Electronic Messaging: What About Patient Privacy?

The College has seen an increase in the use of unsecured electronic methods by pharmacy professionals and other healthcare professionals to communicate with each other and with patients for purposes such as information gathering, the provision of care, consultations, education, and administrative tasks. These methods can include email, text message, social media, and messaging services such as Whatsapp or Facebook messenger.

However, the use of these technologies, instead of systems such as EMRs, clinical viewers or secured healthcare-focused platforms, can present serious risks to the security of the personal health information of patients and have the potential to lead to a privacy breach.

Important Things to Know About Protecting Personal Health Information

As health information custodians, registrants must follow the rules established by the Personal Health Information Protection Act (PHIPA) and are accountable for taking reasonable steps to protect personal health information and keep it secure. This obligation includes the proper use of physical, administrative, and technical safeguards.

Registrants should also comply with the policies and procedures set out by the pharmacy and/or institution to use, protect, store and dispose of personal health information.

PHIPA requires health information custodians to notify the Information and Privacy Commissioner of Ontario (IPC) at the first reasonable opportunity about certain privacy breaches. These breaches include use or disclosure of personal health information without authority (or further use or disclosure after a breach), stolen information, a pattern of similar breaches, and significant breaches. More information is available from the IPC.

Common Risks Involved in Communicating via Unsecured Messaging Tools

Common risks of communicating personal health information via unsecured electronic messaging can include:

• Information can be sent to the wrong recipient
• Information can be intercepted
• Loss or theft of mobile devices
• Messages can be forwarded to others without the knowledge of the original sender
• Use of unsecure networks, such as public Wi-Fi
• Potential hacking of files or accounts
• Content, images or attachments included as part of the message may not be managed properly on mobile devices (i.e., retained beyond their immediate use)
• Spoofing (i.e., an individual presenting like they are someone else)

It’s important to know that the unauthorized access or disclosure of personal health information can result in harm to patients and cause a loss of trust in the care they receive. It can also result in potential investigation by the IPC, employers and/or the College.

Using Electronic Communication with Patients and Caregivers

When deciding if, when and how to use electronic messaging, registrants can consider the following:

• Technical safeguards in use. These safeguards include strong passwords, two factor authentication, firewalls and anti-malware protection, regular updates of applications to incorporate the latest security patches, adjusting settings to the most privacy protective setting and verifying the identity of the recipient prior to sharing information. Registrants should also be aware of what and how information might be collected or used by the technology platform.
• Encryption. The IPC expects that email communication of personal health information among custodians (i.e., between healthcare professionals) will be secure from unauthorized access by use of encryption, barring exceptional circumstances. If possible, healthcare providers should also use encryption when communicating with patients. If only unencrypted messaging to patients is available then custodians should avoid including personal health information (i.e., only communicating regarding administrative matters such as scheduling or reminders).
• Informed consent. If it is not possible to use encrypted electronic communications with patients, then express patient consent should be obtained prior to use. The informed consent should include how this communication will be used, the type of information being communicated, how it will be processed and the limitations and risks of using unencrypted digital communications. If sharing the identifiable personal health information of patients with colleagues, it is important to consider whether the recipient is within the patient’s circle of care. If they are not, then consent may need to be obtained from the patient.
• Minimize the data shared. It is a good practice to minimize the amount of personal health information shared via messaging and focus only on what is needed to achieve the desired outcome (such as answer a question on a prescription, consult a colleague etc.) Even if sharing patient information without naming the individual (such as for learning purposes or discussion among clinicians), it’s important to ensure that the patient cannot be identified. The Advice to the Profession: Social Media from CPSO points out that an unnamed patient may be identified through a range of information and that informed consent may be required where there is any doubt that the patient can be kept anonymous.
• Retention and documentation. Personal health information should only be stored on email servers, within applications or on portable devices for as long as necessary to serve the intended purpose (for example, if an image is taken of a prescription, consider how long and where it should be stored on the mobile device). Registrants should be aware of all the places where information is being stored (for example, if content from a device is being automatically backed up in the cloud) and ensure they manage access and security appropriately. Ensure that any relevant information and communication is documented in the patient’s record as well (e.g., confirmation from a prescriber, expert opinions sought, information provided by patient).
• Policies, procedures, and training. Registrants should follow the policies, procedures and training set out by the operator of the pharmacy or institution.

Registrants and pharmacy managers may wish to consider undertaking a Privacy Impact Assessment, which is a self-assessment process designed by the IPC to help health information custodians to review the impact a program, technology or system may have on the privacy of personal health information.

Before using electronic messaging with patients and providers, have you considered?

Remember, Safeguarding Patient Privacy is a Must

Electronic messaging can be a convenient way to communicate with healthcare providers and patients for a variety of purposes, including scheduling, reminders, consults, gathering information and seeking clarification.

However, pharmacists and pharmacy technicians should keep in mind the potential risks and limitations of using unsecured messaging channels and use caution whenever sharing patient health information beyond the pharmacy via these platforms. Registrants are strongly recommended to use encrypted communication and/or secured healthcare-specific software and applications to communicate personal health information to prevent privacy breaches and protect patient privacy.

Helpful Resources

• Record Retention, Disclosure and Disposal Guideline
• Designated Manager – Professional Supervision of Pharmacy Personnel
• Communicating Personal Health Information by Email – Information and Privacy Commissioner of Ontario
• Circle of Care: Sharing Personal Health Information for Health-Care Purposes – Information and Privacy Commissioner of Ontario
• Privacy and Security Considerations for Virtual Health Care Visits – Information and Privacy Commissioner of Ontario
• Privacy and Confidentiality – Canadian Medical Protective Association
• Texting safely about patient care: Strategies to minimize the risks – Canadian Medical Protective Association
• How to Communicate PHI Securely – OntarioMD
• Advice to the Profession: Social Media – College of Physicians and Surgeons of Ontario
• Protecting Personal Health Information – College of Physicians and Surgeons of Ontario