Privacy policy for doctors

Does your privacy policy protect your private practice?

Telehealth, new online tools, and a rapidly changing landscape of software and technology: and yet you could be at risk because you haven’t paid attention to your privacy policy since the fax machine was installed. If that is the case, our conversation with Craig Hong at Hillhouse Legal Partners will give you the context you need to update your policies.


Kris Borgraeve - Co-founder Digital Practice


December 2, 2021

Craig Hong, Legal Advisor: It’s not just about drafting a privacy policy


Patient information travels in all directions. From your email conversations with patients to the cloud-based storage systems you use for images and documents. From printed and filed reports at your office or in the cloud, to electronic patient records and practice management software.

And then came the big digital shift, where many of us had to improvise and access patient details from home, on devices other than our regular office infrastructure.

Craig Hong is a legal advisor and a leading expert in all matters relating to corporate and commercial law at Hillhouse Legal Partners. Craig applies a multi-disciplinary and holistic approach. In the video, he explains the specific context of data privacy in Australia and the general principles that can be applied to your practice no matter where you operate.

Why empowered patients expect a failproof privacy policy


Patients – and let’s face it, all of us as consumers – have become more aware of data security. With health records, there is a deeper layer of confidentiality at work. Information about the patient’s health, including elective procedures or treatments, is supposed to be held confidential. Privacy legislation is being adjusted around the world to meet the challenges of new digital threats such as hacking, ransomware and identity theft.

The empowered patient in the 21st century expects you to handle their data with the same level of care as you treat their body. Your privacy policy is more than a quick box to tick.

It should tick a few boxes actually:

  • Be proactive: Get in front of the new trends in privacy-related risks and don’t wait until your business experiences an acute crisis situation.
  • Check local guidelines: Depending on your jurisdiction, check your different levels of legislation and guidelines and take the time to go through the checklists that are available through government portals and websites.
  • Systemise: Look at your privacy policy beyond the document you add to your website. Look at your systems, software applications and the support you can get from the suppliers. Systemise your privacy environment so it reduces the risks for your patients and for you as a doctor.
  • Find help: When it becomes bigger than Ben Hur, identify who can help you and run your documents and processes past an expert, who can help you make it failproof and compliant.

Do not breach your own privacy policy as a doctor


If the pandemic has seen you taking video calls from home, or transferring some of your team’s work to their home environment, chances are you have been using software you had not used before.

Zoom, WhatsApp, Messenger, Skype… the list keeps growing, and when your practice management team has to adapt to lockdowns and restrictions, there is often no time to thoroughly investigate the security of the home devices, networks and applications.

If your practice has switched to telehealth on the fly, now is the time to inspect the overall security of your new communication platforms and systems. Your IT team should be able to help you. Quality questions include:

  • Does the software use end-to-end encryption?
  • Does it use multi-factor authentication?
  • Are all networks, including home wifi systems, properly encrypted?

The work starts with looking at the actual systems. The next step is to communicate to your patients where the data is being stored and retained.

Involving the IT team, the legal adviser and the patient


Let’s look at the players in this story:

  • IT Team and software providers:
    Once you have identified which software contains patient data or connections to your database, sit down with each of the providers to map how data are collected. It means assessing the applicable standards for your legislation, for example, HIPAA in the United States, or regulations put in place by the Australian Information Commissioner and Privacy Commissioner.
  • Adviser and insurer:
    As part of your risk assessment processes, and often assisted by your insurer or your legal adviser, you will probably assess your data security like you would assess the overall security of your premises. And when you do this, you typically speak with your IT providers and create clarity about the software that contains patient data. Most doctors will then take this rough plan of their software infrastructure to a legal partner such as Hillhouse Legal Partners, to draft the actual privacy policy with all the information the software providers have given you.
  • The patient:
    The next leg is to make sure that your processes to collect patient information, from online tools to forms that are filled out manually and then entered in your electronic patient records, are supported by patient consent. In other words, you give the patient the opportunity to formally agree that data will be stored in your systems.

When your privacy policy has become a mature and waterproof system, you can enjoy peace of mind in that area and focus on other things. That clarity is your insurance. In case a patient or their representative asks a question, you would rely on the same legal adviser who has helped you set up your privacy policy, evaluated your systems and drafted your consent forms.

Cybersecurity fundamentals for doctors


Pandemic-friendly workflows have been implemented all over the world since early 2020 and this has often happened in a hurry. Professional hackers and criminals are seizing these opportunities on a daily basis and one of the focus areas is to get access to health data and healthcare providers.

As a doctor, your responsibility is to educate your team members so they keep your patients’ details secure. The top 5 cybersecurity fundamentals for doctors and private practices we see are:

  • Go over your hardware and software: Quite often the old computer and the old software do a reasonable job, but how easy is it to hack your entire system simply because you have not updated anything? Updating can mean two different things: literally updating a particular piece of software (checking whether updates are available, downloading new versions and installing them), or abandoning a specific piece of software and moving that task to another platform.
  • Use stronger passwords: Your birthday or your cat’s name worked well in 1998. Now it’s time to look into the characteristics of really strong passwords and apply these stricter guidelines for all your software and tools.
  • Use multi-factor authentication: Hackers can only access your software if they have your username and password AND your smartphone or the dongle that generates an additional code.
  • Back up your data: Keep backup copies in a safe, separate location so you are protected if someone hacks your entire system.
  • Avoid phishing: Educate and train your team not to click on links in unsolicited or suspicious emails or text messages.

Disclaimer: None of the information in this article and the video is to be seen as legal advice. Seek qualified expert legal advice if you have questions in regards to your privacy policy or any other legal aspect of your business. 

Let's meet

Setting up your systems? We can help


When you are only just starting out in private practice, chances are that your privacy policy is not the only document you are drafting at this point in time. If you need assistance setting priorities, book a consultation and we will go over some of the essentials of setting up your practice, your online presence and a safe set of systems and protocols.
