Four Tips for Best-Practice Privacy With Medical Data

ArticleChelsea Palmer
Blue-lock.png

4 Tips for Best-Practice Privacy With Medical Data

Dealing with people’s personal information in the middle of a busy workday can be difficult enough, even when that information isn’t sensitive or medical in nature. Additionally, while Canada’s powerful regulations put people and privacy first, especially in the healthcare sector, it’s not easy to remember every single detail while juggling multiple tasks. Luckily, there are primary guiding principles you can keep in mind which will help cover all your bases in this regard. We’ll provide four major principles of this sort, as well as sharing more in-depth resources to explore.

1. Approach your work with a “Privacy by Design” mindset: never capture or store information unless it’s explicitly needed, and only do so within approved platforms.

Privacy by Design is a concept advanced by Dr. Ann Cavoukian, who was at that time the Information and Privacy Commissioner of Ontario. Facing the complex privacy problems of the rising mainstream internet, she proposed a set of 7 foundational principles for building privacy into the design of information systems from the very start.
Untitled design (3).png
Privacy by design can be applied in the work setting just as well as in building software systems. One great way to save time spent on admin overhead while inherently improving patient privacy is utilizing kiosks or terminals where patients can check themselves in. Rather than sharing their information out loud in a crowded room, they can quietly enter it via touchscreen, while MOA time is freed up for more important tasks.

2. Only access EMRs and care platforms from trusted devices, and never download or store patient data locally on your personal devices.

In general within healthcare, we would expect all day-to-day business to be conducted on work computers. The COVID-19 pandemic and virtual care provision initially shook up this expectation, the sector and its regulations have mostly caught up and we need to set new, rigorous standards with telehealth in mind.
Untitled design (4).png
Opening email or other platform attachments (e.g. PDFs, spreadsheets) on a cellular device can often automatically download to that phone without clearly indicating it. Even when on-the-go or working virtually, it’s valuable for privacy compliance to ensure you have one work device which serves as your sole access point for work activities. As a bonus, this can help ensure more work-life balance: it’s valuable for your own wellbeing to set such boundaries, checking in on messages and platforms at dedicated times of day from your secure device.

3. Help guide patients to protect their own privacy by continuously directing them to approved platforms or channels to share sensitive information.

It’s a tale as old as time: we design systems, and people just build workarounds for convenience. Unfortunately, this means that no matter what, patients will reach out on any available channel with unsolicited personal or medical information. While this is less of an issue on the phone or face-to-face, if they attempt to send information via text message or email, that enters a dangerous zone for privacy regulations.
Untitled design (1).png
There’s nothing we can do to stop this, of course, but promptly redirecting them to a more appropriate channel for secure data exchange is the next best thing. Cortico’s suite of complementary tools for EMR, booking, and telehealth tackles this problem (Learn more about Cortico’s features here).

4. Maintain best practices for general workplace security: a ‘clean desk’ policy, strong and unique passwords, and multi-factor authentication for sensitive accounts whenever possible.

While sensitive medical information carries unique privacy concerns, the overall security of your passwords and accounts can be assured through general best practices from information security policy across industries:

  • A ‘clean desk’ policy simply means avoiding jotting down passwords, sensitive or personal information, or other ideally private information on paper or post-its in your workspace. Particularly for busy professionals, it’s tempting to jot down your 20-character password near your computer screen, but it is too risky considering the amount of people who can theoretically access the workspace in your absence.
  • Strong passwords are unique, preferably in a way that humans can remember. A now-classic webcomic demonstrated the importance of this, but when it was published many readers misunderstood its point about randomness and just copied the example password it uses, which led to them getting hacked. Passwords should not only be unique to you, all of your major accounts should have wholly unique passwords from one another.
    Untitled design (5).png
  • Whenever you are setting up accounts for work and have the option of multi-factor authentication, taking the extra time to do so is worth it. It’s rare that a hacker will blatantly hijack your digital accounts, but if it happens you’ll be glad you did the extra prep work to frustrate such attempts. It’s always better to use application-based authentication like Google Authenticator rather than two-factor authentication (2FA) which uses your cell phone number, as this method is itself susceptible to abuse by hackers.

Final Tip: Let Your Tools Do the Work For You

For maximum privacy we highly recommend leveraging useful digital tools which will take most of the work out of privacy and security. Password managers are recommended for convenience and safety in both personal and professional use of the modern internet.

Similarly, the suite of tools provided by Cortico fills inherent gaps in EMR functionality and addresses common clinic challenges to increase privacy and optimize your patient workflow. To see for yourself, book a Demo with our team here.

Want to learn more about Cortico? Contact us for a free demo!

Fill the form so our team can reach out.

Install Plugin
Install EMR plug-in Send messages & files in your EMR