EHR Regulation in Canada: Did They Get It Right?
On 31 August 2009, Health Canada issued a Notice indicating that “patient management software” is subject to the Medical Devices Regulations (“MDRs”) and regulated under Canada’s Food and Drugs Act. While this action is laudable, the approach taken by Health Canada raises questions as to whether privacy and security are sufficiently addressed in this new regulation of EHRs and EMRs in Canada.
To briefly recap for those not familiar with this development, patient management software, manufactured, sold or distributed in Canada, now falls into two categories.
According to the Notice:
“Any patient management software used only for archiving or viewing information or images, and not involved in the primary acquisition, manipulation and transfer of data, is considered a Class I medical device based on Rule 12 of the Medical Devices Regulations.”
While Class I devices do not require a medical device license, manufacturers, distributors and importers must obtain an establishment license. For Class II:
“…any patient management software with capabilities beyond basic data visualization is considered a Class II medical device based on Rule 10 (1) of the Regulations.
This includes any patient management software involved in data manipulation, data analysis, data editing, image generation, recording of measurements, graphing, flagging of results or performing calculations. Any primary workstation that interfaces directly with a system (imaging or other type) by acquiring data and then sending data to an image generating, viewing or storage device, is also classified as Class II.”
Those definitions pretty well cover the waterfront when it comes to EHRs and EMRs in Canada – whether developed in the private or public sectors.
Regulating for patient safety makes sense. This news report, concerning recent Food and Drug Administration (US) testimony about EHRs, notes:
“Over the past two years, the FDA’s voluntary notification system logged a total of 260 reports of “malfunctions with the potential for patient harm,” including 44 injuries and the six deaths. Among other things the systems have mixed up patients, put test results in the wrong person’s file and lost vital medical information.”
What is required to satisfy Health Canada’s licensing requirement? Leaving aside establishment licenses, Health Canada requires compliance with ISO 13485-2003, which is a quality management standard for medical devices. Complying with ISO 13485-2003 means having the organizational structure, responsibilities, procedures, processes, and resources for implementing quality management in order to ensure that all of the features and characteristics of the device satisfy a “fitness for purpose” requirement, including safety and performance. In other words, demonstrate that you can systematically produce the same product for its intended use by following a particular course of production and you too can be certified under ISO 13485.
So if this is the first formal foray into EHR/EMR regulation in Canada – given the high sensitivity of personal health information – where are the security requirements? Health Canada is silent on the point (and the word “security” does not appear in ISO 13485). In reasonable scenarios, inattention to security not only raises the specter of physical harm but also emotional damage resulting from the violation of basic concepts of record confidentiality and integrity. One might suggest that such issues would certainly be addressed in RFPs but, as EHR audits in Canada have shown, there can be a large distance between stated RFP requirements and delivered product.
ISO 13485 is a “process” standard not a “product” standard. I’m not suggesting that Health Canada should not use a process standard nor am I suggesting that all the security issues with EHRs and EMRs will disappear with a regulatory requirement to meet security standards or criteria. What concerns me is the absence of any attention – even in passing reference – to the important aspects of privacy and security.
At least one might have thought some incorporation by reference to the requirements of Canada Health Infoway’s Privacy and Security Conceptual Architecture. Or, if ISO compliance is a good basis for regulation, then why not amend the August Notice to reference ISO 21547:2010, which concerns security requirements for the preservation of electronic health records? Or require certification under the ISO 27000 series for information security?
Secure coding remains the exception rather than the rule, as noted in this article, yet there is no insistence on some evidence of adherence to any one of a number of secure coding methodologies (so Health Canada doesn’t have to pick one; simply say use one).
We hear increasing reference to “privacy by design” these days but as Health Canada extends its regulatory authority over patient management software it doesn’t appear to have concerned itself with such a concept, especially when a good security regime for software design and development can go a long way to assure patient privacy.
Health Canada’s primary role is not to regulate privacy and security. But it has chosen to regulate software and the secure design, development and functioning of patient management software is, in my view, integral to the integrity of the software. So if Health Canada is concerned about “fitness for purpose”, shouldn’t one of those purposes – given the information in question – be how well software protects that information?
With a plethora of standards in Canada, some form of EHR/EMR certification is needed (and kudos to Health Canada for its decision to bring patient management software under the MDRs). But privacy and security need to form part of any certification. Which makes me wonder if Health Canada got the regulation of EHRs and EMRs right.