Ethical Issues, Confidentiality, & Other Considerations
As the ability to quickly send and receive information has increased dramatically over the past several years, concerns about the privacy and confidentiality of personal information have also greatly increased.
Among other things, the concern over privacy has led to the development of the Health Insurance Portability and Accountability Act (HIPAA), which requires certain entities engaging in the electronic transfer of personal health information to comply with minimum standards regarding the protection of such information so that it is safeguarded from unnecessary or careless disclosure or use. Learn more about HIPAA by visiting the U.S. Health and Human Resources, Office for Civil Rights, HIPAA website.
If you or your organization conducts research or studies involving the collection of information about human subjects, there are several steps to consider in order to make the protection of the information a top priority.
For instance, you will need to determine whether your organization is a covered entity under HIPAA. If so, you obviously will need to comply with all the requirements of the law. Check to see if your organization has a HIPAA officer, or talk with others in your organization who may have already conducted research and had to address data privacy concerns.
Also, if your organization is controlled by or affiliated with an Institutional Review Board (IRB), issues about data privacy and confidentiality will need to be spelled out in consent forms or waivers, and there may already exist protocols for such purposes.
Protecting the Data
Below are other basic tips for protecting personal health data:
Protect yourself and others!
- Physically secure documents, CDs, computers, laptops, fax machines and other media so that sensitive information is not visible to those who don’t need to see it. Security breaches often occur unintentionally because employees forget to do the seemingly little things.
- Require employees to protect workstations with passwords, and strictly prohibit the sharing of any account or password information between individuals.
- Make sure you are comfortable with requests to provide patient or provider information before doing so. If you are unsure or hesitant, always ask a supervisor or get approval from a higher authority, even if somewhat inconvenient.
- Put "PHI" (protected health information) in the subject line of emails that contain patient or other sensitive information, alerting the recipient not to open the email if others are present. Never send specific personal identifiers such as Social Security numbers in an email! Email is not as secure as you may think.
- Develop a procedure for each research study that specifies which individual(s) are responsible for data entry and analysis, being careful to limit access to data to only those who truly need it for study purposes.
- Require that all data entry and analysis be conducted on work premises. Do not permit employees to take confidential patient files or paperwork containing patient information away from the office unless absolutely necessary and approved by supervisors.
- When discussing or showing analysis results in public venues, always report information at an aggregate level so that individuals or individual organizations cannot be identified. Even when aggregating data, you should be confident that the data were derived from enough sources that it would be improbable to identify an individual or individual organization through deductive reasoning or simply guessing.
- Develop a confidentiality agreement document specifying the above items and any other organizational policy regarding protecting data. Require all employees to sign and abide by the agreement as a condition of employment.
- Clearly communicate your organizational policy to others so they can see your efforts and the priority you are placing on data protection. Likewise, know and be comfortable with the data security policies and practices of any other organizations you may be exchanging study information with. If necessary, develop and sign business agreements with them so that all expectations regarding the protection of study data are clearly spelled out and understood.