Privacy is an integral part of the foundation of trust between patients and providers. If individuals feel their sensitive personal health information will be mishandled in a way that could cause them harm or embarrassment, they may be less forthcoming with details that could assist in their care. It’s the goal of the NSHA Privacy Office to ensure that does not happen.
What are “privacy” and “confidentiality”? The two terms are often used interchangeably, and while they definitely go hand-in-hand they have different meanings. Privacy is the right of the individual to control their own information, including its collection, use and disclosure. Confidentiality is the obligation of an organization or individual to protect that information from misuse, to maintain its secrecy and to ensure it is not wrongfully disclosed. All NSHA employees have the obligation to ensure patient information is kept confidential.
The Personal Health Information Act (PHIA) is the Nova Scotia legislation that governs the collection, use, disclosure, retention and destruction of Personal Health Information (PHI) by a custodian like NSHA. PHIA balances two objectives: upholding the privacy rights of individuals while meeting the information needs of custodians to provide, support and manage health care. “Need to know” and “minimum amount” are core tenets of PHIA. “Need to know” means only those who need to use specific PHI to carry out their role should do so – if it’s not part of your job, you shouldn’t look. “Minimum amount” means that even if you have a need to use someone’s PHI to do your job, you should only use the smallest amount possible to complete the task at hand.
When these two principles are contravened, we have a privacy breach, which is an incident where PHI is lost, stolen, or subject to unauthorized access, use, disclosure, copying or modification. Breaches are usually unintentional and often preventable. Examples include misdirected faxes, emails and test results; unsecured documents; overheard conversations; inappropriate sharing of PHI with others; and intentional snooping into patient records.
What do you do if faced with a breach? There are four crucial steps:
- Contain the breach – stop the unauthorized practice, retrieve missing or misdirected materials, shut down the affected IT asset, and revoke access to PHI.
- Investigate – report the breach to a manager and Privacy Officer. The Privacy Officer will assess the severity, determine the root cause, and make containment and notification recommendations.
- Notify – breaches of PHI require external notification. Patients must be notified at the first reasonable opportunity if there is potential for harm or embarrassment to the individual. Otherwise, NSHA notifies the Office of the Information and Privacy Commissioner.
- Prevent – once the situation is addressed, a review of what happened and why should lead to preventative measures being put into place, e.g., training for staff, security audits, relocating printers/faxes, etc.