The public has the right to expect that their private information will be safeguarded and protected when it is given to those who deliver health services, writes Prof. Jane Grimson.
Creating a balance between respecting individual privacy and providing safe and effective care is the difficult, but very important, task faced by health and social care organisations internationally. While the concept of privacy impact assessment (PIA) is new to Irish health and social care services, it is used to varying degrees in a number of health services, including in Europe, Canada, Australia, and New Zealand.
PIA considers the future privacy consequences of proposed projects that involve collecting and using personal health or social care information, for example, setting up a database in a hospital for patients with diabetes. The advantages of PIA are many and include demonstrating publicly that an organisation takes privacy very seriously, and is doing its utmost to protect highly sensitive health and social care information.
It is estimated that up to 30 per cent of the total health budget may be spent one way or another on handling information, collecting it, looking for it, storing it. It is therefore crucial that information is managed and protected in the most effective way possible. PIAs can make an important contribution to this. When conducted in the early stages of work, PIAs in the health and social care sector can assist in verifying whether or not a project meets best international practice and existing legal requirements for the collection, storage, use or disclosure of personal information and whether it is viable to continue before significant investment is made on a particular initiative.
Privacy can be broadly described as the right of individuals to keep personal information about them from being disclosed. Under Irish legislation, the right to privacy is protected by, amongst other legislation, the Data Protection Acts 1988 and 2003. Furthermore, a number of key health service reform reports in Ireland have highlighted the importance of safeguarding the privacy and confidentiality of personal health information by the establishment of a legislative framework – namely the Health Information Bill. That Bill is expected to build on the legislative provisions already in place and seen to be working well. In advance of the Bill, the Health Information and Quality Authority (the Authority) is developing a health information governance framework to help protect and effectively use patient and client information.
PIA considers the future privacy consequences of proposed projects that involve collecting and using personal health or social care information
The public has the right to expect that their private information will be safeguarded and protected when it is given to those who deliver health services. Therefore, the primary purpose in undertaking a PIA is to protect the privacy rights of service users. Guidance on Privacy Impact Assessment in Health and Social Care http://www.hiqa.ie/media/pdfs/HI_Privacy_Impact_Assessment.pdf has been developed by the Authority as a resource to support service providers in protecting these rights and to assist them in strengthening governance arrangements around health information. It offers practical step-by-step advice on how to undertake a PIA. Privacy impact assessments are used internationally to help protect individuals’ privacy. They are used across all sectors but are particularly useful for health and social care providers. Internationally, there is a growing move towards mandating PIAs for healthcare projects which involve the collection, use, storage or disclosure of sensitive health information.
The Authority recognises that health management in Ireland faces a number of challenges in relation to protecting the privacy of patients and clients. However, there are many benefits arising from the use of PIAs. These include:
- Enabling service providers to demonstrate that the privacy of individuals is a priority for their organisation. This helps to build the trust of the service user in the provider.
- Educating service providers about privacy and the rights of the service users. This learning is essential in promoting a culture of information governance in organisations.
- Potential resource savings. By conducting a PIA in the early stages of planning an initiative, privacy risks or issues are much simpler to resolve prior to any significant investment being made.
- In the event of an unavoidable privacy risk or breach occurring, a PIA report can provide evidence that the service provider acted appropriately in attempting to prevent the occurrence.
The completion of a PIA encourages all providers of health and social care services to review management and practices in the handling of personal health information with a view to considering, and reflecting on, existing legislative requirements and best international practice. This increases awareness among professionals and creates a culture where maintaining personal health information privacy is a priority. Consultation with stakeholders and members of the public about the privacy risks associated with the project can also prove valuable.
The final output of a PIA is a published report on the project which documents the risks identified, and recommendations to address these risks. The focus of a PIA report should be on the needs and rights of individuals about whose personal health or social care information is collected, used or disclosed. Publishing a PIA report helps to build a culture of accountability and transparency and inspires public confidence in the service provider’s handling of personal health information.
The PIA Guidance published by the Authority also warns of some limitations involved in the project management process and how to manage them. The PIA process should be undertaken when a project proposal is in place but before any significant progress or investment has been made. In addition, service providers are encouraged to use the Guidance document to conduct a PIA process that is appropriate to their particular circumstances.
PIAs should be reviewed and approved at a senior level with each PIA report being quality assured by senior management. For example, a PIA for a major national project should be approved by the Chief Executive Officer of the Health Service Executive (HSE). A PIA for a new hospital patient administration system (PAS) should be approved by the CEO of the hospital, while a PIA for a new general practice management system should be approved by the general practitioner (GP) or the practice manager.
Privacy impact assessments are used internationally to help protect individuals’ privacy
Having completed this Guidance, the Authority will continue to develop and publish additional documents to support improvements in information governance and the protection of the rights and interests of health and social care service users.
There are four stages in the PIA process as follows:
- Stage 1 requires a project team to answer a number of questions about the project to determine if it presents any potential privacy risks to patients and clients. The answers may trigger the initiation of a PIA.
- If, after Stage 1, it is deemed necessary to proceed with a PIA, Stage 2 involves identifying the privacy risks through exploring the scope, information flows and security arrangements of the project.
- Stage 3 then deals with addressing the risks identified in Stage 2. This is achieved firstly through analysing and assessing them and then looking at ways to avoid them or mitigate them through privacy enhancements.
- Stage 4 is the output of the PIA process, which is a published PIA report. As the concept of conducting PIAs is new to the Irish health and social care sector, a sample PIA report based on this Guidance (Sample Privacy Impact Assessment Report Project: Outsourcing clinical audit to an external company in St. Anywhere’s hospital: October 2010) has been developed and is available on the Authority’s website for illustrative purposes (www.hiqa.ie).
Professor Jane Grimson is Director of Health Information, Health Information and Quality Authority.