Risk management for healthcare entities: Physical protection of patient records

Doctor working on a computer in hospital office with paperwork. Medical healthcare concept.

Healthcare entities have an ethical and legal obligation to uphold patient confidentiality and protect patient records across all environments, whether they are in a filing cabinet or electronically stored on the cloud. Even as healthcare entities transition from paper-based records to electronic files, it remains critical that they have physical measures in place to secure documents. Patient records include any documents with patients’ personal health information (PHI), such as details about their past, present, or future physical or mental condition, healthcare plans, payments, or eligibility for healthcare.

To adequately protect patient records, healthcare entities must implement the appropriate safeguards across their organization. In this context, safeguards are any controls around the physical access, storage, and usage of patient files and records, including necessary measures to secure documents from unauthorized access.

As part of their approach to patient record protection, healthcare entities must consider the range of risks in the physical environment and address them with a comprehensive risk management plan. Equipped with a layer of effective controls as well as a holistic approach, healthcare entities are better positioned to mitigate risks associated with patient privacy, safety, and confidentiality.

The following guidance highlights key risk controls healthcare entities may implement to protect the patient records under their custody. It is not an exhaustive list and should be used in conjunction with internal policies and procedures, as well as in compliance with local laws and regulations.

1. Code of conduct

Amending your code of conduct to include best practices, policies, and procedures for protecting patient records can help create alignment between all members of your organization. It should reinforce the importance of maintaining patient privacy and confidentiality in a healthcare environment and provide specific guidance on how patient records should be accessed, stored, and used across the organization.

Code of conduct

Develop comprehensive policies and procedures that address:
- Physical protection of patient records, including during access, storage, and usage
- Use of appropriate physical protection relative to the sensitivity of the file and information
These policies and procedures should include the following:
- Commitment to safeguarding patient records under its custody
- Establishment of where the policies and procedures are enforced
- Expected accountability of all parties, including:
  - Employees
  - Independent practitioners (For example, physicians and midwives)
  - Volunteers
  - Students
  - Vendors
  - Patients and families
Unacceptable behaviour (For example, leaving patient files unattended in a public area where unauthorized individuals can access them)
Available support services internal and external to the organization
Definitions and examples of patient records, such as:
- Physician order and progress notes
- Nursing and allied health progress notes
- Health history and assessment notes
- Medical history and administration notes
- Diagnostic imaging results and notes
- Laboratory results and notes
Definitions and examples of physical controls and access measures, such as:
- Locked file cabinets, desks, and closets
- Restricted office spaces
- Mechanical locks and access (For example, keys)
- Electronic locks and access (For example, ID badges, card swipes, keypads)
- Ensure that training regarding the policies is mandatory for all individuals and groups
- Ensure the policies are accessible to all individuals and groups

2. Access

Healthcare entities must consider the types of patient records under their custody, who has authorized access to these files, and the appropriate physical measures to safeguard records. The physical access security measures they adopt should include the following:

Establishing physical access control for designated areas through a blend of the following controls:
- Mechanical access (For example, keys)
- Electronic access swipes (For example, fobs, badges, keypads)
- Alarm keypad systems (For example, mechanical or electronic)
Installing alarm systems to monitor authorized and unauthorized access to designated areas
Changing alarm system passcodes and keypad access codes on a regular basis
Appointing designated individual(s) to manage and document access management

3. Storage and on-premises use

When reviewing a patient’s records is necessary for the delivery of healthcare services, healthcare entities need to ensure that only authorized individuals have access to them and that they are stored properly when not in use. The security measures that should be adopted by healthcare entities include the following:

Storing physical patient records in locations where unauthorized individuals cannot view them, such as:
- Lockable file drawers or cabinets
- Controlled access buildings, rooms, or designated areas
Closing the drawers and cabinets when not in use
Locking the drawers and cabinets when leaving the area or workstation
Positioning screens or displays that contain patient information away from plain view
Covering any records that contain patient information when in use but not actively being viewed
Not leaving documents unattended at printers, photocopiers, or fax machines, or open computer screens
Returning documents to the secured filing location as soon as possible

4. Off-premises use

There are instances when patient records are required to be taken off-premises, such as while delivering in-home care or travelling to another satellite location. In support of this, healthcare entities should adopt the appropriate safeguards to protect patient records and reduce the risk of unauthorized access off-premises.

Obtain approval from responsible parties, as designated in organizational procedures, prior to removal of patient records from the premises
Utilize a sign-out system to document:
- Who is moving the patient records
- What type of patient records are being transported
- When the patient records are taken and to be returned
Remove patient records from the premises only when absolutely necessary, and only those records needed for the task at hand
Retain original patient records, if possible
Place patient records in a secured folder, container, or concealed location during transportation (For example, a car trunk)
Refrain from viewing patient records in public (For example, a public place or on public transit)

Summary

Protecting patient privacy, confidentiality, and safety is the cornerstone of delivering quality healthcare services. Further, healthcare entities have an ethical and legal responsibility to do so. Healthcare entities must consider the risks associated with patient records in the physical environment and embrace a comprehensive approach to risk management. Some key controls they can take include improving policies and procedures around access, usage, and storage of patient records, as well as best practices for maintaining security on- and off-premises.

Female doctor explaining diagnosis to her young patient

Article

Risk management for healthcare entities: Physical protection of patient records

Code of conduct

Access

Storage and on-premises use