Speaker 1: Do you remember the last time you visited your local clinic? You probably had to just mention your name and voila. The receptionist could fish out all your details which would include your blood group, date of previous visit, medical history, home address, phone number and a lot more. Your data is collected at several touch points in the medical ecosystem. Let us demonstrate the same with a few examples. When Seema enters a pathology lab to get a blood test done, her data is being collected. When Mihir suffers a fracture, the consulting doctor already receives a detailed study of his medical history. Both the situations have one thing in common – the role of data. Healthcare providers maintain these records for patients' convenience and record-keeping but may sometimes be unaware of the best practices to safeguard it effectively. Data Security Council of India, DSCI, through its Sectoral Privacy Project, brings data privacy best practices to large enterprises, small and medium enterprises, SMEs and start-ups through the creation of sector-specific guidance material. DSCI's Healthcare Privacy Guide lays emphasis on the patient's journey in the healthcare ecosystem and the identification of specific intervention points for healthcare service providers to alleviate different privacy risks emanating from the different data operations. We strongly advocate that the healthcare providers should maintain the privacy, confidentiality and accuracy of the data collected to establish trust with the patients. When trust is created, patients are more comfortable in sharing their complete health information with the provider, enabling better decision-making. So let's begin with asking ourselves an important question – who is this Healthcare Privacy Guide for? The guide is for all healthcare service providers, ranging from private and public sector hospitals, diagnostic centres, doctors, nursing staff, clinics, nursing homes, medical practitioners, pharmacies and many more. If you fall in any of these categories, our Healthcare Privacy Guide is going to be immensely beneficial for you. What is the relevance of the Healthcare Privacy Guide? While patient data collection is important, the lack of set protocols in collecting and using the personal data of patients can encroach on their right to privacy. Because of a lack of clear understanding on the subject, you might face certain challenges while maintaining the privacy of the patients, but introducing yourself to certain key concepts will allow you to implement best privacy practices. Now moving ahead, we are going to discuss all the key concepts of privacy in the context of Healthcare Services 1x1.1 – Accurate and Proportional Data Collection for Patient Identification. Let's hear Anita's story. After undergoing a knee surgery, Anita's healthcare provider suggested that she take physiotherapy sessions from the same hospital. At the time of her surgery, she was asked to share some basic details including her name, age, date of birth and the number of her unique government-issued ID card. At the hospital's physiotherapy centre, she was again asked to share this information. The lack of a centralised data collection system in this case poses a risk to the uniformity and identifiability of Anita's medical records. Anita's interaction with the hospital tells us that healthcare service providers must strive to improve the patient's personal data collection process to ensure that only accurate and necessary information is collected from the patient. Information should only be collected by lawful and fair mean. Effective patient communication is an integral step to build trust. Healthcare providers must take into consideration the apprehension patients may have in sharing their information. Patients should be clearly informed about how their personal data will be used. While filling the admission form at his local clinic, Ashok noticed that the document permitted the clinic to use his personal information for assessment and business purposes. The form, however, did not explain the nature of these businesses. The receptionist also failed to provide a clear and complete explanation for it. Hence, consent obtained by the clinic in this scenario cannot be characterised as informed consent. Ashok's story informs us of the importance of explicit, affirmative and action-based consent in healthcare-related scenarios. Consent should always be freely given in an unambiguous manner to ensure that the patient has given authority to the administration to process their personal information. The only exception to this rule should be high-risk scenarios where urgent medical assistance is required. Use or Disclosure of Patient Personal Data The primary purpose for collecting health information is to provide healthcare services. Any usage and disclosure of health information should serve this primary purpose unless the patient consents to disclosing it to a third party or if such disclosure is required by law. 5. Securing Patient's Personal Data Healthcare service providers must ensure the security of the patient's personal data through administrative and technological controls. Health data must be secured in custody to avoid misuse, interference, loss and unauthorised access, modification or disclosure. 6. Enabling Access to and Correction of Personal Data After undergoing a surgery, Lalit made multiple requests to the hospital administration to gain access to his medical records. However, the customer service representative of the medical facility was not aware of a patient's right to access his information and hence his application was dismissed. As a result, Lalit could not show his previous records to another doctor for consultation. Thus, the lack of a streamlined process hampered Lalit's treatment. It is highly important for healthcare service providers to allow patients to access their personal data upon request. Patients should also be empowered to request amendments to their personal data to ensure that it is accurate, relevant, up-to-date, complete and not misleading. 7. Maintaining Patient Anonymity Sixteen-year-old Suresh wanted to quit smoking but he was uncomfortable bringing this topic up with his parents and was unsure how they would react. After getting in touch with a counsellor to assist him in quitting smoking, he was relieved to find out that his identity would be kept anonymous and the details of their session would not be shared with anybody without his consent. This shows the importance of giving patients the option of not identifying themselves when dealing with healthcare organisations. Healthcare service providers must also actively adopt acceptable methods of de-identification and anonymisation to reduce the risk associated with processing patient health data, especially with respect to genetic data or children's data. If you follow the seven principles that we just discussed and adopt digitisation in the overall healthcare process, you will be able to Enhance information transparency Improve interoperability Standardise processing of claims Roll out digitised prescriptions Provide improved access and services to patients We hope that the information in this video was meaningful and comprehensive to help you get started on your journey to implement privacy best practices at your workplace. Our self-assessment checklist will aid you in evaluating your adoption of patient-centric privacy principles. To improve your privacy implementation as a healthcare service provider, download the complete guide now.