This week on our Road to PIPA, we are talking about training. Using question and answer scenarios, we look at a number of privacy-related aspects of using personal information in the medical field. These topics should be considered and incorporated into both the general and the role-based privacy training you give your staff.
Contact information
Under PIPA, personal information means any information that relates to an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers.
Question: Are the patient demographics (contact info) “owned” by the company or the healthcare practitioner?
Answer: The patient’s contact information is the personal information of the patient. Neither the organisation nor the healthcare practitioner “owns” it; both are stewards of that information.
Under PIPA, individuals have the right to request access to their personal information (section 17), the right to request access to their medical records (section 18) and the right to request correction, blocking, erasure or destruction (section 19). These rights are not absolute.
Medical records
Under PIPA, medical records and other health-related information are sensitive personal information. Sensitive personal information is a defined term that includes information relating to place of origin, race, colour, sex, sexual life, physical and mental health, disabilities, genetic information, etc. (for the full list, see section 7).
Question: Is it sufficient if our electronic medical records are HIPAA and GDPR compliant?
Answer: No. Organisations using personal information in Bermuda are obliged to comply with the legal requirements of the Personal Information Protection Act 2016 (PIPA). Under section 5, an organisation is required to adopt suitable policies and measures, i.e. a privacy programme, to give effect to its obligations and to the rights of individuals. When setting up a PIPA-compliant privacy programme, HIPAA and GDPR may be useful references for establishing which controls or best practices are “suitable”. However, compliance with those regimes does not by itself establish compliance with PIPA, and organisations need to be aware that the applicable privacy law in Bermuda is PIPA.
Security safeguards
Under section 13, organisations are required to protect the personal information they hold with appropriate safeguards against risk, including loss, unauthorised access, destruction, use, modification or disclosure, or any other misuse. PIPA does not prescribe which security safeguards are appropriate; that is for the organisation to determine based on the sensitivity of the information and the risk. Encryption of personal information, both at rest and in transit, is a widely accepted best practice and is highly recommended, particularly for medical records.
Maintaining privacy in email communications
Organisations are encouraged to maintain privacy in their email communications.
Question: A healthcare practitioner is moving from practice A to practice B. Both are located in Bermuda. Can practice A make a practice-wide announcement, by BCC’d email or by an email blast via a platform such as Mailchimp, to all patients who have consented to these types of emails, that the healthcare practitioner is moving to practice B?
Answer: General email announcements differ in nature from individual emails regarding a patient’s appointment, test results, condition, etc. Provided that the healthcare practitioner agrees and the patients have consented to receive general email announcements, it is up to the organisation to make a privacy-driven determination, on a need-to-know basis, as to whether to send the email only to the healthcare practitioner’s own patients or to all patients. Whichever group is chosen, the announcement must not expose one patient’s address to another: recipients go in BCC (or are handled by the mailing platform), never in the To or CC fields.
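The BCC point above is easy to get wrong in code. The following is an added example, not code from the original article: it builds a practice-wide announcement so that patient addresses appear only in the SMTP envelope and never in the transmitted message, and includes a check that detects the two common mistakes (listing patients in To, or adding a Bcc header and then sending the raw message text). The practice and patient addresses are constructed sample data, and the `send_announcement` helper assumes an already-connected `smtplib.SMTP` object.

```python
"""Announce a practitioner's move without exposing patient addresses.

Added example (not from the original article). Addresses are constructed
sample data; send_announcement() assumes a connected smtplib.SMTP object.
"""
from email.message import EmailMessage

# Constructed sample data: the practice's own mailbox and consenting patients.
PRACTICE = "frontdesk@practice-a.example"
PATIENTS = [
    "anna.patient@example.com",
    "ben.patient@example.com",
    "Anna.Patient@example.com",   # duplicate differing only in case
]


def build_announcement(sender, patients, subject, body):
    """Return (message, envelope_recipients).

    Patient addresses are kept out of every header. The only visible
    recipient is the practice itself; the patient list is returned
    separately so it can be passed to the SMTP layer as envelope
    recipients (the equivalent of BCC).
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    # Normalise and deduplicate so nobody receives the announcement twice.
    envelope = list(dict.fromkeys(a.strip().lower() for a in patients))
    return msg, envelope


def build_leaky_to(sender, patients, subject, body):
    """The mistake to avoid: every patient listed in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(patients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_leaky_bcc_header(sender, patients, subject, body):
    """The subtler mistake: a Bcc header on a message that is later sent
    as raw text (smtplib.sendmail transmits headers verbatim; only
    smtplib.send_message strips Bcc)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(patients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def leaked_addresses(msg, patients):
    """Patient addresses that would be visible in the message as transmitted."""
    wire = msg.as_string().lower()
    return sorted({a.strip().lower() for a in patients if a.strip().lower() in wire})


def send_announcement(smtp, msg, envelope):
    """Transmit msg once to every envelope recipient. Because no patient
    address is in the headers, there is nothing for sendmail to leak."""
    return smtp.sendmail(msg["From"], envelope, msg.as_string())


if __name__ == "__main__":
    subject = "A change at Practice A"
    body = "Dr Example will be practising at Practice B from next month."
    safe, env = build_announcement(PRACTICE, PATIENTS, subject, body)
    print("safe message leaks:", leaked_addresses(safe, PATIENTS))
    print("envelope recipients:", env)
    print("To-field leaks:",
          leaked_addresses(build_leaky_to(PRACTICE, PATIENTS, subject, body), PATIENTS))
    print("Bcc-header leaks:",
          leaked_addresses(build_leaky_bcc_header(PRACTICE, PATIENTS, subject, body), PATIENTS))
```

Running `leaked_addresses` against the outgoing message before it is handed to the mail server is a cheap pre-send check worth adding to any in-house announcement script; a mailing platform such as Mailchimp performs the per-recipient delivery for you, so the remaining concerns there are the data-handling ones discussed below.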
Mailchimp is one example of an email marketing tool. It is a popular service that many organisations use to send newsletters and promotional emails because it offers a lot of useful features. There are, however, several privacy-related concerns to be aware of when using any email marketing tool.
Data collection
Personal information: An email marketing tool may collect a lot of personal information about the organisation’s staff and its subscribers, including names, email addresses and sometimes more detailed data such as purchase history or location.
Usage data: An email marketing tool may track how subscribers interact with emails, e.g. who opens an email, who clicks on which link, and other engagement metrics. For a medical practice, the fact that a person opened an email about a particular practitioner or service is itself information about that person.
Behavioural tracking
An email marketing tool can use the data it collects to build detailed profiles of subscribers. Such profiling can be used to target individuals with specific content or advertisements, which subscribers may well regard as an invasion of their privacy and which goes beyond the purpose for which a patient gave their email address.
Data sharing
Third parties: An email marketing tool may share the personal information it holds with other third-party services for various purposes, such as analytics, advertising or improving its own services. This raises questions about where subscribers’ information is going and how it is being used, and the organisation remains responsible for it.
Data security
Server locations: An email marketing tool may store data on servers located in different countries, including the US. Different countries have different privacy laws, and this affects the level of protection the personal information receives. Under PIPA (section 15), an organisation transferring personal information overseas must ensure that it will receive a level of protection comparable to that required by PIPA; the tool’s contract and data-processing terms should be checked for this before patient data is uploaded.
Control over personal information
Consent: The organisation using the tool must ensure it has proper consent from its subscribers to collect and use their information in this way. This can be tricky to manage and might lead to legal issues if not handled correctly.
Data deletion: While an email marketing tool usually allows the organisation to delete subscriber data, deletion may not be immediate, and some data may be retained for a period of time or in backups. This matters when responding to an erasure request under section 19.
Changes in policies
Policy updates: An email marketing tool can change its privacy policy, and the organisation must stay informed about such changes to understand how subscriber data might be used differently over time.