Privacy


Module 4 - How Do I Maintain Confidentiality?

Patients have the right to have their personal health information managed in a confidential and secure manner. By law, the organization is required to notify a patient if their information is compromised, e.g., if it is lost, stolen or accessed without authority.

Note that privacy laws do not override the requirement for mandatory reporting, e.g., reportable diseases, child abuse, reporting a gunshot wound, etc.
  1. Discuss the intended use and disclosure of the information with the patient, and respect and comply with their decisions. You may rely on implied consent from the patient to disclose personal health information to other care providers as long as the purpose is to provide health care to the patient and unless the patient has placed a restriction on the use or disclosure of that information.

  2. Access only the information that is essential for you to do the role for which you have been hired or affiliated, whether it is providing direct care to a patient or providing services to the hospital. This includes accessing your own record or that of your family and friends. Patients have the right to access their information and the organization has a process to provide access that all patients, even those who are also employees or affiliates, must follow. Accessing information that does not pertain to your work may result in disciplinary action.

  3. If you have access to hospital network systems, you are responsible:
    • For all work done under your user name and password, i.e. your “log in”
    • To maintain the security of your log in:
      • DO NOT:
        • share your log in with anyone
        • use your log in to give access to any other person
        • use someone else’s access if you find one open and unattended
        • leave your active access open and unattended
        • write down your password where others can see
        • reuse old passwords when it comes time to change your password.
      • DO:
        • create passwords that are hard to guess
        • change your password periodically
        • log off or suspend use of systems when you leave the terminal
        • contact Helpdesk if you suspect that your log in has been compromised.

  4. Take measures to protect all confidential information:

  5. Hard copy information:

    • DO NOT:
      • leave confidential information unattended where unauthorized individuals could get access
      • remove hard copy confidential information from the hospital unless you have approval from your leader and unless you have put measures in place to ensure its security in compliance with the Security of Confidential Information policy, e.g.:
        • remove the least amount of information possible, for the shortest time required to accomplish the purpose, i.e. return information to the organization as soon as possible,
        • never leave confidential information unattended, especially in a motor vehicle,
        • keep confidential information in a secure area, out of the view of others. Return it to the organization as soon as possible.
    • DO:
      • when the information is not in use:
        • store confidential information in a locked filing cabinet in a locked office
        • clear desks of hard copy confidential information to prevent unauthorized access
      • view information away from others' view, especially when viewing in remote locations
      • dispose of hard copy confidential information by putting it in designated confidential waste receptacles or using a cross cut shredder

    Electronic Information:

    • DO:
      • Store information on the hospitals’ network drives - not on a hard drive (also called local drive or “C”-drive) of a computer, or on a portable device, e.g. laptop, memory stick, smart phone etc.
      • If you have a role-related reason to store confidential information outside the hospitals’ secure network drives, you must:
        • Obtain approval from your leader
        • Comply with the Security of Confidential Information policy
        • De-identify the information or encrypt the device. Password protection of confidential information is not enough.
          • Contact Helpdesk:
            • To request the hospital’s encryption system for a laptop, or
            • To purchase an encrypted memory stick or,
            • If you have applied encryption to a personally-owned device, to ensure that the encryption meets hospital standards.
          • Ensure that codes for de-encrypting or re-identifying the information are not stored in the same location/device as the encrypted information,
        • Store the least amount of information on the device for the shortest time possible, and backup on the hospitals’ network,
        • Secure portable devices when not in use e.g.:
          • Locked cupboard in a locked office.
          • Avoid leaving a device unattended in a vehicle. If it must be left unattended in a vehicle, lock it in the trunk - never in view of a passerby.
          • Move the device to a more secure location as soon as possible and never leave it in a vehicle overnight.
          • If the vehicle has no trunk, leaving the device in the vehicle is not a secure option.
        • If the device is removed from service or redeployed for any reason, contact Helpdesk to “scrub” the hard drive. Deleting a file does not permanently erase it.
        • If accessing or viewing information from remote locations, take precautions to ensure no one else can view the information
        • If a device storing confidential information is lost or stolen, notify the Privacy Office immediately

  6. Never post confidential information on a social networking site, e.g. a personal blog, or Internet messaging sites.

  7. Send/transmit confidential information in a secure manner:
    • Choose the method of sending/transmitting information appropriate to the confidentiality and sensitivity of the information.
    • E-mail is not a secure, private or confidential mode of transmission and must not be used to transmit confidential information, i.e., identifiable patient, employee or affiliate information, or information about the confidential business of the organization, to e-mail addresses outside the organizations' secure e-mail system. The secure system includes:
      • @LHSC.on.ca
      • @SJHC.london.on.ca
      • @londonhospitals.ca,
      • @Lawsonresearch.com and
      • @schulich.uwo.ca

      • An LHSC or St. Joseph's e-mail account must not be forwarded to an e-mail account external to the organization's secure system, e.g., to a UWO, Hotmail, Yahoo account
    • Information may be sent electronically in a secure manner using the Secure File Transfer System (SFT). Information on SFT may be found on the Information Technology intranet site.
    • Faxing - always use a hospital-template cover sheet that includes your name, telephone number, and a statement that tells the recipient what to do in the event they receive a fax in error.
      • Review and follow the organization's faxing guidelines (available on the Privacy intranet site).
      • Notify the Privacy Office immediately if you learn that you sent a fax to the wrong recipient, i.e. to a private home or business. By law, we are required to:
        • Retrieve the original fax
        • Notify the patient whose information has been inappropriately disclosed.

  8. Discuss confidential information with others, only if you have a role-related reason to do so and only in private areas, where others cannot overhear the information.

    DO NOT discuss confidential information in public areas such as:

    • Elevators
    • Cafeteria
    • Coffee shops, retail spaces
    • Other patients' rooms
    • Hallways
    • In public
    • At home

  9. Maintain the confidentiality of information about employees and affiliates, and the confidential business information of the organization the same as patient information. Respect your colleagues' right to privacy.
  10. Refer to the Privacy intranet for:
    • all privacy-related policies and their supporting documents
    • Privacy-related newsletter articles
    • Information on privacy in specific programs, e.g., research, mental health
