Confidentiality Flashcards

1
Q

Define privacy

A

The control that people have over information about themselves

2
Q

Define confidentiality

A

The obligation that you may have to not disclose someone’s private information

3
Q

What is the difference between privacy and confidentiality

A

Privacy is a right you have
Confidentiality is a duty you owe

4
Q

Give some examples of things which are confidential
(2)

A

Any records containing personally identifiable information such as name, address, date of birth, PPS number, or medical records are deemed confidential

Other records may also be confidential if they contain information about HSE business or finances

5
Q

Give some examples of confidential documents
(4)

A

Financial records
Payroll records
Personnel files
Legal documents

6
Q

What is patient centred care

A

The patient is the most important person in the hospital

7
Q

How do you interpret patient centred care?
(2)

A

Treat the patient how you would want your relation to be treated

The sample is not just another specimen to process, it represents the patient and informs their treatment or diagnosis. We are not patient facing, but this does not dilute our responsibility

8
Q

How do medical scientists remain anonymous to patients

A

Medical scientists report to the requesting clinician and the clinician informs the patient

9
Q

What are the five ways confidentiality is governed?

A

Legislation
Guidelines
Accreditation
National and local policies
Professionalism and Ethics

10
Q

What international legislation governs confidentiality?

A

National legislation may be independent of, or may adopt, international legislation, e.g. the General Data Protection Regulation (GDPR)

The EU directive set up to deal with social media companies using personal information, storing it and possibly passing it on to a third party

Consequences spread to the health care sector, especially when doing follow-up studies or research: data retention, and using patient information for a different purpose than originally planned

EU Blood Directive 2002/98/EC became S.I. No.360 of 2005

11
Q

What are the seven key principles of GDPR

A

Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability - appoint a data protection officer (DPO)

12
Q

Define a data processor

A

A person, company, or other body which processes personal data on behalf of a data controller

13
Q

Define a data controller

A

A person, company, or other body which decides the purposes and methods of processing personal data

14
Q

Define a data protection officer (DPO)

A

GDPR requires data controllers and data processors to appoint a DPO in certain circumstances

15
Q

What is DPC

A

Data Protection Commission

16
Q

What national legislation is there for data protection?
(7)

A

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Health and Social Care Professionals Act 2005

The Health Act 2007

Freedom of Information Act 2014

Data Protection Act 2018 - GDPR

Patient Safety (Notifiable Patient Safety Incidents) Bill 2019 - currently before the Dáil

17
Q

How is legislation applied by the HSE?
(4)

A

Service users must be assured that their feedback and their personal details will be treated in confidence to the greatest extent possible consistent with the public interest and the right to privacy

The Data Protection Acts place an obligation on the HSE and staff to safeguard the right of individuals in relation to the processing of their personal data

Under the Data Protection Acts, personal information should only be used or disclosed for the purpose for which it was collected or another directly related purpose

Feedback information required for reporting and statistical purposes will be anonymised and all identifiable data will be removed

18
Q

Write a note on the Freedom of Information Act 2014
(3)

A

Confers on all persons the right of access to information held by public bodies, to the greatest extent possible, consistent with the public interest and the right to privacy

The right of the Service User to access any information held by the HSE in relation to the management of their feedback

Staff must ensure that consent to access patient confidential information is obtained where required

19
Q

What is the point of guidelines in labs

A

They can inform a laboratory how to put structures in place that meet best practice in relation to confidentiality

20
Q

How are guidelines put in place in a lab

A

An expert group is formed; it takes submissions from informed sources and, based on the evidence supplied, issues guidelines

21
Q

What are guidelines in terms of the lab
(2)

A

Guidelines are best practice, standards are minimum requirements to be met to achieve accreditation.

