Protecting health information is everyone’s business
Tuesday, 15 December, 2015
This year the Health Informatics Society of Australia (HISA) released its guidelines for the protection of health information. This is an extract of the publication which is available for download on the HISA website.
In recent years, healthcare systems and healthcare information in Australia have been reshaped by expanded communications provision to remote parts of Australia, increased use of technology, economic challenges, remote patient care, and higher public expectations. Organisations have become more customer-oriented, focusing on quality and engaging in participative decision making. Healthcare is shifting under restructured governance, a greater emphasis on outcomes, and the implications of the increased integration, scope, complexity, and use of information systems.
With all of these changes, it is now much easier for the system to affect people than for people to affect the system, which means that the rights of the individual may be at risk — in danger of being subjugated to the efficiencies of the system. Consequently, it is more important than ever for healthcare organisations to make sure that information is complete, accurate, available, and protected. Health information must be managed and used appropriately to benefit both patients and society. Neither society nor individuals should suffer from the changes being made to health information systems, from either too little or too much privacy protection.
Responsibility for personal health information (PHI) has traditionally demanded a duty of care and confidentiality from healthcare professionals. Along with financial information, health information is considered to be the most sensitive form of personal information; the public is acutely aware of the risks associated with its use and disclosure and the consequent need to use and protect it appropriately.
All Australian jurisdictions are moving toward using electronic health records (EHRs). As these healthcare information systems are integrated to support EHRs, healthcare professionals will increasingly be able to share PHI across jurisdictional and organisational boundaries, thus supporting the provision of improved healthcare services in Australia. In addition, the sharing of PHI supports the growing demand from consumers and healthcare professionals to include the “subject of care”[1] as a member of the healthcare team. In this scenario, subjects of care will have access to their own PHI, participate in their own care, and understand how their information is used and what their privacy rights are.
The Australian government has introduced the Personally Controlled Electronic Health Record (PCEHR). Presently, participation for individuals and healthcare organisations is voluntary, not compulsory. Adoption by healthcare organisations will increase while government payment incentives are offered and demand from patients grows. The PCEHR does not provide a comprehensive collection of an individual’s health records but a centralised point for summaries and additional information that enhance existing health records. Currently, the content is limited to event summaries, shared health summaries, discharge summaries, Medicare data (e.g., MDS, PGS), and data entered by the individual. Take-up continues to be gradual since the system is opt-in for both individuals and healthcare organisations. The necessary security and privacy is embedded in the system’s design, allowing individuals a range of controls over who can view their health information, both generally and at the level of a specific record. This landscape creates urgency for healthcare organisations and professionals to ensure that PHI is being collected, used, and disclosed appropriately. Privacy and security safeguards are needed to protect the confidentiality, integrity, and availability of PHI, while simultaneously enabling healthcare professionals to access the PHI needed to provide appropriate and safe healthcare services.
How can this be done?
First, an organisation must determine its information protection needs; to do that, it should conduct a privacy impact assessment (PIA), a gap analysis, and a threat and risk assessment (TRA). Once information protection controls are identified, they must be aligned with legislative and regulatory requirements, health industry standards, and organisational priorities, and they must be balanced for cost and value. In short, any privacy protection system must be practical and sustainable, but at the same time it must not conflict with legislation or undermine ethical principles. In the face of ongoing technical advances and increased public awareness, the goal of any privacy protection program must be not only to preserve the current level of public confidence in the health system, but to increase it. Without trust in the system and its ability both to treat illness and to preserve privacy, the duty of care cannot be fulfilled.
Editor’s note: At the time of writing these guidelines, the PCEHR was an opt-in system; whereas now the Federal government is trialling an opt-out system in selected areas. See our eHealth column by David More (pX) for further information.
Purpose and Scope
This publication, ‘HISA’s Australian Guidelines for the Protection of Health Information’ (HISA Guidelines), serves as a resource to assist the health sector as a whole, and especially healthcare professionals, to protect the PHI they require to do their work and to meet their roles and responsibilities. HISA Guidelines describes the key security and privacy issues faced by healthcare organisations and offers guidance for responding to them. It is not an all-encompassing guide to the protection of PHI; rather, it is designed as a stepping stone to help healthcare organisations address common concerns, avoid confusion, and prevent misunderstandings.
In conjunction with applicable privacy legislation, security standards, and information protection best practices, HISA Guidelines forms part of a privacy and security framework designed to support the appropriate use and protection of PHI. HISA Guidelines has four major objectives:
- To educate healthcare professionals and organisations about the privacy rights of their subjects of care.
- To assist healthcare professionals and organisations to minimise the risk of inappropriate, insecure, or unauthorised collection, use, disclosure, modification, storage, or destruction of PHI.
- To assist healthcare professionals and organisations to maximise the integrity, availability, and confidentiality of PHI, and the efficacy of administering authorised access.
- To assist healthcare professionals and organisations to design and/or implement programs to protect the privacy and security of personal health information.
Benefits of Using HISA Guidelines
The extent of the benefits you and your organisation may derive from this publication will depend on the organisation’s current understanding of information protection issues and the maturity of the existing information protection program. Our hope is that you find the information here assists and supports progress in developing, implementing, and improving your organisation’s program.
If your healthcare organisation already has an established information privacy and security program with a designated information privacy officer, you may find the descriptions of fundamental information protection structures and mechanisms to be a review. In that case, your organisation may use HISA Guidelines to identify gaps, enhance existing practices and safeguards, and advance education and awareness. You will also benefit from the discussions of new privacy laws, technologies, threats, risk management, and other leading best practices in the field.
If your healthcare organisation has only recently begun to identify information protection as an organisational priority, or is introducing new health information systems or technology, you will benefit from the detailed information provided. HISA Guidelines is an excellent starting point for understanding the value of tools such as privacy impact assessments, threat and risk assessments, privacy and security policies, and education programs. You may use the information provided here as a basis for developing organisational capacity, safeguards, processes, and policies, and you can build on this base by exploring the suggested resources listed in the appendices, which provide more detailed information on specific subjects.
Whatever your starting point, you and your organisation will benefit by relying on HISA Guidelines. It is updated regularly by a panel of Australian national and international experts to reflect the latest knowledge in the field. You can use this publication confidently, knowing that you are doing your best to reduce privacy threats for both your organisation and the people it serves.
‘HISA’s Australian Guidelines for the Protection of Health Information’ (HISA Guidelines), edited by Peter R. Croll, Patricia A.H. Williams and Emma Hossack, published 2015 by Health Informatics Society of Australia Ltd, is available for download at http://healthprivacy.org.au/
References
[1] “Subject of care” is a term recognised and used by the International Organization for Standardization (ISO) to refer to patients, clients, and residents of healthcare organisations. While not an elegant term, it is currently accepted internationally as the best one to use at this time.