Confidentiality and medical records
- Keep medical records in a secure place – do not leave them lying around in publicly accessible areas.
- Restrict access to patient records on a “need to know” basis – not all staff need access to the whole record.
- Dispose of records securely by shredding or incinerating them.
- Do not use information contained in the medical records for purposes other than patient care, unless consent has been obtained or the data anonymised.
- For research or audit, anonymise information about patients in such a way that they cannot be identified. If this isn’t possible, obtain the patient’s consent.
Computerised and electronic records
There are many advantages to holding information in electronic form, not least of which is the greatly reduced storage space that is needed. Computer records can be easier to track and access and, if access is password protected, it is also easier to restrict access to specific personnel.
On the other hand, unauthorised access to computer records can have consequences of a far greater magnitude than unauthorised access to paper records. Moreover, as systems increasingly become networked, the opportunities for security breaches are expanding.
What you can do to minimise the risk of security breaches
- Position computer screens and printers where they can’t be seen by unauthorised people.
- Impress on staff that they must not disclose their password for any reason.
- Change passwords regularly.
- Do not set up a single username/password for use by all locums (or anyone else). Everyone who logs onto the system should do so using an individual username and password.
- Introduce practices such as always locking workstations before leaving them unattended, and set your screensaver to come on after a few minutes of inactivity (make it password protected).
- Use software that restricts access to authorised users and generates audit logs.
- Back up files regularly and keep back-ups in a secure off-site environment.
- Regularly review the effectiveness of your security measures.
- Install a good firewall and a regularly updated virus checker.
Box 8: Questions to ask yourself
- What would your practice do if it had a data breach incident?
- Have you a policy in place that specifies what a data breach is? (It is not just lost USB keys/disks/laptops. It may include any loss of control over personal data entrusted to organisations, including inappropriate access to personal data on your systems or the sending of personal data to the wrong individuals.)
- How would you know that your practice had suffered a data breach? Do staff at all levels understand the implications of losing personal data?
- Has your organisation specified whom staff should tell if they have lost control of personal data?
- Does your policy make clear who is responsible for dealing with an incident?
- Does your policy meet the requirements of the Data Protection Commissioner’s approved Personal Data Security Breach Code of Practice?
Source: Data Protection Commissioner, Breach Notification Guidance