2. Contents
• Medical Privacy Legislation, Policies and Best Practices
• Examination of privacy matters specific to the World Wide Web
• Protection provided by the Freedom of Information Act or the requirement for search warrants
4. Legislation
1. State Laws
• Different states separately regulate the privacy of healthcare information.
• “Covered entity” more broadly includes virtually anyone or any entity coming into contact with PHI.
• This definition comes into play particularly with marketing and re-identification, both of which require individual consent under the law.
5. Legislation
2. Sanctions and Penalties
• Potential sanctions, in order of ascending severity: verbal/written warnings, probation, suspension, transfer, or termination of employment.
• Penalties: Monetary penalty amounts.
• Individuals, including employees of covered entities or business associates, may be criminally liable or subject to imprisonment.
6. Policies
1. Protecting Privacy of Patient Information:
• Only share patient information with other faculty and staff who need the information to do their job.
• Avoid accessing a patient’s record unless you need to do so for your job or you have written permission from the patient.
• Do not access the record of your co-worker, spouse, or family member unless there is written authorization in the patient’s record.
7. Policies
2. E-MAIL:
• Never send unencrypted information over the Internet that you would not place on a billboard.
• You cannot control how a message you generate is forwarded or shared after you hit the “Send” button!
• Never use the full nine-digit social security number in an electronic message unless the message has been encrypted or otherwise secured!
• Do not use a patient’s full name associated with specific health information (e.g. reason for visit, diagnosis, procedures, or test results).
8. Policies
3. Telephone and Fax Precautions:
• Only speak to the patient (or parent);
• Do not leave message with identifying information;
• Do not give your personal phone number;
• Check fax number (more than once);
• Fax with a permission form;
• Use a cover sheet;
• Check to see if the fax was received;
• Do not fax plans, logs, or reports to supervisors unless absolutely necessary, and only if the information is de-identified.
9. Policies
4. Files:
• Store patient files, CDs/USB drives containing PHI, and video/audiotapes in a locked file cabinet.
• Never store PHI on personal hard drives.
• Never take files from the clinic except for an off-site assessment, and then you must return the files immediately afterwards.
10. Best Practices
• Do not use patient’s whole name in earshot of others;
• Cover charts so patient name is not visible;
• Do not leave records & other PHI unattended;
• Screen computers or locate so others cannot read the screen;
• Keep patient reports and appointment schedules secure;
• Back up disks;
• Reports prepared on home computers must be prepared in de-identified format;
• All reports sent as email attachments must be de-identified;
• Video/audio tapes must be erased or destroyed before the clinician graduates, unless being preserved in the master patient file at the clinic for archival purposes.
12. Points to ponder
• Collection Limitation - There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
• Data Quality - Personal data should be relevant to the purposes for which they are to be used, and to the extent necessary for those purposes, should be accurate, complete, and kept updated.
• Purpose Specification - The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes, and as are specified on each occasion of change of purpose.
• Use Limitation - Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with [the Purpose Specification] except:
  • with the consent of the data subject; or
  • by the authority of law.
13. Points to ponder
• Security Safeguards - Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
• Openness - There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
• Individual Participation - An individual should have the right to know whether a data controller has data relating to him/her, to obtain a copy of the data within a reasonable time in a form that is intelligible to him/her, to obtain a reason if the request for access is denied, to challenge such a denial, to challenge data relating to him/her, and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
• Accountability - A data controller should be accountable for complying with measures which give effect to the principles stated above.
14. Protections provided by the Freedom of Information Act or the requirement for search warrants
15. Points to ponder
• Right to access health records, subject to specific and limited exemptions.
• Personal privacy is protected as the FOIP Act regulates the way an organization
collects, uses, and discloses personal information.
• Right to access information that an organization has about the patient.
• Right to request a correction of information that an organization has about the patient.
• Right to request an independent review of decisions made by the organization.
16. Points to ponder
• The practice is often asked for information about patients by insurance companies or solicitors. On no account will any information be given without the patient's written consent.
• Information about a patient's medical condition will only be passed to other health professionals to help with treatment.
• Staff at the surgery have access to personal information on a need-to-know basis only and are bound by rules relating to patient confidentiality.