Don’t dig a bigger hole
A doctor closed the doors of his practice after years of treating patients, and was left with a substantial amount of information to dispose of. Instead of shredding the documents or arranging for some other type of secure destruction, the doctor decided he would do it himself - by hiring a digger, and digging a hole - at the beach. He put the records in the hole, filled it in, and went on his way. The records later found their way back out, littering that part of the coastline.
Needless to say, not only is this method of record disposal a breach of the Health (Retention of Health Information) Regulations 1996 (http://legislation.govt.nz/regulation/public/1996/0343/latest/DLM225616.html), it is also not in line with the obligation the Privacy Act imposes on agencies to ensure health information is kept secure.
Security of information isn’t just about making sure it is destroyed or stored properly. It’s also about making sure when an agency shares information it does so in a way that protects the information.
The introduction of technologies like faxes and email had a huge impact on the sharing of health information. Providers could send healthcare information to each other almost instantly. Unfortunately, information could be sent to the wrong place just as rapidly. The advent of email upped the stakes because, while a fax sent to the wrong number might be seen by 20 people, an email could end up being seen by 20,000.
The risks of having inadequate security measures in place for any agency that uses electronic information sharing methods have been highlighted in recent years, with a number of high-profile breaches in 2012. Nearly a third of the 344 data breach notifications that we as an office have received since 2012 involved electronic information being sent to the wrong recipient. Each of these breaches has affected between dozens and thousands of people. Data breach complaints to us have attracted a range of remedies, including compensation payments of up to $10,000.
Methods for sharing healthcare information are evolving, with agencies focusing on putting information in the hands of healthcare clients, as well as making it easier for providers to access this information.
Patient portals, for example, are online systems where patients can access their health information from their general practitioners. The Royal New Zealand College of General Practitioners Expert Advisory Group has published an opinion on the impact these portals may have on the privacy of the individuals who use them. Portals pose obvious risks because online systems like these may be vulnerable to malware, as well as the risk that unauthorised individuals may gain access to them.
Shared Care Records
Shared Care Records are similarly designed to share an individual’s GP information with other health professionals involved in their care. These are becoming a popular way for providers to share health information. In the areas of New Zealand where this system has been introduced, between 79 percent and 96 percent of practices have installed them. The attraction is obvious, especially for health providers who work in emergency medicine.
In 2014, our Office carried out a review of the common risks associated with these systems and how they have been mitigated. We identified that while the projects surveyed appropriately mitigated privacy risks, medical practices using Shared Care Records need to continue to pay attention to possible threats to the security of patient information.
If a privacy breach occurs, this can expose a healthcare provider to an investigation by our Office, which can ultimately lead to significant compensation payments or proceedings in the Human Rights Review Tribunal.
The good news is these risks can be easily mitigated. From a technical security perspective, providers should undertake security risk assessments before implementing online portals and have appropriate security software to prevent malware attacks. Access and audit logs enable both providers and individuals to check that information is only being accessed with authorisation. Restricting access to situations where an individual has consented (save in an emergency situation), using password protections, and monitoring attempts to access the information also help to mitigate risks.
Providers cannot always stop data breaches, but rule 5 of the Health Information Privacy Code requires them to put security safeguards in place to stop these from happening where possible.
Ultimately, good data protection is a fundamental aspect of the trust individuals have in their healthcare providers. Providers who want to move into the future of data sharing, and retain this aspect of their relationship with their patients, will need to turn their minds to the obligations under the Health Information Privacy Code - because no one wants to see their health information fluttering down the beach.