Protecting People’s Private Health Information

Date of publication:

A new guide on how to protect people’s privacy within healthcare services has been published by the Health Information and Quality Authority.

Professor Jane Grimson, Director of Health Information at HIQA, said: “With so much information being collected, used and shared in the provision of health and social care, it is important that appropriate steps are taken to protect the privacy of each person to ensure that personal information is handled legally, securely and efficiently.”

“Information is a vital resource in the delivery of high quality, safe healthcare for patients but there is a very real need to strike a balance between using personal health information to improve the delivery of care while also protecting people’s rights to privacy and confidentiality.”

It has been estimated internationally that up to 30% of a country's total health budget is spent on health information - collecting, storing, managing and searching for it. It is therefore essential that it is managed as efficiently and effectively as possible in order to ensure value for money. Privacy Impact Assessments can make an important contribution to this.

“The public has the right to expect that their private information will be safeguarded and protected when it is given to those who deliver health services,” Professor Grimson said.

HIQA’s guidelines are a practical resource on how to strike this balance by outlining how, in practice, privacy can be appropriately considered and protected.

“We have developed the Guidance on Privacy Impact Assessment in Health and Social Care as a resource to show service providers how to ensure that they protect the privacy rights of the people using their services and to assist them in strengthening their own governance arrangements around health information,” said Professor Grimson.

Importantly, privacy impact assessments (or PIAs) also bring value and cost savings to healthcare projects. When conducted in the early stages of work, PIAs can demonstrate whether or not a project meets legal requirements for the storage of personal information and is viable to continue before significant investment is made.

The Authority’s guidelines provide a step-by-step guide on how to undertake a PIA and the important factors to be considered at each stage of the process. They are intended as a resource for all those involved in healthcare delivery, project planning and research.

Guidance on Privacy Impact Assessment in Health and Social Care

Resource: Privacy Impact Assessment Threshold Assessment form

Sample Privacy Impact Assessment Report

Further Information: 

Marty Whelan, Head of Communications and Stakeholder Engagement
01 8147481 / 086 2447623
mwhelan@hiqa.ie

Notes to the Editor: 

  • The role of the Authority, under its legal mandate, is to develop an information governance framework for health information to ensure that the privacy of people who use health and social care services is protected
  • In September 2010 the Authority launched its draft National Standards for Safer Better Healthcare. Privacy features as a key element of these standards, appearing under Theme 7 – Use of Information, which requires that service users’ dignity, privacy and autonomy are respected and protected appropriately
  • The Report of the Commission on Patient Safety and Quality Assurance underlined the importance of sharing data, knowledge and expertise to ensure that the health service can operate effectively. However, this Report very clearly stated that information sharing should be subject to appropriate safeguards to protect individuals’ privacy from unauthorised access or disclosure
  • Similarly, one of the key objectives of the current Health Service Reform Programme is to ensure the delivery of better patient care. Good information governance – how a patient’s information is collected and stored, how it is shared among relevant healthcare professionals and how it can feed into top-level service planning – is a critical part of this
  • The benefits of PIAs include:
    • enabling service providers who undertake PIAs appropriately to demonstrate that the privacy of individuals is a priority for their organisation, and show commitment to putting the rights of the service user first and the proper handling of their personal health information. This helps to build the trust of the service user in the provider
    • educating service providers about privacy and the rights of the service users. This learning is essential in promoting a culture of information governance in organisations
    • potential money savings - by conducting a PIA in the early stages of planning an initiative, privacy risks or issues are much simpler to resolve prior to any significant investment being made
    • enabling a clear focus to emerge as to the precise data required for an initiative and in the event of an unavoidable privacy risk or breach occurring, the PIA report can provide evidence that the service provider acted appropriately in attempting to prevent the occurrence. This can help to reduce or even eliminate any negative publicity and loss of reputation.