Anyone who has implemented and used an EMR is aware of the terms Privacy and Security. However, what do they mean and how does one apply the concepts to the protection of personal patient data in the EMR-based practice? Privacy experts will describe privacy principles as enablers in the development of the right technology processes and software. While this is true if understood and applied in advance, privacy can also be a barrier to adoption, particularly if software was never designed with today’s privacy requirements in mind.
In 2005/2006, I was a member of a team of primary care physicians and specialists working on a primary care strategy for Vancouver Coastal Health. One of the strategies was the development of a Privacy Toolkit for the medical practice. Nigel Brown, Managing Consultant of the Security, Identity and Privacy Practice, IBM Global Technology Services, led the development of the toolkit and described privacy in the following ways:
Historical Definition — Physical Privacy: “the right to be left alone”
Modern Context — Information Privacy: “the right to have knowledge and control over information about you”
Information Privacy — Identifiable Information about an individual, including the following:
- Factual information such as contact, health, financial, affiliations, etc.
- Biological information: biometrics, blood type, DNA
- Derived information: credit scores, etc.
- Opinions: performance evaluations, etc.
- Observations: shopping habits, etc.
Security is the ability to protect the confidentiality and integrity of information and computer resources. Its goals are summarized by the acronym CIA:
- Confidentiality: Allowing access only by authorized individuals.
- Integrity: Ensuring that information is not altered or tampered with by unauthorized individuals.
- Availability: Ensuring that information is available when needed.
Confidentiality is the process of ensuring that information is accessible only to authorized individuals.
A failure in either security or confidentiality can compromise privacy. However, privacy can also be compromised through the use or misuse of information by authorized individuals.
What can you do within your office to protect privacy? The following are a number of suggestions that apply to both paper-based and EHR-based practices:
- Position computers in administrative areas so that staff conversations cannot be overheard from public areas.
- Place computers, printers, and other devices in non-public areas and rooms that can be locked.
- Limit the display of personal information in areas where patients wait or walk to examination rooms.
- Establish policies that encourage discretion when discussing patient information, particularly if there is a possibility of being overheard by other patients, for example in check-in areas.
The issues of Privacy and Security are complex and require a common-sense approach to correctly apply the right principles to specific situations. To assist you further, the BC Medical Association provides a very useful resource on privacy issues.