Developing a Privacy Culture in Health Care Organizations: The Experiences of eHealth Ontario
Smart Systems for Health Agency (now part of eHealth Ontario) developed an award-winning privacy training and awareness program in 2007 to foster a culture of privacy within the organization. This slideshow, presented to benefit other healthcare organizations at GTEC 2008 (October 2008), highlights the approach, messaging and tools used in that program.


Transcript

  • 1. Developing a Privacy Culture in Health Care Organizations The Experiences of eHealth Ontario
  • 2. Notes
    • eHealth Ontario formed by regulation in September 2008
    • The transition of SSHA into eHealth Ontario has commenced.
    • Comments today reflect experiences of SSHA and not new Agency.
  • 3. Personal Health Information is Increasingly Vulnerable
  • 4. Canada: Privacy & Healthcare
    • 2007 Canada Health Infoway survey
    • Canadians reasonably confident that responsible stewardship of personal health data exists.
        • 79% consider the health information that exists about them to be at least moderately secure.
        • Trust in health professionals (e.g., doctors, nurses, pharmacists) is very high; but slightly lower for other groups (e.g., administrators, government departments).
        • Trust levels are more mixed outside the realm of immediate health care providers (e.g., computer technicians, insurance companies, researchers).
    • “If you can protect my privacy, I am okay with [electronic health records].”
  • 5. United States: Privacy & Healthcare
    • May 2008 CDT report on privacy and healthcare cites 2006 survey
    • When Americans were asked about the benefits of and concerns about online health information:
        • 80% said they are very concerned about identity theft or fraud;
        • 77% reported being very concerned about their medical information being used for marketing purposes;
        • 56% were concerned about employers having access to their health information; and
        • 53% were concerned about insurers gaining access to this information.
  • 6. The Problem is Not External
    • Gartner Group:
        • Employees commit 70% of data breaches.
    • 2006 CSI/FBI survey:
        • 92% of insider data thieves had negative work evaluations before breach.
    • Univ. of Washington research:
        • 31% of data breaches between 1980 and 2006 were committed by external parties (e.g. “hackers”).
  • 7. What to Do?
    • In building a culture of privacy, an organization must:
        • clearly articulate privacy as an organizational priority;
        • communicate key privacy and security messages;
        • educate across the organization;
        • raise awareness of the importance of registering privacy incidents and breaches;
        • build privacy into the fabric of the organization’s activities; and
        • make privacy information and guidance readily accessible.
    • Think Training AND Awareness
  • 8. Management Communication
    • Management must have effective messaging:
        • Information protection isn’t solely a technical or policy issue; it also involves behavior.
        • The protection of personal information is a personal responsibility for each staff member.
        • Information protection is an ongoing initiative, not a short-term project or goal.
        • Objective is to change organizational behavior to develop a “culture of privacy”.
  • 9. Use Marketing Approach
    • Brand “privacy awareness”
        • Integrate all the materials into a coherent, consistent, and instantly recognizable campaign.
        • Strategy should be to continuously inform and motivate staff and managers.
    • SSHA adopted its own theme
        • “Get Caught! Doing the Right Thing.”
  • 10. SSHA Awareness Campaigns
    • Objectives:
        • Tie campaign to:
            • Updated Privacy and Security Standard of Conduct.
            • Mandatory staff training.
            • Enterprise Security and Privacy Incident Management.
        • Raise profile of Privacy and Security:
            • “Desk tour”
            • Poster campaign
            • Telephone hotline and central e-mail
            • “Jeopardy” sessions
  • 11.  
  • 12.  
  • 13. Award-Winning Program
    • GET CAUGHT! won the following International Association of Business Communicators (IABC) awards:
    • An international Gold Quill Award of Merit in the Other Graphic Design category;
    • A Canadian Silver Leaf Award of Merit in the Other Graphic Design category
    • A Toronto chapter Ovation Award of Excellence for Other Graphic Design; and
    • A Toronto chapter Ovation Award of Merit for Employee/Member Communications
  • 14.  
  • 15. Privacy Training @ SSHA
    • Online Learning Management System (LMS) with two modules for Privacy and Information Security.
    • Mandatory for new employees: to be completed within 30 days of on-boarding date.
    • Compliance monitoring done by PS from HR data.
    • Non-compliance with requirement results in system lockout.
  • 16. Privacy Training
  • 17. Privacy Training
  • 18. Privacy Training
  • 19. Conclusion
    • A “culture of privacy” is privacy-aware conduct in day-to-day business activities.
    • Developing a “culture of privacy”
        • Is a long-term exercise;
        • Is intended to create an environment in which personnel automatically behave appropriately with respect to privacy requirements.
    • A “culture of privacy” fosters greater confidence among stakeholders in your organization’s information-handling practices.
    • A “culture of privacy” requires committed leadership to promote active participation by all staff.
  • 20. www.ssha.on.ca/privacy
  • 21. Questions
    • Michael Power
    • Vice President, Privacy and Security
    • eHealth Ontario
    • [email_address]