The healthcare industry is rapidly moving towards digitalization and the use of electronic health records.
As the healthcare industry applies digital technologies to clinical data management, new risks associated with the collection of personal information and sensitive data arise. It is important for both healthcare service organizations and customers engaging with digitalized healthcare services to prepare for possible threats to sensitive information and take the necessary action to prevent and mitigate such dangers.
In this article, we will discuss important risks that may be present in the digital healthcare era and explore measures to properly prepare for such risks.
PIPEDA, PHIPA
Privacy and security in patient information collection in Ontario are overseen by two major laws. On the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) relates to all personally identifiable information (PII) collected by all commercial bodies and the private sector in Canada. Additionally, the Personal Health Information Protection Act (PHIPA) is Ontario’s health-specific privacy legislation, which governs the collection, use, and disclosure of personal health information within the health sector in Ontario.
PIPEDA requires that patient healthcare data:
- be collected with consent;
- be used and disclosed for the limited purpose for which it was collected;
- be accurate;
- be accessible for inspection and correction; and
- be stored securely.
What is Personal Information?
Personal information obtained by healthcare service providers may include age, name, ID numbers, income, ethnic origin, or blood type; in addition, opinions, evaluations, comments, social status, or disciplinary actions may also be collected. Employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or change jobs) are other types of information that may be acquired and stored in the healthcare sector.
What do organizations need to consider?
Private and commercial healthcare providers ought to consider CASP (Consent, Access, Security, Privacy) while preparing their privacy policies and security measures. These organizations may be considered a Health Information Custodian (HIC), which operates with the primary purpose of providing direct healthcare services, or agents, which collect information on behalf of the HIC. Regardless, where personal information is being handled by private organizations, PIPEDA and PHIPA apply in the province of Ontario.
To begin with, organizations need to use PIPEDA-compatible websites, applications, and servers to provide services. Customer data must only be collected with the owners’ consent, for clearly defined purposes, and only to the extent necessary for providing the service. The data must be disposed of entirely as soon as it no longer serves the intended purpose. Furthermore, protective measures against ransom attacks are necessary, including keeping your website, application, and server up to date and looking for vulnerable spots on the network. End-to-end data and connection encryption and password protection must be considered in every step of data collection, storage, transfer, and disposal. Employees’ level of access needs to be frequently monitored, and unauthorized access should be prevented as much as possible. Development of a privacy breach protocol, including timely notification of the owner in case of a breach, is encouraged.
What do the customers need to know?
While organizations with different roles in personal health information collection in Ontario must abide by the laws that govern personal data management, customers may also benefit from recognizing their rights and possible risks to their sensitive information.
Proper data collection processes include thorough disclosure to the consumer as part of obtaining informed consent. The information owner retains full authority over their information at all times and must be informed of the purpose of the data collection. In addition, the client must be informed of any threats to their health information in case of a data breach or loss. Healthcare customers are encouraged to fully read and understand the privacy policy statement of commercial healthcare organizations before registering their information.
Among the most important risks to personal information are data loss, unauthorized access, and unauthorized use of sensitive information. Hackers pose a great threat to the safekeeping of personal health information. Users are encouraged to store their log-in information (i.e., username and password) safely and never share it with anyone.
Please share your opinion and any previous experience with us in the comment section, and explain the importance of safeguarding your personal healthcare information.