Individual health practitioners and community health organizations usually have some awareness of privacy regulations and have developed a privacy policy, but may struggle to integrate privacy principles into their daily operations. Here are our answers to the question, “Where do we start?”
Most community health providers are aware that they are governed by privacy legislation, and have made some effort to familiarize themselves with the provincial or federal laws that apply to them. Most have developed a privacy policy based on guidelines from federal or provincial privacy commissioners. The challenge usually is knowing how to implement it. Small to midsize health organizations serving local communities generally do not have the resources to build a privacy program with expert staff. They may seek consultations such as organizational reviews or privacy impact assessments, but these are intended for contexts where privacy practices are already being integrated into daily operations. So, where should community health providers start with privacy?
We suggest that the first steps for community health providers seeking to improve privacy are the following:
1. Create a privacy officer role
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) affirms that every organization should have a designated privacy officer. This does not only mean appointing an individual, but defining a role: Who will the privacy officer need to consult with? Which committees will he or she sit on? What actions or changes will need to be approved by the privacy officer? While the privacy officer’s role will be unique to your context, it is helpful to keep in mind that privacy connects multiple areas, including policy, communications, information technology, service delivery, and staff training.
2. Review communications
You probably has a privacy policy, but do your clients know about it? One of the privacy officer’s first tasks is to make sure that clients are informed about the privacy policy through channels such as your website, information sheets, and most importantly, frontline healthcare delivery. Clients’ personal information should only be collected with their informed consent, which means that they should know what kinds of information will be collected, how it will be used and stored, who may have access to it, and how long it will be kept. Clients should also know whom to contact about privacy concerns.
Of course, the privacy officer will also need to make sure that what clients are told about how their personal information is managed is true – that your privacy policy is actually being implemented. As clients are invited to raise concerns about privacy, the privacy officer should have a plan for handling questions and complaints.
3. Investigate information management
How do you collect, use, store, and dispose of personal information? How long is it kept, and how is it destroyed? Who manages the data and who has access to it? In particular, what outside service providers do you depend on to manage client information? These could include email and cell phone service providers; cloud data storage providers such as Dropbox or Google Drive; and IT installation and support for software (e.g., appointment booking and client record-keeping systems) and hardware (e.g., internal server, desktop computers and laptops). What client information could they access, and what are their privacy policies and practices? The privacy officer needs to know the answers to these questions, make sure that they are in line with your privacy policy, and ensure that clients are informed of these practices.
4. Develop breach response protocols
What will be done if there is a privacy breach – for instance, if your website or record-keeping system is hacked? Do you have the ability to block access from a hacked account, or are you dependent on service providers to manage access? What if a USB, laptop, or smartphone containing personal information is lost or stolen? Are these devices password protected? How much information could be compromised by a breach? Who needs to be notified in the event of breach? At this stage, the privacy officer will need to consult with IT staff to reduce security risks and develop breach response protocols.
These initial steps are the foundation for implementing privacy policy in regular operations. Once this is done, you will be in a better position to benefit from an organizational review or consultation, which documents privacy policies and practices and identifies any gaps. From there, an important next step is to develop privacy awareness and training for all staff. Later, privacy impact assessments or maturity assessments may be used to refine privacy risk management. Each of these steps aims not just to identify risks and develop policies, but to ensure that privacy considerations are integrated into every aspect of your daily operations that involves individuals’ personal information.
For healthcare organizations and health professionals in Ontario, we recommend consulting:
A Guide to the Personal Health Information Protection Act (PHIPA). Information and Privacy Commissioner of Ontario. Information and Privacy Commissioner of Ontario