By: DataSociety

Data Protection

Not once have I seen a man fidgeting trying to remember their date of birth or that of their spouse or child at the hospital registration desk. With so much difficulty to an extent you would imagine that the data is being retrieved from a fortified banker with a double verification security system. Most women are gifted differently though; at a snap of the finger they will tell those dates of birth and identification details as if they are reading from a teleprompter.

Working as a care manager has made me cognizant of the secrecy with which patients require their personal data to be handled. The escalating ills in society targeting personal information tootle behind every person handling personal data in any institutional setting, but much more in the hospital setup, where emotional drain from the suffering of patients can easily distract even the most alert data handler.

Linking patients with healthcare providers, social services, and support programs requires a care manager to assess patient needs, track progress, and adjust care plans accordingly. These adjustments ensure that the patient has access to necessary medication, treatment, and financial assistance, and that their rights are upheld, including access to healthcare and fair treatment. Patient support extends beyond the health facility to offering information on disease management, preventive care, and mental health support, along with how to manage emergencies and ensure timely medical response. It also covers ensuring compliance with healthcare policies and ethical guidelines during sickness, through the recovery journey, and even past recovery. This level of interaction leaves behind undeletable footprints of patients' data in the custody of care managers.

Data protection in Kenya is guided by the Data Protection Act, 2019, which aligns with global best practices in safeguarding personal information, including health records. Confidentiality is a key principle enshrined in the Act. Healthcare providers and care managers must protect patient data from unauthorized disclosure. The relative who walks behind the admission table and requests additional information on the patient, when the patient has not signed them up as a recipient of uncensored data, is a threat to this principle. An employer who authoritatively calls seeking a brief on patient data must be advised, professionally and with the utmost etiquette, that the information they seek will be shared after relevant consultation. Some basic information on case management or financial plans, which looks harmless at face value, can be detrimental to the patient when shared with the wrong audience.

Patient data should only be collected and processed with informed consent or for legal and medical purposes. There are circumstances, however, where the patient's condition necessitates that the health worker or the caregiver obtain information without consent for medical purposes, especially in medical emergencies. This information should be shared with the patient or the next of kin at the earliest opportunity and must be concealed from any other third party at all costs. Healthcare institutions should limit access to patients' data by ensuring that only authorized personnel handle patient records and that strict access control measures are in place. Many health workers have casually asked an unauthorized person to pass a report file or even a prescription sheet to the next person in the caregiving chain. Such innocent acts can land the persons concerned in a lot of trouble in case of a data breach.

To enhance data security, healthcare institutions must implement encryption, cybersecurity measures, and secure storage for patient information. It is also important to minimize data capture by ensuring that only necessary patient data is collected and avoiding excessive or irrelevant information. A healthcare worker who plugs an external storage device such as a flash disk into computers hosting the institution's core system, whether to download personal things or play music, poses a risk to patient data security. Healthcare institutions should have a policy in place for ensuring their data management systems are not vulnerable. If a hacker gains access to the institution's database and accesses patients' personal data, including insurance policies and at times even details of money transfers towards settling the bill, such a breach potentially exposes the client to extortion, malicious release of such data to the public domain, or even money swindling.

The Office of the Data Protection Commissioner (ODPC) oversees compliance with the Data Protection Act, 2019. Any healthcare worker who experiences an incident should report data breaches to the ODPC to avoid legal consequences.
