Storage and Security

Medical records must be stored in a safe and secure
environment to safeguard their physical integrity and
confidentiality. Physicians must take reasonable steps
to ensure that records are protected from theft, loss
and unauthorized use or disclosure, including photocopying,
modification or disposal.
What is reasonable depends on the threats, risks and
vulnerabilities to which the information is exposed,
the sensitivity of the information, and the extent to
which it can be linked to an identifiable individual.
Consideration must be given to each of the following
aspects of record protection:
• Physical security (for example, locked file cabinets,
restricted office access, alarm systems).
• Technological security (for example, passwords,
encryption and firewalls).
• Administrative controls (for example, security clearances,
access restrictions, staff training and confidentiality
agreements).8
Patient records should be kept in restricted access
areas or locked filing cabinets, and measures should be
in place to ensure that only those who need access to
the records for a legitimate purpose are able to see
them. Physicians need to consider that non-medical staff,
such as maintenance staff, may have access to
records, and must ensure that steps are taken to
ensure that access to the records is limited or that
those who have access to the records are bound by an
appropriate confidentiality agreement.