Scenario Confidentiality & PrivacY

Transporting Client Information

Shelley is a dietetic practicum placement student at your facility. Shelley has been assisting you with data collection for your research project which includes gathering client personal health information.  You and Shelley leave the facility to get a coffee and while paying for her coffee, she drops a USB flash drive out of her pocket stating, “Uh oh, I’m glad I didn’t lose this - I have the research files on here.” Do you need to address anything?
Healthcare providers and organizations need to take appropriate measures to safeguard personal information from unauthorized access, disclosure, use or tampering. In the scenario, Transporting Client Information, client information is at risk of exposure if the USB were lost and not encrypted.
The dietitian should ask Shelley the reasons why the information is being stored on the flash drive and whether or not the information is encrypted. In addition, it would be important to discuss the risks when removing personal health information from the facility. The following fact sheet from the Information Privacy Commissioner of Ontario may be helpful to review with Shelley Encrypting Personal Health Information on Mobile Devices, as well as, any relevant organizational policies.
The nature of the safeguards a dietitian puts in place depends on the sensitivity of the information and the circumstances. Generally, safeguards must include the following components:
 Physical measures
  • Keeping such information in restricted access areas;
  • Locked filing cabinets and offices; and
  • If necessary, security cameras.
Organizational measures
  • Staff training in privacy; internal policies (e.g. staff can only access client information on a need-to-know basis);
  • Security clearances; and
  • Policies about transmitting or discarding paper or electronic information.
Technological measures
  • Passwords to access any computer;
  • Screen saver passwords;
  • Encryption;
  • Virus protection; and
  • Firewalls.