I speak with resorts who use paper based reporting of incidents, and always check a couple of things with them. First that the reports are locked away in a safe place, to protect from unauthorised access, or from theft. Secondly that the reports are in a fireproof safe, or room, to protect against destruction from fires.
Overwhelmingly I get the answer that neither is the case. This is of course, not ideal and it means that resort health information data security is not treated as a priority. If these reports are lost and the incident goes to insurance claim or litigation, then the resort will not have the evidence required to back up or disprove any allegations. I did meet with one resort recently who started scanning all of their paperwork to ensure they had a digital copy of these valuable reports. This is a good move because the penalties for a breach or loss of data can be $50,000+ as is the case for the first prosecution under HIPAA in the US. They started this practice because they had a fire and lost a significant amount of paperwork.
Ski resorts are organisation’s that deal in personal, identifiable, health related data and as such they are responsible for it’s safety. Each country has legislation around the privacy of a person’s information, and those responsibilities are more stringent now given the progress of the digital age. In the US for example electronically stored medical data falls under the Health Insurance Information and Portability Act (HIPAA) legislation, and in New South Wales, Australia Health Records and Information Privacy NSW Act (HRIP) 2002.
Safeguards for keeping personal health data safe are broken down into 3 categories Administrative, Physical and Technical. Each deals with a different aspect of the data life cycle, paper or digital. Here are some precautions you should consider with your accident records:
- Adopt policies and procedure to protect the data, that meet local legislation
- Train staff in the importance of the data, and in it’s safe keeping
- Only grant access to the data to those who need it
- Have a plan if a security breach occurs
- Back up your data e.g. scan your paperwork, duplicate the electronic data offsite
- Fire safe and secure storage for paperwork, and electronic equipment
- Limit access to secure areas, don’t store information in public areas
- Position computer terminals and forms in locations that cannot be seen by the public
- Contractors and agents to be briefed and escorted if necessary
- Sign in and out hardware from the network, or paper work from the storage
- Networks should have active digital intrusion systems
- Anti virus and malware scanning on workstations
- Passwords should be changed on a periodical basis
- Encryption of data in transport between networks
- Validation of data & authorisation of clients accessing the data
How many of these ideas do you have in place to protect your casualties information? Had you considered that paper based reports are just as vulnerable as electronic information to being compromised?