5

Privacy Issues & Technology in Healthcare Organizations

Executive Summary

Patients must be confident that their privacy rights and the confidentiality of their personal information and personal health information are respected and upheld, and that the information they share is kept confidential and secure. Maintaining high standards that safeguard information privacy and security is an essential aspect of asset management for any healthcare provider. The introduction of information technology to the healthcare environment means new methods for managing information and mitigating associated privacy risks must be developed and implemented. 

Health privacy has become increasingly important due to the rapid rate of technology integration in healthcare. New technologies (e.g., mobile apps and devices) can track substantially larger amounts of information about a patient than ever before and put it in an easy to access place such as a cloud-based service. As emerging technologies may not be well understood, what references do app developers and staff at the healthcare organizations use to quickly define the relevant privacy and security requirements? Where do they obtain useful healthcare-specific guidance?

We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.

 

 Addressing and implementing privacy controls and practices can be achieved through the following:

  1. Understand privacy, security and confidentiality;
  2. Define privacy and security requirements; 
  3. Create privacy and security controls based on risk; 
  4. Implement a privacy and security management program;
  5. Create a culture of privacy; and  
  6. Be ready for a privacy breach.


Understand Privacy, Security and Confidentiality

Information privacy is about the control of how personal health information is collected, used and disclosed. Information privacy ensures that the Personal Health Information (PHI) is protected when transmitted, processed and stored. This applies to both healthcare organizations and healthcare IT vendors that process and host information on behalf of healthcare organizations.

Secure and timely access to relevant patient PHI is essential to the proper functioning of healthcare practices and to the delivery of appropriate and quality patient care. Patients must be confident that their rights to the privacy and confidentiality of their PHI are respected and upheld, and that the information they share with their healthcare providers is kept safe and secure. 

It is important to note that there are differences between privacy and confidentiality. Privacy is concerned with information handling processes of personal and sensitive information. Confidentiality deals with ensuring that this information is not disclosed for any purpose other than for which it was collected without appropriate consent.

The security and protection of information are of prime importance to all healthcare organizations and vendors that provide digital solutions and/or process and store PHI on behalf of these healthcare organizations. For the health sector, there is added emphasis on the requirements for confidentiality, privacy, integrity, and availability.

With increasing electronic exchange of patient health information between healthcare providers, there is a clear need in adopting a privacy and security management program.

Health information is an important asset for healthcare providers and needs to be adequately protected. The primary focus of health information security relates to the protection and safeguarding of patient information and the requirement to protect the privacy of patients/clients. In addition, health providers must ensure that information is accurate and available when required.

Information security involves the preservation of the following:

  • Confidentiality: information accessible and available only to those authorized to have access.
  • Integrity: information stored, used, transferred and retrieved in manners such that there is confidence that the information has not been tampered with, or modified, other than as authorized.
  • Availability: information accessible to authorized individuals when and where required.


Define Privacy and Security Requirements

Finding out which privacy legislations apply to which jurisdiction and entity can be difficult to understand. In countries such as Canada, there are both federal and provincial standards to consider. The federal privacy law in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). There are also specific privacy laws regarding healthcare for each individual province in Canada. In the United States of America, the relevant privacy legislation is the Health Insurance Portability and Accountability Act (HIPAA). The Guide to Privacy and Security of Electronic Health Information can assist in understanding the HIPAA and how to comply with it. Understanding which privacy laws apply to your organization can be confusing but it is a necessary step to ensure that all patients, clients and staff are protected.  

It is critical to conduct the proper research and understand who is responsible under relevant laws in addition to what must be maintained in order to avoid compromising PHI. Knowing who is accountable is key to understanding associated responsibilities. In a healthcare environment, it can be difficult to determine who is in charge of a patient's privacy. Generally, if PHI is compromised at a private healthcare practice, that organization is at fault. If a specific employee is the reason for the compromise, they are considered equally at fault. When a company collects personal information from a client, they are also responsible for protecting that data and are liable if that data is compromised.

Conducting a privacy impact assessment to understand the risks associated with a product or service offered is a good starting place for many organizations. A privacy impact assessment (PIA) assists organizations by identifying and minimizing privacy risks of new projects or policies. The PIA works to accomplish 3 different goals: 

  1. To ensure conformance with applicable legal, regulatory and policy requirements for privacy; 
  2. Determine the risks and effects; and 
  3. Evaluate protections and alternative processes to mitigate potential privacy risks.[3]

For a deeper understanding of security issues, a threat and risk assessment can be conducted with consideration given to security awareness trainingThe diagram below details the testing process flow:[4]

 



Create Privacy and Security Controls Based on Risk

The most effective way to control security and privacy is to build it directly into the system or product. Once the PIA and TRA risk assessments have been performed, safeguards and countermeasures should be built to ensure PHI protection. Privacy-Enhancing Technologies refer to methods acting in accordance with the laws of data protection and include anonymizers and related algorithms. However, a more substantial approach must be taken to build security into systems such as the Privacy by Design (PbD) approach. This concept was designed to ensure privacy and gain personal control over one's own information. The 7 Foundational Principles outlined in the tool below can be used to build privacy into the product or system offered from the beginning. 



Implement a Privacy and Security Management Program

Privacy management programs are needed if an organization plans to collect, store or manage personal information as part of an offered service. The first step to implementing a privacy management program is to select a privacy officer. A privacy officer is a senior level executive within the organization accountable for keeping personal information safe. A privacy policy should be developed for organizational adherence. Several privacy policies can be created for different purposes. For example, one privacy policy could be created for customers or patients to review while another operational privacy policy could be established for employees to review and follow. People who review sensitive information should also sign a non-disclosure agreement (confidentiality agreement) that outlines principles for keeping PHI confidential. 



Create a Culture of Privacy

When every employee in the organization understands that privacy is a core value linked to strategic priorities, they will be more willing to adhere to and protect that privacy. Designing an educational course or webinar to teach members of the organization how to properly follow security and privacy guidelines may be useful. Some tips to create a successful program include: 

  • Train new employees immediately on appropriate security and privacy guidelines; 
  • Provide refresher sessions for existing employees;
  • Educate employees on why it is important to keep PHI private; and
  • Sanction employees who violate policies and procedures. 

 

Information covered should include a description of the differences between confidential versus open information; the policies applicable to the organization; and a description of what a data privacy breach is. Other relevant information should be determined by the privacy officer. Finally, understanding if this training needs to be documented under legislation applicable to the organization is critical. For example, HIPAA requires documentation that employees have been properly trained on privacy and security. 



Be Ready for a Privacy Breach

Despite being well prepared, many businesses and organizations may still have a privacy breach where PHI is compromised. It is important to implement a privacy breach management protocol where step-by-step procedures and responsibilities are defined for those in charge of managing the privacy breach. This can prevent a privacy breach from becoming even worse.  



Key Takeaways

Privacy and security management is key for the success of any organization, but has particular challenges in healthcare settings when dealing with sensitive information. Focusing on implementing privacy and security measurements from the beginning is key to creating a strong security and privacy system. This can be accomplished by establishing a security management program and appointing a privacy officer. Educating all employees about privacy and security practices, roles and responsibilities is key to this endeavour. Conduct a privacy impact assessment (PIA) to understand the privacy risks associated with new IT solutions or apps being developed or implemented. The PIA will help identify real hotspots where privacy and security countermeasures may be needed.  For a deeper dive into security issues, a threat and risk assessment (TRA) may be needed. Having an action plan in place for addressing privacy breaches is also a major component. Need more information? Have some resources to share? Please visit the Healthcare Privacy Community of Practice and ask a question in the discussion space and/or upload files to share with your colleagues.