As I was preparing to post this comic(1) for April Fool’s Day, I realized that this type of situation occurs all too frequently, even within healthcare and medicine.
How often do we read about this type of thing happening with medical records, with PHI?
In privacy and biomedical ethics, the acronym PHI has two common definitions in North America:
In Canada, PHI is an umbrella term for personal health information(2) which is often defined in more detail at the Provincial and Territorial levels than in the federal Personal Information Protection and Electronic Documents Act (PIPEDA):
“The core activities of public hospitals or publicly funded long-term care facilities are not subject to PIPEDA. However, health care providers in private practice such as doctors, dentists and chiropractors are engaged in a commercial activity and thus subject to the Act, unless substantially similar provincial legislation applies…
Alberta, Saskatchewan, Manitoba, Ontario, New Brunswick and Newfoundland and Labrador have enacted personal health information legislation that applies to the health care sector, including hospitals. Quebec’s Act respecting health services and social services also contains important provisions regarding personal health information”(2)
In the United States, under the 1996 Health Insurance Portability and Accountability Act (HIPAA), PHI is protected health information (3):
“The HIPAA Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI). Protected health information is information, including demographic information”(3)
The type of information covered by HIPAA includes:
- The current, past, or future mental or physical health of an individual, or any condition that they may have
- Any care provided to that person
- Past, future, or present payment for healthcare for that individual, which identifies them or which could be reasonable expected to identify them
No matter the definition, a patient’s medical information should be protected. Unfortunately – whether it’s faxing laboratory results to the wrong number, failing to secure (i.e. lock up) medical records, or leaving a clinic computer open without password protection – this is an area where there seems to still be knowledge gaps among healthcare providers and teams…
So enjoy the comic, and let it be a reminder about dealing safely with patients’ information! ‘-)
References:
(1) The Office of the Privacy Commissioner of Canada; Government of Canada. “Did you see some boxes of confidential personal information? I left them on the floor right beside my desk!”. 2016. Accessed 01 Apr 2016. Web:
https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/pipeda_sa_tool_200807/
(3) “Health Information Privacy”. 06 Nov 2015. Accessed 01 Apr 2016. Web:
https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#protected