Using a shared EMR? Make sure you sign on the dotted line

College of Physicians and Surgeons of Alberta Messenger Leave a Comment

In the November 2011 Messenger, we provided a checklist of all the things you need to do to make sure your Electronic Medical Record (EMR) is secure and accessible only by authorized users.

But what happens if you don’t own or control the EMR yourself? Maybe you are one of several physicians working part-time in a clinic. While you all use the EMR, it is owned by the company that owns the clinic.

Who is responsible for security in this situation? You are, as well as the owner, and every other person who has access to the EMR.

To keep patient information safe, everyone needs to clearly understand how security is maintained and meet their individual responsibilities. That’s why signing an Information Management Agreement and Information Sharing Agreement is so important.

Information Management Agreement
An Information Management Agreement outlines all the measures in place to make sure the EMR is secure, access is monitored and data is managed appropriately. Typically it includes authorization protocols (e.g., role-based access), user identification, passwords, data encryption and audit logging. It also describes how data is backed-up, how it can be recovered in the event of system failure and how it must be disposed of to maintain security – essentially, all the items identified in the security checklist.

Information Sharing Agreement
An Information Sharing Agreement describes the role and responsibilities of authorized users in managing issues related to access, secondary use and disclosure of patient information.

 

Please Note: Comments that appear on our site reflect the opinion of the writer and not necessarily the position of the College of Physicians & Surgeons of Alberta. Offensive language, personal attacks and unsubstantiated allegations are not allowed. All comments are reviewed before posting to ensure they adhere to these rules and are not spam.