Your SlideShare is downloading. ×
Developing a Privacy Culture in Health Care Organizations:The Experiences of eHealth Ontario
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Developing a Privacy Culture in Health Care Organizations:The Experiences of eHealth Ontario


Published on

Smart Systems for Health Agency (now part of eHealth Ontario) developed an award-winning privacy training and awareness program in 2007 to foster a culture of privacy within the organization. This …

Smart Systems for Health Agency (now part of eHealth Ontario) developed an award-winning privacy training and awareness program in 2007 to foster a culture of privacy within the organization. This slideshow, presented to benefit other healthcare organizations at GTEC 2008 (October 2008) , highlights the approach, messaging and tools used in that program.

1 Comment
1 Like
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • Transcript

    • 1. Developing a Privacy Culture in Health Care Organizations The Experiences of eHealth Ontario
    • 2. Notes
      • eHealth Ontario formed by regulation in September 2008
      • The transition of SSHA into eHealth Ontario has commenced.
      • Comments today reflect experiences of SSHA and not new Agency.
    • 3. Personal Health Information is Increasingly Vulnerable
    • 4. Canada: Privacy & Healthcare
      • 2007 Canada Health Infoway survey
      • Canadians reasonably confident that responsible stewardship of personal health data exists.
          • 79% considers the health information that exists about them to be at least moderately secure.
          • Trust in health professionals (e.g., doctors, nurses, pharmacists) is very high; but slightly lower for other groups (e.g., administrators, government departments).
          • Trust levels are more mixed outside the realm of immediate health care providers (e.g., computer technicians, insurance companies, researchers).
      • “ If you can protect my privacy, I am okay with [electronic health records].”
    • 5. United States: Privacy & Healthcare
      • May 2008 CDT report on privacy and healthcare cites 2006 survey
      • When Americans were asked about the benefits of and concerns about online health information:
          • 80% said they are very concerned about identity theft or fraud;
          • 77% reported being very concerned about their medical information being used for marketing purposes;
          • 56% were concerned about employers having access to their health information; and
          • 53% were concerned about insurers gaining access to this information.
    • 6. The Problem is Not External
      • Gartner Group:
          • Employees commit 70% of data breaches.
      • 2006 CSI/FBI survey:
          • 92% of insider data thieves had negative work evaluations before breach.
      • Univ. of Washington research:
          • 31% of data breaches between 1980 and 2006 were committed by external parties (e.g. “hackers”).
    • 7. What to Do?
      • In building a culture of privacy, an organization must:
          • clearly articulate privacy as an organizational priority;
          • communicate key privacy and security messages;
          • educate across the organization;
          • raise awareness of the importance of registering privacy incidents and breaches;
          • build privacy into the fabric of the organization’s activities; and
          • make privacy information and guidance readily accessible.
      • Think Training AND Awareness
    • 8. Management Communication
      • Management must have effective messaging:
          • Information protection isn’t solely a technical or policy issue; it also involves behavior.
          • The protection of personal information is a personal responsible for each staff member.
          • Information protection is an ongoing initiative, not a short-term project or goal.
          • Objective is to change organizational behavior to develop a “culture of privacy”.
    • 9. Use Marketing Approach
      • Brand “privacy awareness,”
          • Integrate all the materials into a coherent, consistent, and instantly recognizable campaign.
          • Strategy should be to continuously inform and motivate staff and managers.
      • SSHA adopted its own theme
          • “Get Caught! Doing the Right Thing.”
    • 10. SSHA Awareness Campaigns
      • Objectives:
          • Tie campaign to:
              • Updated Privacy and Security Standard of Conduct.
              • Mandatory staff training.
              • Enterprise Security and Privacy Incident Management.
          • Raise profile of Privacy and Security:
              • “Desk tour”
              • Poster campaign
              • Telephone hotline and central e-mail
              • “Jeopardy” sessions
    • 11.  
    • 12.  
    • 13. Award-Winning Program
      • GET CAUGHT! won the following International Association of Business Communicators (IABC) awards:
      • An international Gold Quill Award of Merit in the Other Graphic Design category;
      • A Canadian Silver Leaf Award of Merit in the Other Graphic Design category
      • A Toronto chapter Ovation Award of Excellence for Other Graphic Design; and
      • A Toronto chapter Ovation Award of Merit for Employee/Member Communications
    • 14.  
    • 15. Privacy Training @ SSHA
      • Online Learning Management System (LMS) with two modules for Privacy and Information Security.
      • Mandatory for new employees: to be completed within 30 days of on-boarding date.
      • Compliance monitoring done by PS from HR data.
      • Non-compliance with requirement results in system lockout.
    • 16. Privacy Training
    • 17. Privacy Training
    • 18. Privacy Training
    • 19. Conclusion
      • A “culture of privacy” is privacy-aware conduct in day-to-day business activities.
      • Developing a “culture of privacy”
          • Is a long-term exercise;
          • Intended to create environment in which personnel automatically behave appropriately with respect to privacy requirements.
      • A “culture of privacy” fosters greater confidence among stakeholders in your organization’s information-handling practices.
      • A “culture of privacy” requires committed leadership to promote active participation by all staff.
    • 20.
    • 21. Questions
      • Michael Power
      • Vice President, Privacy and Security
      • eHealth Ontario
      • [email_address]