The health sector reports more serious privacy breaches than any other area even though under-reporting continues to occur. Frustratingly, many of those breaches occurred when the underlying issue had been, or should have been, identified and acted on earlier. We explain why more internal privacy breach reporting is needed in the health sector and ways to avoid privacy breaches from occurring.

The Office of the Privacy Commissioner’s last Insights Report (1 December 2020 to 30 November 2021) revealed 85 serious privacy breaches were notified by the Health Care and Social Assistance industry last year – the top contender, and far above second placed Public Administration on 53.  This number almost certainly represents an under-estimate due to the continued under-reporting of serious harm breaches.

Unfortunately, many serious harm breaches occur because previous internal errors weren’t deemed serious enough to be properly secured, for example, where a previous incident wasn’t identified as a privacy breach, or the outcome of the breach wasn’t considered serious enough to result in further action.

TAKE ACTION

Health agencies will be familiar with the need to identify, report, and review adverse events and “near misses”, as well as other accidents or incidents that occur in the workplace.  The same applies for privacy. Identifying, reporting, and reviewing privacy breaches, and acting when individual or systemic issues are identified, are vital to ensuring that a strong privacy culture exists. Personal information must be treated with careful respect.

Breaches are not just external

A common misconception is that a privacy breach only occurs where personal information is inadvertently shared to, or inappropriately accessed by, someone external to the agency.  That is not the case. Accidently sending personal information to the wrong clinician or someone’s payslip to a fellow staff member is a privacy breach. Browsing patient records or looking up the records for friends or family members may be HR or professional conduct issues, but they are also privacy breaches.  Health records that are lost or accidently destroyed – again, these are privacy breaches. Access to personal information should be restricted to only those need to see the information. This protects the person whose information you hold in trust, your staff, and your organisation.  Trust is hard won and easily lost.

Not just sensitive information

Another common misconception is that is it only ‘sensitive’ information that matters.  Again, that is not the case.  All personal information, whether it is of a ‘sensitive’ nature or not, requires legal protection.  For example, it is a privacy breach regardless of whether test results sent to the wrong address are a simple and unremarkable blood count or disclose the existence of an STI or underlying medical condition.

Not just ‘notifiable’

While the above examples may not all be at the level that they need to be reported to the Office of the Privacy Commissioner - you may be lucky and the breach may be quickly contained with no risk of harm to the patient - they do all need to be reported to your privacy officer and recorded and reviewed as a privacy breach. 

Just like “near misses” in the Health and Safety at Work regime, they all tell you something about your privacy systems, and the changes needed to ensure the information you are entrusted with is appropriately protected.  

HUMAN ERROR

More than 60 per cent of privacy breaches last year were due to ‘human error’.  Agencies are responsible for ensuring their systems are fit for purpose and that the personal information they hold is protected by reasonable security safeguards.

Email hygiene

Poor email hygiene is a common cause of privacy breaches.

One example we were made aware of involved an email containing detailed health information about a group of patients, which was intended to be sent internally to the staff of a medical provider. A typing error in the ‘TO’ field resulted in a member of the public receiving these patients’ medical records. Having their sensitive personal information exposed in this way caused considerable emotional harm to a number of these patients.

Respect the people whose information you’re sending by double-checking who you’re sending it to. Go a step further and use a delayed send option on your email to avoid any hasty mistakes. Always use the BCC field when emailing groups of recipients.  If you are emailing sensitive material, encrypt the material. If you do this, the password (phrase or code) should be sent by some method other than email so that the wrong person doesn’t receive both.

Confirm Contact Details

Ensure you confirm patient contact details before sending out their personal information.  Check that the address or email is still current.  If you’re enrolling a new patient or emailing a patient for the first time send out an email just to confirm the correct address.

Explaining your processes to your patients is not only good practice, but also demonstrates you are trustworthy.  It helps ensure information is accurate and reduces the risk of a data breach.

One case notified to our Office was about a patient who told their GP about being abused in the past. The GP referred the patient to counselling to help work through the issues stemming from that abuse.

The GP’s office followed up this referral by sending a letter to the patient’s house. Due to human error in the office’s internal processes the envelope containing the letter did not have the patient’s name on it, or a return address. It also had the incorrect street number, meaning that it was sent to a neighbour’s house instead of the patient’s house.

Not knowing who the letter was addressed to or who it was from, the neighbour opened the letter, inadvertently finding out about the patient’s abuse history.

Inadvertent disclosures

Our Office receives numerous notifications of healthcare staff either accidentally dropping patient documents or leaving the information in public view. Being busy caring for patients isn’t an excuse and making changes to your systems and practices now can make a big difference.

• Where is patient information recorded or displayed in your organisation? Think whiteboards, run sheets, patient lists, computer screens, medical records. Can these be seen or accessed by others? If you have paper run sheets, are these collected and destroyed at the end of the shift?
• Do you use portable storage devices such as USBs? Should you? If you do, are they encrypted? 
• If you are transporting paper records, how do you make sure they are secure? Can they be seen in transit?

This article first appeared in NZ Doctor - Rata Aotearoa magazine.