While US/Canadian/European laws govern how electronic health record data is to be managed and protected, organizations often wonder how to ensure compliance throughout daily workflows. Privacy practices need to accommodate patient interactions that may be short-lived, during emergency situations or long-term.
We can help healthcare providers to develop Privacy Statements to set out their practices for managing patient information in the context of day-to-day clinical care. Privacy statements include explanations of the types of personal information collected, what the information is used for, and how the information is stored. They also summarize measures in place to protect personal information from misuse, loss, unauthorized access, modification and disclosure.
Privacy in Design helps organizations to review their security measures by performing threat risk assessments (TRAs). We often develop recommendations on how to implement audit trails, so that patients can see who has accessed their medical record and when, and how to use encryption, secure log-ins and passwords effectively. We also support organizations as they select patient record identifiers, by outlining the legal implications of their choices.
Privacy Issue Management
Privacy issues including complaints, requests for access, and medico-legal issues can consume operational management of healthcare organizations. Some surveys done Australia show that 49.1% of Australian patients stated they have withheld or would withhold information from their healthcare provider based on privacy concerns. In Canada and the US the numbers are relatively lower, yet the financial cost of privacy issue management in healthcare organizations is considerable. We help healthcare providers to address citizens’ privacy concerns efficiently and effectively.
Privacy Consent Management
Healthcare organizations want to ensure patient consent to the collection and use of personal information. However, requiring consent does not always translate into good practices for informed consent. Privacy in Design works with organizations to implement informed consent by defining relevant privacy information to be provided by the healthcare practitioner and ensuring that patients understand this information.
Opening Access to Data
Electronic health data is predominantly used for patient care, but other uses for policy, research, audit and public health purposes are common. Privacy in Design helps organizations to define legitimate uses of personal health information and appropriate privacy practices for different uses.
Extra-Clinical Uses of Data
Privacy in Design helps organizations to ensure that uses of patient data are legitimate. For example, providing de-identified data to pharmaceutical companies is viewed as potentially problematic; if these companies are perceived by the public to be more concerned with profit than public health, sharing patient data with them could be seen as unethical or as an invasion of privacy. Another significant issue is the potential for parties other than healthcare practitioners, such as insurance companies, employers, police or the government, to use information in a way which could result in discrimination or disadvantage to particular groups.
Privacy in Design helps organizations to understand the potential implications of unwanted disclosure of patient information. Electronic health record initiatives are usually successful if patients believe that the system works for clinicians and is safe, and that personal information will stay within a trusted patient/clinician relationship. We help organizations manage the realm of permissible disclosures. By providing techniques that can detect information ‘leakage’, we can improve adoption of electronic health records and preempt patient and clinician reluctance to participate in the system.
If patients lose trust in the confidentiality of their health information, they may withhold sensitive information from their health care providers. Clinicians also may be reluctant to participate in a system where they are uncertain about the completeness of their information. Privacy in Design offers clients a set of communication templates to help boost confidence and provide clarity to patients.
Executives want to know if safeguards for the protection of patient information are sufficient. With electronic health record systems a significant privacy risk is unauthorized access to patient data. Privacy in Design has in-depth expertise in the technical and business aspects of identity management. We help healthcare providers to review identity and access management and establish simple but effective protocols for identity validation and system access.