They may not be required by law

22
Q

How can a lab put guidelines to use

A

They can follow guidelines by putting in place appropriate Standard Operating Procedures (SOPs), but not actually be accredited

23
Q

What are the guidelines surrounding information management

A

Effective information management must ensure that information is available when and where it is needed; that confidentiality is ensured to prevent access by unauthorised individuals or systems; that the integrity of the information (accuracy and consistency) is maintained; and that the durability of information storage for the required time periods is ensured

24
Q

What is HIQA
(2)

A

The Health Information and Quality Authority

Established to drive continuous improvement in Ireland’s health and personal social care services, monitor the safety and quality of these services and promote person centred care for the benefit of the public

25
Q

What does HIQA have statutory responsibility for:
(5)

A

Setting Standards for Health and Social Services

Social Services Inspectorate

Monitoring Healthcare Quality and Safety

Health Technology Assessment

Health Information

26
Q

What does HIQA publish
(4)

A

Publishes information management standards for national health and social care data collections

This aims to improve the quality of national health information and data, contributing to the delivery of safe and reliable healthcare

Guidance on Information Governance for Health and Social Care Service in Ireland

This guidance is aimed at supporting the successful implementation of the National Standards for Safer Better Healthcare (the National Standards) published by HIQA

27
Q

Write a note on HIQA and enforcement
(5)

A

HIQA has no power to regulate acute general hospital services

No enforcement powers

Can monitor hospitals based on national standards

Investigation can be requested by the minister

Reports and recommendation are made public

28
Q

Write a note on accreditation
(4)

A

Irish National Accreditation Board (INAB), Clinical Pathology Accreditation (CPA) now UKAS.

There is an increasing amount of patient information which the medical scientist is privy to or being asked to process.

Accrediting bodies may require information on medical scientists, such as, qualifications, employment history and performance reviews.

There may be a requirement to report results to an external body, for example for surveillance. Blood transfusion reports to the National Haemovigilance Office and Microbiology uses the CIDR system

29
Q

Write a note on national and local policies
(3)

A

These can be generic or specific to an organisation. You may be asked to sign a separate confidentiality agreement or your contract usually has a confidentiality clause

Local policies exist in addition to national laws/acts

Most laboratories, even if not accredited, would have a pathology user manual and a quality manual. These documents should contain details on the laboratory’s commitment to patient confidentiality

30
Q

Write a note on HSE Data Protection policy

A

The Health Service Executive (HSE) must comply with all applicable data protection, privacy and security laws and regulations in the locations in which we operate.

Through maintaining a high standard of data protection the HSE wants to foster a culture that is honest, compassionate, transparent and accountable.

The Data Protection Policy sets out the requirements of the HSE relating to the protection of personal data where we act as a Data Controller and / or Data Processor, and the measures we will take to protect the rights of data subjects, in line with EU and Irish legislation

31
Q

Write a note on laboratory policy
(3)

A

“The laboratory is fully compliant with the national standards on protection of personal information”

All staff working in the HSE are legally required under the Data Protection Acts 1988 and 2003 to ensure the security and confidentiality of all personal data they collect and process on behalf of service users and employees

Data Protection rights apply whether the personal data is held in electronic format or in a manual or paper based form

32
Q

Write a note on laboratory policy
(2)

A

Procedures should be in place to detail the requirements for security, access, confidentiality and data protection, backup systems, storage, archive and retrieval and safe disposal of laboratory equipment and the pathology computerised systems.

This procedure applies to any system that captures, stores, controls, manages or reports data subject to review

33
Q

Write a note on laboratory based controls
(8)

A

Training, CORU registration

IT: end-to-end encryption, security

Information storage must be safe and retrievable.

Password protection

Facilities access, swipe card protected.

Reporting structures: reports only sent to the requesting clinician.

Quality management system (QMS) and document control: not only are the correct versions of forms in use, but they are also stored securely

Back-ups and recovery

34
Q

List some laboratory controversies

A

IT Crash May 2021

35
Q

Write a note on the IT crash MAY 2021

A
  • Friday 14/05/21 a cyber attack on the HSE IT system.
  • Sophisticated “Conti” ransomware.
  • $20 million demand.
  • 700 Gigabytes of data stolen.
  • 85,000 computers across HSE shut down.
  • 2,000 systems.
  • Laboratory services running at 10%.
  • 4,000 day cases and 12,000 outpatient appointments affected.

