Health on the Road
It’s Asia-Pacific Privacy Week, so as winter creeps up on us it’s a good time to throw a log on the fire and think about how to keep information safe. One option is to put it on the couch next to you – both snuggly and secure – but that probably doesn’t meet the RNZCGP Cornerstone standard. It also doesn’t meet the needs of modern health professionals providing decentralised and community-based health services.
In recognition of this important issue, and as one of our Privacy Week products, we have issued Health on the Road: guidance on how to keep your patients’ health information secure when moving between different places.
The law is simple enough – rule 5 of the Health Information Privacy Code just says if you hold health information you need to take reasonable security safeguards to protect it from loss, unauthorised access or misuse. It’s focused on ensuring health agencies have thought through potential security risks and ways to guard against them.
When I’m talking to providers and practitioners about health information security, I often talk about ‘picking the low-hanging fruit’ – in other words, doing the easiest things first. For instance, when going out with health information, it’s worth asking yourself how much information you actually need. If you are habitually taking more information with you than you need, you’re running a risk without any benefit.
In general, thinking ahead about straightforward steps you can take to secure the health information you need, both in transit and at your destination, can protect you against legal liability and trust-damaging data breaches.
Avoid storing files in the car
A large number of data breaches have involved bags or laptops containing health information being stolen from cars. If you can avoid leaving information in your car you probably should, but if you don’t have any option, then make sure it’s somewhere out of sight and that you’ve also hidden any other valuable items that might make the car a tempting target for larcenous individuals.
Still, there’s no substitute for paying attention. We had a breach report from a health worker who stopped for a meal and left a file behind on the counter when they collected their dinner. The next morning they discovered the missing file, called the restaurant and were told it was being held behind the counter. Luckily the information was inside a zipped and locked satchel, so the health worker could confirm it hadn’t been exposed or tampered with.
Your own devices
While we may never reach the paperless nirvana envisaged in the 1970s, health records are increasingly electronic. Accessing shared care health records on a device, or carrying large numbers of records on a USB bulk storage device, opens up many possibilities but also exposes a wider range of information to accidental disclosure.
Any laptop or tablet you want to use externally should have the same level of security as your workplace computers. This means strong passwords, a firewall, up-to-date patches and security software. If you’re using your own device, then make sure all available security measures have been activated – encryption, remote erasure, location tracking, and fingerprint or passcode lock.
Most of the major risks around information in transit involve a third party’s intervention, but if you can think ahead and use ‘fail-safes’ then even if someone steals your stuff, patient data won’t be put at risk. For instance, we were told about the theft of a laptop at an airport. The laptop had clinical data on it but the information was encrypted, the password was long and complex, and the risk of unauthorised access to the data was therefore minimal.
Into the (hopefully unlikely) breach
In the event that information about your patients does get lost or accidentally disclosed, you need to act fast. We have a data safety toolkit that sets out the right steps to take – contain the breach, work out what went wrong, evaluate the risks, decide who to notify, act to stop it happening again in the future. Notifying us is not yet legally compulsory but is still a good idea. We can work with you to help address any issues and give you a sense of whether it’s appropriate to contact the people whose information has been lost or disclosed.
The theme of Privacy Week 2017 is Trust and Transparency, and security of information sits right at the heart of the trust between patient and doctor. If you habitually treat patients in multiple venues, or even if you don’t, it’s worth downloading the guidance and confirming that your patients’ trust in how you take care of their information is justified.