The other day I saw a staff member getting into their car, and putting what looked like a handful of patient notes in the boot. He was probably off to see his patients at a clinic or do a home visit. This sort of thing is not unusual, especially as we are very much a paper-based system and need to take patient notes with us to do our jobs. However, I couldn’t help thinking how accountable we are for keeping the personal and sensitive details of our patients safe when their notes are in our care. I bring this up as we have dealt with a case where patient information (contained in a notebook) was left in a vehicle, in full view while unattended. To compound matters, the car was broken into, and the notebook discarded along the way. While the notebook was retrieved, the Privacy Commissioner at the outset told CM Health that it had likely breached ‘Rule 5’ of the Health Information Privacy Code. In a nutshell, the Commissioner indicated that in this situation we did not take reasonable safeguards to protect the information contained in the notebook.
So what are reasonable safeguards, when it comes to transporting patients’ health information, for example, between sites?
Today I’m joined by John Hanson, our Senior Legal Advisor, who talks us through the intricacies of privacy law and how we can safeguard ourselves and our patients against breaches of privacy. If you are a health professional who sometimes has to take notes off site to do your job, this is an interesting read.
CM Health takes patient privacy very seriously, and on the whole we do a great job of protecting our patients’ confidential and private details. However, when we transport patient information off site, we open ourselves up to a higher risk of this information being damaged, left behind, or in the worst-case scenario being stolen. When a breach of privacy occurs, we go through a robust process to manage the situation and minimise the impact and risk for the people involved, in particular our patients. In the case mentioned by Geraint, every patient whose information was involved was notified. Understandably there was a mixture of responses. One patient was particularly upset and complained to the Privacy Commissioner’s Office. The Commissioner’s initial but clear indication to CM Health was that it had interfered with the person’s privacy.
In effect, this means that CM Health had breached Rule 5 of the Health Information Privacy Code, and the patient had suffered harm as a direct result. The Commissioner also found that some of the information in the notebook (including that relating to the patient who complained) did not need to be taken off site. In fact some of the information was quite historic. The Commissioner believed it was not reasonable to expose this type of historic information to the additional security risks involved without a clear clinical purpose.
In this case, the person felt particularly distressed by the whole affair and, as a result, had suffered harm. As a DHB, we had failed on both counts.
What this ruling did, up and down the country, is raise the following question. In healthcare organisations, where we largely deal with paper-based systems, how far do you need to go to ensure the safety of confidential information when transporting notes off-site? While it can seem like a minefield, the Privacy Commissioner is aware of the limitations that health agencies and DHBs work under and is working with the health sector to put in place some safety guidelines.
There are things you can do now to ensure patient records remain safe and secure when travelling between sites. These reflect the Commissioner’s approach to security:
- If possible, transport patient notes or information in a secure container and remain in touch with them. If they need to be transported by car, for example, they should be secured in a container in your boot. They should never be left in open view or on a seat.
- Only take the notes you need for your task.
- If it’s a rainy or windy day, secure the notes in a bag, so they don’t blow away or get wet.
- Don’t take notes out for an extended period when you don’t need them.
Just as you don’t leave your valuables, such as your wallet, in your car, treat patient notes and information the same way. If they were your health records, it’s very unlikely you would want them falling into the wrong hands.
John and Geraint