Privacy and Security Challenges
Privacy and security have always been important for physicians and our teams, but they aren’t necessarily top of mind for those of us practicing in a community medicine setting because of competing priorities. After the introduction of mandatory breach reporting by the Office of the Information and Privacy Commissioner of Alberta in 2018, many of us took the opportunity to learn about the general components of this work, including understanding the requirement for a Privacy Impact Assessment and basic security processes. Additionally, you might be aware that an up-to-date PIA is required to participate in CII/CPAR.
Increased Breaches
The recently released OIPC Annual Report highlights an increase in reports of privacy breaches and investigations. The report brings attention to the major types of breaches, including incidents in which someone who is authorized to access health information does so without a legitimate business reason, and correspondence misdirected through fax or email. Other incidents involving unauthorized disclosure of health information included:
- Health care providers discussing health information with other providers not involved in a patient’s care.
- A lack of security controls leaving health information exposed online.
- Health information being shared on social media.
PIA Challenges
Even though most clinic staff and providers understand the importance of patient privacy, developing reports, writing and updating PIAs, and creating an overall culture of privacy and security is a challenging undertaking for us and our teams.
We are torn between the need to complete these tasks and the demands of providing patient-centered care, and we often lean on the support of our office managers, privacy officers or costly consultants to initiate this work internally. An absence of accessible security training for office managers and privacy officers, and the lack of a one-stop location to obtain self-serve resources, compounds the issue.
Hiring a privacy consultant to complete a clinic PIA may address the current need for a PIA or process development, but it does not build long-term capacity within the office.
Clinic Privacy and Security Program
The attitude towards PIA work by physicians and clinic staff is generally negative – we know it can be a time-consuming and confusing process. The solution to decreasing the burden of having to submit a comprehensive and tedious PIA is to implement a Clinic Privacy and Security Program.
Thinking about the elements of a privacy program and implementing the necessary elements are important steps towards creating safe privacy environments in the clinic. Maintaining the privacy program and reviewing it periodically will make it much easier to complete our due diligence and document our practices in a PIA as required by the OIPC.
The elements of a strong clinic privacy and security program include:
- Creating or adapting privacy policies that cover collection, use and disclosure of health information for clinic staff. The policies need to be reviewed by staff regularly and updated as needed when there are changes in the clinic.
- All members of the clinic, including physicians, staff, and other professionals providing care, need to be aware of their specific roles and obligations with respect to security and privacy. This is best achieved by the provision of regular training for staff.
- Safeguards must be in place in the clinic to protect privacy. These include technical, administrative and physical safeguards. These should be tested on a regular basis to ensure that they are being adhered to.
- Strong data sharing processes, including the completion of the required agreements that create safety for the transfer of information, are also important to help clinics meet high security and privacy standards.
- All the elements above should be articulated in the PIA and reviewed periodically. The PIA needs to be amended or submitted when there are administrative or technical changes that affect health information.