
5 ways to maintain patient confidentiality

The digital world has revolutionised patient confidentiality. How can you hope to protect information with
the growing dependence on online portals and device connectivity? 

1. Create thorough policies and confidentiality agreements


Drawing up all-encompassing and wide-ranging confidentiality agreements or policies means that everybody
on your medical team knows exactly what is expected of them in every eventuality.
A confidentiality agreement is, in its essence, a legal document which specifies exactly what information
cannot be shared outside of the working premises. This policy must be read from cover to cover by every
staff member and signed. It can also be regularly shared with patients to demonstrate that your organisation
upholds strict confidentiality procedures.

2. Provide regular training


People adhere best to policies and practices when they fully understand why they are in place. Holding
regular training sessions for all your staff members, from administrators to doctors and nurses, helps to
reinforce how essential confidentiality requirements are, and provides a refresh of staff duties and
expectations.
For best results, make these training times fun and a good opportunity to learn while getting to know
colleagues. Taking a creative approach to the topic and introducing games can also help the information be
more engaging whilst also being a positive experience for your staff.

3. Make sure all information is stored on secure systems


As the standard of healthcare improves and populations expand, the amount of patient data being stored has
increased astronomically. As a result, many practices and clinics may face challenges in correctly storing
this information, both in terms of where huge data quantities can be saved, and making the information
easily accessible. Alongside these systematic difficulties, it is essential that the highest level of security and
digital protection is used when storing patient data. Purchasing platforms or using cloud providers that
ensure your data is safe is the best way to look after this.
Furthermore, it is important that only strictly necessary personnel have access to this data. Levels of
password protection that control access are also worth considering and investing in.

4. No mobile phones
An easy way to eliminate possible threats to patient confidentiality is to strictly limit or remove mobile
phones from patient areas. This ensures that no one could either maliciously or accidentally record or
photograph private records or information. According to research by Imperial College Healthcare NHS Trust
in London, 65% of doctors used SMS to communicate with colleagues about a patient, opening up concerns
about privacy.
This can sometimes be a difficult rule to enforce given the proliferation of digital devices. However,
regularly reminding staff and patients why it is in their best interests can help to reduce any resistance.
Strictly controlling the use of mobile phones helps to reduce the possibility of information theft.

5. Think about printing


Once all your technical solutions and security are in place, it can be tempting to think you have everything
sorted. However, printed materials that contain key patient information are often overlooked. Labels, forms
and printed notes can easily be misplaced, or even stolen, if they are in a busy area. Having streamlined,
easy-to-use and secure printing systems is well worth investing in.
• Threat 1: Insiders who make "innocent" mistakes and cause accidental disclosures. Accidental
disclosure of personal information—probably the most common source of breached privacy—
happens in myriad ways, such as overheard conversations between care providers in the corridor or
elevator, a laboratory technician's noticing test results for an acquaintance among laboratory tests
being processed, information left on the screen of a computer in a nursing station so that a passerby
can see it, misaddressed e-mail or fax messages, or misfiled and misclassified data.
• Threat 2: Insiders who abuse their record access privileges. Examples of this threat include
individuals who have authorized access to health data (whether through on-site or off-site facilities)
and who violate the trust associated with that access. Health care workers are subject to curiosity in
accessing information they have neither the need nor the right to know. Although no overall statistics
are available to indicate the scope of the problem, discussions with employees during site visits
uncovered many cases in which health care workers have accessed information about the
health of fellow employees or family members out of concern for their well-being. There are reports
of health care workers accessing health records to determine the possibility of sexually transmitted
diseases in colleagues with whom they were having a relationship—or in people with whom former
spouses were having relationships. Potentially embarrassing health information (e.g., psychiatric care
episodes, substance abuse, physical abuse, abortions, HIV status, and sexually transmitted diseases)
about politicians, entertainers, sports figures, and other prominent people regularly finds its way into
the media.
• Threat 3: Insiders who knowingly access information for spite or for profit. This type of threat arises
when an attacker has authorization to some part of the system but not to the desired data and through
technical or other means gains unauthorized access to that data. An example is a billing clerk who
exploits a system vulnerability to obtain access to data on a patient's medical condition. For example,
the London Sunday Times reported in November 1995 that the contents of anyone's (electronic)
health record in Great Britain could be purchased on the street for about £150 (or about $230).7
• Threat 4: The unauthorized physical intruder. In this case, the attacker has physical entry to points of
data access but has no authorization for system use or the desired data. An example of this threat is
an individual who puts on a lab coat and a fake badge, walks into a facility, and starts using a
workstation or asking employees for health information.
• Threat 5: Vengeful employees and outsiders, such as vindictive patients or intruders, who mount
attacks to access unauthorized information, damage systems, and disrupt operations. This is the pure
technical threat—an attacker with no authorization and no physical access. An example is the
intruder who breaks into a system from an external network and extracts patient records. Threat 5 is
truly dangerous only when patient records are accessed regularly through an external network. It is
clear that most providers are moving toward the use of networking and distributed computing
technologies as they move toward electronic medical records. Threat 5 is therefore a latent problem
on the horizon. The current reliance on paper records and the preoccupation of system managers with
internal systems make threat 5 low in perceived importance and, so far, low in reported incidence.
This situation is unlikely to last past the point at which internal systems are connected to external
networks.
