIC DATA VISUALIZATION, ACQUISITION, TRANSFER AND STORAGE IS CONSIDERED A CLASS II MEDICAL DEVICE, WHICH REQUIRES A
SALE, IMPORTATION AND DISTRIBUTION IN CANADA. THIS INCLUDES ANY PATIENT MANAGEMENT SOFTWARE INVOLVED IN DATA MANIPULATION, DATA ANALYSIS, DATA EDITING, IMAGE GENERATION, DETERMINATION OF MEASUREMENTS, GRAPHING, FLAGGING OF RESULTS,
CALCULATIONS.
There is increasing pressure on all health care professionals to convert from paper records to electronic records. The province of Ontario has committed to implementing a comprehensive electronic health record for all Ontarians, and similar efforts are being made in other provinces and nations.

Electronic records offer many benefits to dentists and patients. They require less space and fewer administrative resources to maintain, while supporting improved clinical decision-making, leading to more effective diagnosis and treatment, greater patient safety and increased efficiency. On the other hand, electronic records present unique security and privacy risks, such as the potential for exposing the personal health information of patients to hackers and others with malicious intent. The design and implementation of an electronic records management system requires careful consideration in order to address these risks, including the use of access controls, audit trails, encryption and other safeguards.

The risk of exposing personal health information may be greatest during the transition from paper records to electronic records. Many factors converge to increase this risk:
• Staff may not be fully trained on using the new electronic records management system, increasing the likelihood of human errors.
• During the initial implementation phase, the new electronic records management system may not be fully functional, and the security and privacy features of the system may be either turned off or set to a default minimal standard of protection.
• The conversion of existing paper records to electronic format may require more frequent access to records of personal health information by a broader range of persons than would normally be the case.
• Records may be duplicated in both paper and electronic formats, potentially doubling the volume of records that need to be protected.
• The archiving, retention and disposal of paper records, if not carried out in a secure manner, may also pose a threat to security and privacy.
• Dentists may require assistance from third-party service providers to make the transition, creating an additional layer of complexity to the security and privacy risks that must be managed.

To date, there have been few guidelines regarding electronic records management for health care professionals. Those dentists who wish to use electronic records should implement these guidelines as soon as practicable. The purpose of this document is to describe the essential principles in managing and protecting electronic records from the moment of their creation or capture, as well as the minimum requirements of related electronic records management systems.

IMPORTANT
In this document, the following assumptions have been made:
1. Electronic records comply with all recordkeeping principles and requirements, as outlined for traditional dental records.
2. The electronic records management system is based on a private computer and network infrastructure (e.g. privately managed local area or wide area networks), where the ultimate control and responsibilities remain with the dentist, and does not involve any hosting or management of patient records with an external service provider (e.g. cloud computing).
3. All electronic copies of patient records in all locations are appropriately secured.
4. The electronic records management system has no wireless access points, unless they are appropriately secured.
5. The term “user” encompasses any entity that may access the electronic records management system, including a person, a computer services account, a software application or a computer system.
(ERMS) captures and organizes electronic records, manages and protects them from unauthorized
AND MAINTENANCE OF COMPUTER EQUIPMENT AND OTHER ELEMENTS OF THE SYSTEM.

[Figure: Functional Path of Electronic Records]
EACH PATIENT MUST BE ASSIGNED AN IDENTIFIER OR PATIENT ID THAT CAN UNIQUELY IDENTIFY THE PATIENT WITHIN THE ERMS. THE PATIENT’S HEALTH OR SOCIAL INSURANCE NUMBER MUST NOT BE USED FOR THIS PURPOSE.

described in the following sections on physical

The ERMS must be capable of the following:
• providing a secure means of access to all recorded clinical and financial information for
patient promptly and in chronological order.

As well, electronic financial records should provide an accurate reflection of the current status or running balance of each patient’s account, in keeping with standard accounting practices.

RADIOGRAPH OR STUDY MODEL FOR A PATIENT MAY BE CAPTURED BY THE ERMS, WHICH SERVES AS A COPY OF THE ORIGINAL. THE PAPER RECORD, DENTAL RADIOGRAPH OR STUDY MODEL MAY THEN BE PLACED
IMPORTANT TO NOTE THAT ORIGINAL PAPER RECORDS,
There are three basic types of functions:
1. Read – The user can read information in a system resource, such as a patient record, but cannot alter it.
2. Write – The user can add information in a system resource.
3. Execute – The user can run a program.

These privileges may be used alone or in combination. For example, an individual staff member may be given read and write access to patient records, but not execute privileges to run programs.

In appropriate circumstances, an individual staff member may be registered with more than one non-overlapping role in the dental office, each with a unique user ID, in order to carry out specific tasks. In all circumstances, the ERMS should ensure that a user may access applications

Although privileges are assigned to authorized users at initial registration, they should be
required. Further, the system must support the revocation of access privileges; that is, a user must
system once his/her privileges have been revoked.

An audit trail is a record of events or actions concerning the activity of the operating system, a software application or a person using the system. A system may have several audit trails, each devoted to maintaining a record of a specific type of activity.

Audit trails are the means by which several security-related objectives are accomplished, including individual accountability, the reconstruction of events and intrusion detection.

Audit trails should contain the necessary information to answer the following questions:
• For a given user, what patient record did the user access, create or alter, what did the user do and when?
• For a given patient record, what users have accessed, created or altered the patient record, what did the users do and when?

AT MINIMUM, AN AUDIT TRAIL MUST CONTAIN THE
B) THE ROLE THE USER IS EXERCISING;
C) THE PRACTICE LOCATION AND SPECIFIC COMPUTER
D) THE IDENTITY OF THE PATIENT;
E) THE ACTIVITIES PERFORMED BY THE ACCESSING
F) AN ACCURATE DATE AND TIME STAMP.

For example, an audit trail should be capable of displaying the content of a patient record at any point in the past, as well as the associated metadata of who accessed the record, what alterations were made and when this was done.
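
An added illustration, not part of the RCDSO guideline: a minimal append-only audit trail in Python that records the fields listed above, enforces read and write privileges by role (including revocation), answers the two audit questions, and replays the trail to show a patient record as it stood at a past time. The role names, identifiers, sample entries, the `user_id` field and the logging of refused attempts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Role names are assumptions; read/write/execute are the guideline's privilege types.
ROLE_PRIVILEGES = {"receptionist": {"read"}, "hygienist": {"read", "write"}}

@dataclass(frozen=True)
class AuditEvent:
    user_id: str         # assumed field: the acting user's unique user ID
    role: str            # the role the user is exercising
    location: str        # practice location and specific computer
    patient_id: str      # ERMS patient ID, never a health or social insurance number
    activity: str        # "access", "create", "alter" or "denied"
    timestamp: datetime  # date and time stamp
    content: Optional[str] = None  # record content after a create or alter

class Erms:
    def __init__(self):
        self.users = {}  # user_id -> role; deleting the entry revokes access
        self.trail = []  # audit trail, only ever appended to

    def _act(self, user_id, privilege, activity, location, patient_id, when, content=None):
        role = self.users.get(user_id, "none")
        allowed = privilege in ROLE_PRIVILEGES.get(role, set())
        # Refused attempts are recorded as well (a design choice of this example).
        self.trail.append(AuditEvent(user_id, role, location, patient_id,
                                     activity if allowed else "denied", when,
                                     content if allowed else None))
        if not allowed:
            raise PermissionError(f"{user_id} has no {privilege} privilege")

    def write(self, user_id, location, patient_id, content, when):
        exists = self.record_as_of(patient_id, when) is not None
        self._act(user_id, "write", "alter" if exists else "create",
                  location, patient_id, when, content)

    def read(self, user_id, location, patient_id, when):
        self._act(user_id, "read", "access", location, patient_id, when)
        return self.record_as_of(patient_id, when)

    def by_user(self, user_id):  # which records did this user touch, how, and when?
        return [(e.patient_id, e.activity, e.timestamp) for e in self.trail if e.user_id == user_id]

    def by_patient(self, patient_id):  # which users touched this record, how, and when?
        return [(e.user_id, e.activity, e.timestamp) for e in self.trail if e.patient_id == patient_id]

    def record_as_of(self, patient_id, when):
        # Replay create/alter events in time order to show the record as it stood at `when`.
        content = None
        for e in sorted(self.trail, key=lambda e: e.timestamp):
            if e.patient_id == patient_id and e.content is not None and e.timestamp <= when:
                content = e.content
        return content

def at(hour):  # constructed timestamps for the sample data
    return datetime(2024, 3, 1, hour, tzinfo=timezone.utc)

def demo():
    erms = Erms()
    erms.users.update({"u-hyg-01": "hygienist", "u-rec-01": "receptionist"})
    erms.write("u-hyg-01", "main/op-2", "P-1001", "exam: within normal limits", at(9))
    erms.write("u-hyg-01", "main/op-2", "P-1001", "exam: caries, tooth 36", at(11))
    erms.read("u-rec-01", "main/front-desk", "P-1001", at(12))
    del erms.users["u-rec-01"]  # revocation
    try:
        erms.read("u-rec-01", "main/front-desk", "P-1001", at(13))
    except PermissionError:
        pass  # refused, and the attempt is in the trail
    return erms
```

Calling `demo().record_as_of("P-1001", at(10))` returns the 09:00 entry, while the same query at `at(12)` returns the altered entry; the revoked receptionist's 13:00 attempt appears in `by_user("u-rec-01")` as `denied`.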
For example, if the system fails or the integrity of a patient record is questioned, an analysis of the audit trail can reconstruct the series of steps that were carried out by the system, a software application or any user.

In addition, audit trails may aid in the recovery process. For example, if a patient record is corrupted, an audit trail analysis can be done to ascertain the alterations made and reconstruct it.

Audit trails may be used to detect users
system. They may also be used to detect changes

Accordingly, dentists should avoid using e-mail to communicate the personal health information of patients, unless they are employing a secure e-mail service with strong encryption.

THE INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO (IPC) HAS ADVISED THAT EVEN IF PATIENTS ARE WILLING TO ACCEPT THE RISK OF UNAUTHORIZED DISCLOSURE OF THEIR PERSONAL HEALTH INFORMATION IN EXCHANGE FOR THE CONVENIENCE OF
THEIR DUTY TO TAKE STEPS THAT ARE REASONABLE IN
HEALTH INFORMATION IN THEIR CUSTODY AND CONTROL.
THE TERM “STRONG ENCRYPTION” DOES NOT REFER TO A PARTICULAR TECHNICAL OR DESIGN SPECIFICATION, OR A DISTINCT ENCRYPTION FEATURE. RATHER, A VARIETY OF CIRCUMSTANCES AND FACTORS NEED TO BE CONSIDERED IN ORDER TO ENSURE THAT PERSONAL HEALTH INFORMATION IS ADEQUATELY PROTECTED.
ONTARIO (IPC) HAS PROVIDED A WORKING DEFINITION FOR STRONG ENCRYPTION, AS WELL AS GUIDANCE ON THE MINIMUM TECHNICAL AND FUNCTIONAL REQUIREMENTS FOR A HEALTH CARE ENVIRONMENT. FOR MORE DETAILED INFORMATION, REFER TO FACT SHEET 16: HEALTH-CARE REQUIREMENT FOR STRONG ENCRYPTION, WHICH IS AVAILABLE ON THE WEBSITE OF THE IPC AT WWW.IPC.ON.CA.

such as from a home computer or wireless device, via external internet connection to the ERMS) in dentistry is increasing and offers many advantages. However, it also raises significant security and privacy concerns for dentists, due to the

The use of teleworking should be prohibited, unless a clear security policy is in place and the user agrees to abide by it. See the section on Security Policy for the Dental Office on page 12. Even so, it should be strictly limited to authorized users, and restrictions may be imposed on the connection duration and window (e.g. time-of-day, day-of-week). In addition, the use of teleworking must require minimum two-factor authentication and employ strong encryption.

BACK-UP AND CONTINGENCY PLANNING

All existing electronic patient records and critical data must be backed-up on a routine (i.e. daily) basis and stored in a physically secure environment off-site. Further, recovery procedures should be periodically tested to ensure that all patient records and critical data can be retrieved and reliably restored from the backup copy.

SHOULD KNOW THE DENTAL OFFICE’S SECURITY MANAGEMENT PROTOCOL TO ENSURE THAT THE NECESSARY STEPS ARE TAKEN TO ENSURE A RAPID, EFFECTIVE AND ORDERLY RESPONSE TO MINIMIZE ANY LOSS OF CONFIDENTIALITY OR DATA AND SYSTEM INTEGRITY.

The physical setup and environment of the ERMS should be evaluated to protect it from environmental threats and hazards, such as fires and floods, as well as power failures or surges and other electromagnetic disruptions.
In the event of a disaster or catastrophic failure of the ERMS, business continuity may be at significant risk. It is important to have a contingency plan in place to provide for business continuity, both from the perspective of the safe treatment of patients and the maintenance of required dental recordkeeping.

Copies of all ERMS software programs should be kept to facilitate recovery and consideration should be given to equipping a standby system. In addition, traditional paper records and dental radiographs should be available, in case they are needed for a period of time until the ERMS can be reliably restored.

DATA MIGRATION

As noted above, the ERMS must be capable of periodic upgrades to reflect the changing requirements of the dental office. There will come a time, however, when a decision is made to switch to a new ERMS, at which point the dentist must consider how to maintain the integrity of existing electronic patient records and critical data.

Options include migrating the patient records from the old ERMS to the new ERMS or archiving the patient records on the old ERMS.

Regardless of how the switch to a new ERMS is accomplished, the dentist must ensure that a secure means of access to all recorded information for each patient is maintained, and that the recorded information and related metadata is not compromised or otherwise changed in the process.

RETENTION AND DISPOSAL

medium in which they are kept. In general, all clinical, financial and drug records, and radiographic and consultant reports that are made in respect to an individual patient must be maintained for at least 10 years from the date of the last entry in that record. In the case of a minor, these records must be kept for at least 10 years after the day on which the patient reached the age of 18 years. This includes appointment records, lab prescriptions and invoices.

Once the retention period has been satisfied, the records for a patient may be disposed of in a manner that maintains confidentiality.

THE DISPOSAL OF ELECTRONIC PATIENT RECORDS

Effective disposal of electronic patient records requires that they be permanently deleted or irreversibly erased, including any back-up or other copies (e.g. copies created by the ERMS for system purposes). An audit trail should maintain a record of the name of the patient whose personal health information was disposed, the time period to which the information relates, and the person responsible for authorizing the disposal of the information.

In the event that electronic media (e.g. hard drives and other storage devices found in computers, servers, photocopiers, fax machines, scanners, printers, etc.) are to be disposed, dentists must ensure that all patient records are permanently deleted or irreversibly erased from them. Alternatively, the device may be physically destroyed.

MEDIA DEVICE THAT HAVE STORED PATIENT RECORDS.
The dentist must assume responsibility for setting and enforcing a security policy for the dental office, dealing with the roles and responsibilities of staff and third-party contractors who are authorized to access the ERMS.

In order to ensure that the security policy for the dental office adequately addresses all necessary criteria, a logical and deliberate process should be followed. The first step is to conduct a comprehensive threat and risk assessment of the ERMS, and create an inventory of all assets. This should be repeated on an annual basis. The next step is to develop and maintain a written security policy for the dental office. It should address the following:
• the responsibility of all staff for the security and privacy of the personal health information of
• education and training of all staff in security and privacy policies and procedures;
• the security roles and responsibilities of all

If services are provided by a third-party contractor, there should be a formal written agreement in place, which addresses the following:
• the responsibility for the security and privacy of the personal health information of patients;
• all repairs, changes and upgrades to the ERMS must be authorized and documented;
• all planned new information systems, upgrades and new versions must meet acceptance criteria;
• functional and security tests of the ERMS must be carried out prior to acceptance;
• all existing electronic patient records and critical data must be continually safeguarded during upgrades.

THE TERMS AND CONDITIONS OF EMPLOYMENT FOR ALL STAFF AND THIRD-PARTY CONTRACTORS SHOULD
FOR THE SECURITY AND PRIVACY OF THE PERSONAL HEALTH INFORMATION OF PATIENTS, WHICH SHOULD SURVIVE THE TERMINATION OF EMPLOYMENT OR
Regardless of the type of records that are used, health care providers have a duty to ensure that the personal health information of patients is protected at all times.

Ontario’s Personal Health Information Protection Act (PHIPA) permits all health information custodians, including dentists, to collect, use and disclose personal health information for the purposes of providing health care, or facilitating the provision of health care, to patients. However, PHIPA also requires health information custodians to take steps that are reasonable in the circumstances to ensure that the personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure, and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

If personal health information is lost, stolen or accessed by unauthorized persons, health information custodians must notify the affected patients at the first reasonable opportunity. In addition, health information custodians must ensure that records of personal health information in their custody or control are retained, transferred and disposed of in a secure manner.

THE INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO (IPC) HAS ISSUED AN ORDER (H0-004), WARNING HEALTH INFORMATION CUSTODIANS ABOUT THE RISKS OF STORING PERSONAL HEALTH INFORMATION ON PORTABLE MEDIA. THE IPC STATED THAT IN THE EVENT A PORTABLE STORAGE DEVICE WAS LOST OR STOLEN, IT WOULD NOT BE REGARDED AS A PRIVACY BREACH IF SUFFICIENT SAFEGUARDS WERE IN PLACE TO ENSURE THAT THE PERSONAL HEALTH INFORMATION WAS NOT DISCLOSED, SUCH AS STRONG ENCRYPTION.
Additional Issues
As the use of electronic records and digital technology in health care is increasing, issues are emerging that raise new medico-legal questions, which are still to be addressed.

For example, software programs and devices have been developed that allow a person to electronically sign a document, such as a medical history questionnaire. The term “electronic signature” refers to electronic information that a person creates or adopts in order to sign a document, and that is attached to or associated with the document. One method involves the use of a special pen with a computer screen or touchpad, which captures a digital image of a handwritten signature. Other methods involve the use of letters, numbers or symbols that are attached to or associated with the document.

In order to be accepted as valid, dentists must be able to demonstrate that the person’s electronic signature was unique, and that it was properly associated with the document in question via auditable means.

Cloud computing raises significant security and privacy questions for dentists, who are responsible for the custody and control of personal health information. Dentists considering a cloud service provider should perform due diligence, assess the risks involved, minimize the amount of personal health information exposed and provide for appropriate remedies.

A further example relates to internet-based products for patients that allow them to create their own health records. Patients may collect health information about themselves, maintain it online and grant access to their healthcare providers.

Dentists should be cautious about relying on information contained in a patient-created health record, and take appropriate steps to verify that it is accurate and complete.
Appendix
Electronic Records Handbook: Implementing and Using Electronic Medical Records (EMRs) and Electronic Health Records (EHRs), 2009
Canadian Medical Protective Association
www.cmpa-acpm.ca/cmpapd04/docs/submissions_papers/pdf/com_electronic_records_handbook-e.pdf

Notice: Classification of Medical Devices Class I or Class II Patient Management Software, 2010
Health Canada
www.hc-sc.gc.ca/dhp-mps/alt_formats/pdf/md-im/activit/announce-annonce/md_notice_software_im_avis_logicels-eng.pdf

Fact Sheet 12: Encrypting Personal Health Information on Mobile Devices, 2007
Information & Privacy Commissioner of Ontario
www.ipc.on.ca/images/Resources/up-fact_12e.pdf

Fact Sheet 14: Wireless Communication Technologies: Safeguarding Privacy & Security, 2007
Information & Privacy Commissioner of Ontario
www.ipc.on.ca/images/Resources/up-1fact_14_e.pdf

Get Rid of It Securely to Keep It Private – Best Practices for the Secure Destruction of Personal Health Information, 2009
Information and Privacy Commissioner of Canada
www.ipc.on.ca/images/Resources/neid.pdf

Personal Health Information: A Practical Tool for Physicians Transitioning from Paper-Based Records to Electronic Health Records, 2009
Information & Privacy Commissioner of Ontario
www.ipc.on.ca/images/Resources/phipa-toolforphysicians.pdf

Information and Documentation – Records Management, Part 1: General (ISO 15489-1), 2001
International Organization for Standardization
www.iso.org

Information and Documentation – Records Management, Part 2: Guidelines (ISO 15489-2), 2001
International Organization for Standardization
www.iso.org