Developing a Privacy Culture in Health Care Organizations: The Experiences of eHealth Ontario

Smart Systems for Health Agency (now part of eHealth Ontario) developed an award-winning privacy training and awareness program in 2007 to foster a culture of privacy within the organization. This slideshow, presented at GTEC 2008 (October 2008) for the benefit of other healthcare organizations, highlights the approach, messaging and tools used in that program.

Presentation Transcript

  • Developing a Privacy Culture in Health Care Organizations: The Experiences of eHealth Ontario
  • Notes
    • eHealth Ontario formed by regulation in September 2008
    • The transition of SSHA into eHealth Ontario has commenced.
    • Comments today reflect experiences of SSHA and not new Agency.
  • Personal Health Information is Increasingly Vulnerable
  • Canada: Privacy & Healthcare
    • 2007 Canada Health Infoway survey
    • Canadians reasonably confident that responsible stewardship of personal health data exists.
        • 79% consider the health information that exists about them to be at least moderately secure.
        • Trust in health professionals (e.g., doctors, nurses, pharmacists) is very high; but slightly lower for other groups (e.g., administrators, government departments).
        • Trust levels are more mixed outside the realm of immediate health care providers (e.g., computer technicians, insurance companies, researchers).
    • “If you can protect my privacy, I am okay with [electronic health records].”
  • United States: Privacy & Healthcare
    • May 2008 CDT report on privacy and healthcare cites 2006 survey
    • When Americans were asked about the benefits of and concerns about online health information:
        • 80% said they are very concerned about identity theft or fraud;
        • 77% reported being very concerned about their medical information being used for marketing purposes;
        • 56% were concerned about employers having access to their health information; and
        • 53% were concerned about insurers gaining access to this information.
  • The Problem is Not External
    • Gartner Group:
        • Employees commit 70% of data breaches.
    • 2006 CSI/FBI survey:
        • 92% of insider data thieves had negative work evaluations before breach.
    • Univ. of Washington research:
        • 31% of data breaches between 1980 and 2006 were committed by external parties (e.g. “hackers”).
  • What to Do?
    • In building a culture of privacy, an organization must:
        • clearly articulate privacy as an organizational priority;
        • communicate key privacy and security messages;
        • educate across the organization;
        • raise awareness of the importance of registering privacy incidents and breaches;
        • build privacy into the fabric of the organization’s activities; and
        • make privacy information and guidance readily accessible.
    • Think Training AND Awareness
  • Management Communication
    • Management must have effective messaging:
        • Information protection isn’t solely a technical or policy issue; it also involves behavior.
        • The protection of personal information is a personal responsibility for each staff member.
        • Information protection is an ongoing initiative, not a short-term project or goal.
        • The objective is to change organizational behavior to develop a “culture of privacy”.
  • Use Marketing Approach
    • Brand “privacy awareness”:
        • Integrate all the materials into a coherent, consistent, and instantly recognizable campaign.
        • Strategy should be to continuously inform and motivate staff and managers.
    • SSHA adopted its own theme
        • “Get Caught! Doing the Right Thing.”
  • SSHA Awareness Campaigns
    • Objectives:
        • Tie campaign to:
            • Updated Privacy and Security Standard of Conduct.
            • Mandatory staff training.
            • Enterprise Security and Privacy Incident Management.
        • Raise profile of Privacy and Security:
            • “Desk tour”
            • Poster campaign
            • Telephone hotline and central e-mail
            • “Jeopardy” sessions
  • Award-Winning Program
    • GET CAUGHT! won the following International Association of Business Communicators (IABC) awards:
    • An international Gold Quill Award of Merit in the Other Graphic Design category;
    • A Canadian Silver Leaf Award of Merit in the Other Graphic Design category;
    • A Toronto chapter Ovation Award of Excellence for Other Graphic Design; and
    • A Toronto chapter Ovation Award of Merit for Employee/Member Communications
  • Privacy Training @ SSHA
    • Online Learning Management System (LMS) with two modules for Privacy and Information Security.
    • Mandatory for new employees: to be completed within 30 days of on-boarding date.
    • Compliance monitoring done by PS from HR data.
    • Non-compliance with requirement results in system lockout.
  • Privacy Training
  • Conclusion
    • A “culture of privacy” is privacy-aware conduct in day-to-day business activities.
    • Developing a “culture of privacy”
        • Is a long-term exercise;
        • Intended to create an environment in which personnel automatically behave appropriately with respect to privacy requirements.
    • A “culture of privacy” fosters greater confidence among stakeholders in your organization’s information-handling practices.
    • A “culture of privacy” requires committed leadership to promote active participation by all staff.
  • www.ssha.on.ca/privacy
  • Questions
    • Michael Power
    • Vice President, Privacy and Security
    • eHealth Ontario
    • [email_address]