The Privacy Workshop for Developing Nations was held on Sunday, November 17, during the IFHIMA 2019 Congress in beautiful Dubai. Approximately 90 IFHIMA members were in attendance. Nations represented included United Arab Emirates, Saudi Arabia, Oman, Egypt, Australia, Nigeria, Barbados, Ghana, Kenya, Kuwait, and India. A representative of the WHO was also present.
The workshop was an extension of the IFHIMA whitepaper “Privacy of Health Information: An IFHIMA Global Perspective.” During the development of the whitepaper, the authors realized the need to go beyond the whitepaper to assist developing nations in their journey toward health information privacy. Hence, the workshop was born.
A team to develop and administer the workshop was appointed by Lorraine Fernandes. It included Dorinda Sattler, USA, team lead; Mujeeb Kandy and Selvakumar Swamy of India, on assignment in Qatar; and Dr. Sabu Karakka Mandapam of India. Dorinda and Mujeeb conducted the workshop itself.
An online survey of specific IFHIMA member nations was conducted before the workshop to help the team determine relevant content. The purpose of the study was to determine the various states of privacy practice and any perceived needs related to privacy. Results revealed that nearly half of the surveyed members ranged from not having any privacy laws in place to having legislation in place that was not fully implemented. Additionally, significant barriers to health information privacy were shown to be a lack of education regarding healthcare privacy (50%), a lack of resources to address it (22%), and the lack of laws surrounding healthcare privacy (18%).
Keeping in mind the survey results, the team developed the objectives of the workshop, lecture topics, and three activities. The objectives for the participants were to learn about privacy regulations and policies from around the world, to learn how to begin formulating privacy needs that address basic principles and challenging areas in healthcare, and to receive guidance on how to get started in developing privacy practices and regulations.
The workshop began with a conversation about privacy and trust and their importance in the healthcare realm, especially in the context of providing quality and safe healthcare. After the discussion, the participants worked in groups to identify reasons behind the importance of data privacy and security. Participants then shared their results. Many of the participants were already aware of how a patient’s lack of trust in their provider’s privacy practices may result in less than optimal healthcare data or care.
Additional discussion entailed balancing the need for public health against the privacy of individuals in the context of the stigma surrounding specific diagnoses or tests, and the potential ramifications of inappropriately divulged or individually identifiable information. Also covered were needs related to establishing privacy practices with cultural alignments, using empathy maps, policy prioritization, and other tools to align privacy practice with cultural norms.
Next, a brief overview of major privacy laws from the UK, EU, and the USA, along with the Fair Information Practice Principles, was provided. The purpose of the overview was to point developing nations toward established standards for use in the development of their privacy laws.
The second activity involved initiating a patient information inventory. A sample information inventory sheet was given to the participants to get them thinking about and documenting the various formats, purposes, users, retention periods, and locations of healthcare data in their institutions. The rationale behind the activity was to help the participants understand that organizations cannot adequately protect the privacy of information unless they know the breadth of information in their possession that requires protection. Some participants indicated that this particular exercise got them thinking outside the “patient health record box.”
The last activity was to identify privacy or security breach scenarios. Once identified, the next steps were to indicate how the situations could be prevented in the future, and to identify any mitigation strategies that should be implemented once the breach was discovered. The subsequent sharing of scenarios and strategies gave much food for thought for the participants to consider and employ in their institutions.
The final discussion included ideas on how to get started down the path to implementing privacy laws. Ideas ranged from starting at one’s institution by implementing and enforcing privacy practices, to drawing from other countries’ laws, to leaning on associations such as IFHIMA and HIMAs for guidance and support, and finally to addressing lawmakers.
The conversations and questions raised during the workshop were engaging and showcased HIM’s passion for privacy. These workshop conversations, coupled with the data from the survey and the work of the whitepaper, highlight the necessity for continued vigilance toward health information privacy.
Dorinda M. Sattler, MJ, RHIA, CHPS, CPHRM
Owner/Consultant, Sattler Healthcare Consulting, Inc.
Clinical Assistant Professor and HIT Program Director, Indiana University Northwest
dmsattle@iun.edu