Note taking privacy and security
Privacy regulations
Clinical notes contain sensitive information that a patient would not expect to be available to anyone not authorised to see it.
As a result many countries regulate the collection and use of this information, either under general privacy regulations or, in some cases, under requirements specific to health information. The USA has the Health Insurance Portability and Accountability Act (HIPAA), Europe has the General Data Protection Regulation (GDPR) and Australia has the Australian Privacy Principles (APPs).
Whether you record your notes electronically or on paper you will need to understand and comply with these requirements.
Note taking privacy
In general, when you think about privacy for clinical notes, what you are actually considering is how to secure the notes so that only authorised people have access to them. It is the actions you take to secure your note taking which will keep a patient’s sensitive information private.
This leads to the general recommendations below which focus on the security and availability of your notes.
Please note that the recommendations specifically cover the privacy and security aspects of clinical note taking, and the list is not exhaustive. There will also be actions unrelated to note taking that you must take to comply with the regulations, so don't skip the first recommendation: review your relevant privacy regulations.
Take action with online notes
We recommend the following to improve the security of your online or electronic notes:
Review relevant privacy regulations
General advice for online storage
Secure your accounts
Secure your devices
Review privacy regulations
The privacy regulations in your country will apply to you, don’t ignore them. You must take appropriate actions to ensure patient privacy is protected and reviewing the regulations is the first step.
In terms of privacy regulations there are likely many more actions, beyond those relating to clinical notes, that you will need to take to comply with the rules. Actions like having a privacy policy in place, training your staff on privacy, and documenting what information you store and why are generally required to meet the regulations.
The additional actions outlined below will focus on strengthening the security of your clinical notes. For other privacy matters we recommend understanding the privacy rules for your country and industry.
To assist you with this here are some links to relevant privacy regulations
General advice for online storage of notes
When you are making a decision to store any data online it is important that you trust the organisation you are dealing with. This is even more important when you are storing potentially sensitive clinical information about your patients. There may be industry regulations that you must follow when dealing with information of a medical nature and there will certainly be privacy legislation which may impact some of your choices.
We can’t provide specific advice on how to meet all these industry and privacy requirements but there are some features of online storage which will provide stronger protection if you confirm and utilise them. So, please do some homework before you decide to store patient clinical data online.
In particular you should prioritise or require the following if possible:
Have data stored in your country, or a nearby country with a similar approach to privacy
Ensure the physical location where data is stored is secured, with access controlled to international standards
Have your data encrypted, both when transmitted and at rest, so that anyone who intercepts traffic or obtains the stored files cannot read them without the keys
Have backup and redundancy options in place to minimise the likelihood of the service losing your data
Check if there is any sharing of data with third parties, in what circumstances and whether there are any limitations
Check what controls are in place to limit access to data to those authorised, including how the provider's own staff are prevented from reading it
These simple checks will go a long way to ensuring that the clinical notes you store online will be private and secure to meet many of the standard regulations and laws.
Secure your accounts
You should secure all online accounts where you are storing patient information.
Each individual should have their own account to access the service. There should be no shared accounts. Shared accounts mean shared passwords, which are less secure: the password cannot be changed for one person when they leave without disrupting everyone else, and online audit logs become much less useful because you will not know which individual took which action.
Require strong passwords for all accounts, and make sure staff know what that means. We recommend a passphrase of several unrelated words chosen at random (eg snoopy-train-melbourne-grass) rather than a short string of special characters (eg $dhyFHJ&jgyuDH79). Current guidance such as NIST SP 800-63B favours length over complexity rules: a randomly chosen passphrase of five or six words is strong enough in practice, and it is far more likely to be remembered than a random string that ends up on a sticky note or reused across services. The words must genuinely be picked at random, not a quote, pet names or anything else connected to you.
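To make the passphrase comparison concrete, here is a small added example (not from the original article) that generates a passphrase with a cryptographically secure random source and computes the strength of the article's two example styles. The word list is a constructed sample for the demonstration; the strength figures assume a real published list of 7,776 words such as the EFF long list, which is the list size the calculation uses.

```python
import math
import secrets

# Constructed sample word list for the demonstration only. A real deployment
# would load a large published list such as the EFF long list (7,776 words);
# the strength figures below assume that list size, not this small sample.
SAMPLE_WORDS = [
    "snoopy", "train", "melbourne", "grass", "harbour", "pencil", "otter",
    "velvet", "cactus", "lantern", "window", "saddle", "marble", "copper",
    "thistle", "meadow",
]

EFF_LONG_LIST_SIZE = 7776   # 6^5 entries, one per roll of five dice
PRINTABLE_ASCII = 94        # printable US-keyboard symbols, excluding space


def entropy_bits(symbols: int, pool_size: int) -> float:
    """Bits of entropy for `symbols` choices made uniformly at random from a
    pool of `pool_size` possibilities. Only holds when every choice really is
    random; a quote, song lyric or family names give far less."""
    return symbols * math.log2(pool_size)


def generate_passphrase(words, count: int = 5, sep: str = "-") -> str:
    """Build a passphrase from `count` words chosen with the `secrets` CSPRNG.
    Never use the `random` module for this: its output is predictable."""
    if count < 4:
        raise ValueError("use at least four words")
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_strengths() -> dict:
    """Entropy of the article's two examples plus a longer passphrase."""
    return {
        "4 words from 7776": round(entropy_bits(4, EFF_LONG_LIST_SIZE), 1),
        "6 words from 7776": round(entropy_bits(6, EFF_LONG_LIST_SIZE), 1),
        "16 random ASCII":   round(entropy_bits(16, PRINTABLE_ASCII), 1),
    }


if __name__ == "__main__":
    for label, bits in compare_strengths().items():
        print(f"{label:20s} {bits:6.1f} bits")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```

The numbers show the honest trade-off: four random words (about 52 bits) are weaker than sixteen random characters (about 105 bits), but six words (about 78 bits) are already beyond what an online service's rate limiting will ever let an attacker guess, and a passphrase that staff can actually remember will not end up written down or reused.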
If remembering passwords is an issue for your staff then consider using a password manager like 1Password or similar. They have many features to record and use your passwords securely so you can have different secure passwords for each service. Many of these services also have team features so you can share passwords securely between your team while keeping control over the use of the password itself.
If a service offers two-factor authentication (2FA), turn it on. An authenticator app, or a password manager such as 1Password that can generate the one-time codes, keeps administration of your 2FA accounts simple. Prefer app-generated codes to SMS codes where the service offers both, as SMS can be redirected by a SIM swap, and keep the backup or recovery codes the service gives you somewhere secure, because losing the device that generates the codes otherwise locks you out too.
Secure your devices
The devices you use to access and record your clinical notes will also have features to improve the security of your information. We will focus on Apple devices here, as that’s what we know, but most other devices (Android and Windows) will have similar features.
Phones/Tablets
Be sure to review the following settings:
Set an auto-lock time on your device so that even if you forget to lock it your data will be safe after a short time
Set a minimum 6 digit passcode, and if you are more concerned about security change the passcode into an alpha-numeric code
Set the passcode to be required immediately after the device is locked
Set up biometric authentication like Touch ID or Face ID
Consider turning off your voice assistant and other features while the device is locked
Work through the privacy settings and ensure that individual apps are only allowed to access the features of your device that make sense for those apps
Make sure iCloud Backups are turned on so a backup is taken every day, provided the device is connected to power, locked and on Wi-Fi
Note that if you are sharing a tablet between practitioners to take notes, we recommend a Touch ID based model (like the iPad Air) rather than a Face ID model (like the iPad Pro), as you can register multiple fingerprints but you cannot register multiple faces. A shared tablet is still one device, so the audit trail comes from each practitioner signing in to the notes service with their own account, not from the fingerprint used to unlock it.
With all these options in place your device, and the notes on it, will be far harder for a thief or a curious bystander to get into. You will also be able to get back up and running quickly if a device is lost, stolen or fails: restore the backup to a new device and carry on. If a device is lost, use Find My to mark it as lost or erase it remotely as well.
Computers
PCs have many of the same security features as phones: set auto-lock, use a strong password and require it immediately, and set up biometric authentication such as Touch ID where the hardware supports it. On a Mac it is worth working through the “Security & Privacy” section of the System Preferences (called “Privacy & Security” in System Settings on recent versions of macOS).
One setting which is automatically enabled on an iPhone (once a passcode is set) but not on a Mac is full disk encryption. With encryption turned on, someone who steals the computer cannot read the information on its drive without your login password or the recovery key. On the Mac look for the FileVault setting; we recommend turning it on for all Macs. FileVault works seamlessly in the background and you won’t even know it is there. Back up your machine before you turn on this setting, and store the recovery key it gives you somewhere safe that is not on the Mac itself: if the login password is forgotten and the recovery key is lost, the notes on that disk are unrecoverable.
If you are using a Windows computer, viruses and malware are a larger concern. Windows includes Microsoft Defender; keep it, or a reputable alternative, enabled and up to date, and turn on BitLocker, the Windows equivalent of FileVault, if your edition of Windows supports it. We generally don’t recommend a separate anti-virus program for the Mac, as Apple’s built-in defences (Gatekeeper, XProtect and app notarisation) provide a secure environment as long as macOS and your apps are kept up to date, although you will need to do your own research and decide whether you need one or not.
Take action with physical notes
Notes should only be seen by authorised staff
Notes should be securely stored
Note locations should be limited
Limit access to authorised staff
Most privacy regulations have the concept of minimising access to personal information to the minimum number of people possible.
You should review all the potential touch points as notes travel around your practice and confirm who has access to them.
At a minimum the following should be considered:
Should all employees in your practice have access to notes? It is likely that your internal processes will require most staff members to have some level of access to notes to help out with patient and practice requirements, but it’s worth confirming whether there are any exceptions.
How do staff members access notes? Consider maintaining a log of who accesses the notes whenever the access is not directly by a practitioner recording a note for a consultation.
Is there any chance that a patient may have access, however brief, to a note? If notes are left in consultation rooms before practitioners arrive, or around the reception area, there is a chance that a patient may see private details relating to another patient which is a significant breach of privacy.
Are practitioners allowed to remove notes from the practice for any reason? Again they should be logged, but if they can be removed then there is a chance that, outside of the more secure practice environment, an unauthorised person may view the notes.
We recommend limiting access to the practitioners and support staff who need it to deliver your services and optimise patient care. This extends to never leaving notes in a place where another patient may have access to them.
Ideally notes should be collected from and returned to the reception desk by a practitioner at the start and end of every consultation. Notes for the day should be stored in the reception area, well away from any areas with patient access.
Secure storage
The security of any location where notes are stored should be assessed to ensure that only authorised staff are able to access notes.
When stored in your practice notes should be under lock and key at all times. A staff member should be present wherever notes are not in secure storage, either in the practice rooms or at the reception desk.
If you have decided to place some of your notes into long term storage then you must review and understand what security is in place. If in commercial storage then there is likely to be site access control, video camera systems and access control into the storage unit. You could also place notes into lockable filing cabinets inside a unit for additional security. If long term storage is at a personal address (like your house) then you should consider the security and privacy requirements of storing notes when setting up any home security approach.
Limited Locations
We highly recommend allowing notes to be held only in your practice rooms or in your long term storage. This will significantly reduce the possibility of privacy or security breaches, and reduce the chance of lost or misplaced notes.
In particular, notes should not be allowed to be taken out of the practice by a practitioner to complete after hours unless the note already has a full digital copy.
If you know that notes may only be stored in one or two places then any missing note will be much easier to find and it will be much less likely that a non-authorised person will have access to the notes.
Take your time
There are a number of recommendations here, and this is only one of the five tenets of effective clinical note taking that we are covering. Take your time as you add these and other changes to your practice. You may find that just securing the devices you use to record notes will improve the security of your patient information substantially.
Want to learn more
This article is part of the series “Effective clinical note taking for Allied Health practitioners”. Please see the other emails in the series for further details and recommendations. If you were sent this link directly and want to subscribe to the whole series, please sign up.