36
Q

Write a note on the enforcement of confidentiality

A

* The HSE reserves the right to take such action as it deems appropriate against individuals who breach the conditions of this policy.
* HSE staff who breach this policy may be subject to disciplinary action as provided for in the HSE disciplinary procedure.
* If a breach occurs due to reckless behaviour, or a breach occurs and is knowingly not reported, the person responsible may be held accountable.
* ISO 15189 is inspected by INAB. INAB are employed by the Health Products Regulatory Authority (HPRA), formerly the Irish Medicines Board. If not compliant, a blood bank can be closed down.
* Local confidentiality agreement

37
Q

Write a note on the Medical Scientists Registration Board Code of Professional Conduct and Ethics

A

* The code specifies the standards of ethics, conduct and performance expected of registered medical scientists.
* The purpose of CORU is to protect the public by promoting high standards of professional conduct, professional education, training and competence among registrants.
* Each year registrants will be asked to pledge that they comply with the code.
* “Professional misconduct” as defined by the Health and Social Care Professionals Act 2005 as amended means any act, omission or pattern of conduct of the registrant that is a breach of the code of professional conduct and ethics adopted by the registration board of that profession.
* In one's conduct a Medical Scientist must “respect the confidentiality and privacy of service users”

38
Q

What should a medical scientist do to adhere to ethics regulations?
(5)

A

Do not use patient information in “WhatsApp” group chats

Don't casually discuss a patient with a colleague in a corridor

Be careful taking “on Call” phone calls in public

You must anonymise any sensitive information to be released to the public; to prevent panic, education may be required during a public announcement

Maintain the professional standards when on Social Media. If in doubt do not post it.

39
Q

Write a note on fitness to practice

A
  • CORU is now able to process complaints against registered health and social care professionals in respect of events that occurred on or after the 31 December 2014.
  • Fitness to Practise is concerned with those issues that affect a person’s ability to practise in their profession, not just in their current role.
  • This includes professional misconduct and poor professional performance. It does not replace the existing complaints processes to employers.
  • The Code of Professional Conduct and Ethics, for each profession, sets out the standards of conduct, performance and ethics, which apply to all registered health and social care professionals. It is against these standards that an individual will be measured in any Fitness to Practise complaint.

40
Q

What are the two stages to fitness to practice

A

Preliminary Stage
Hearing Stage

41
Q

What is the preliminary stage

A

Complaint received in writing

Reviewed by the Preliminary Proceedings committee

Mediation

42
Q

What is the hearing stage

A

Committee of inquiry for a hearing

The professional conduct committee or the health committee

Public

43
Q

List some possible sanctions
(5)

A

Admonishment or censure

Attachment of conditions to the registrant’s registration, including restriction on the practice of the designated profession by the registrant

Suspension of the registrant’s registration for a specified period

Cancellation of the registrant’s registration

Prohibition from applying for a specified period for the restoration of the registrant’s registration

44
Q

Under what act can a registrant be suspended from the register immediately

A

Under section 60 of the Health and Social Care Professionals Act 2005

45
Q

List some policies used to combat error
(5)

A

HSE Electronic Communications Policy: reports are not faxed unless a delay in communicating the results would cause harm to the patient or result in treatment delay

End-to-end security

Local policies reinforce good practice: always document the phone call, including the name and job title of the recipient. HCAs have been given clinical information

IT security. Different access levels, e.g. lab aides can book in but not alter results. Password-protected access with automatic log-out after 30 seconds. Individual log-ins, not generic

Audit trails are in place to show where results came from, who authorised them and who viewed the information. Do not look up your friends' results

46
Q

What happens when there’s a data breach
(6)

A

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data

If you suspect a breach has occurred inform your line manager and the data protection officer

Follow procedure

Documented investigation

The HSE has a network of regional DPOs

The controller must notify the DPC within 72 hours

47
Q

What data breach occurred in 2003
(5)

A

69 health service laptops, USB sticks, and smartphones were stolen or lost

61 were stolen

51 contained unspecified “sensitive” information

20 had no encryption codes whatsoever

Highly sensitive files were also found on top of a car park ticket machine

48
Q

What data breach occurred in 2019?
(4)

A

There were 363 data-protection breaches recorded by the HSE

Patients’ records were found in recycling bins, public streets and car parks

There were several instances of patients’ information being sent to the wrong people

Patients’ records were found in public car parks and patient listings were found on a street in Cork

49
Q

What happened when an IBTS laptop was stolen?
(6)

A

The IBTS was upgrading software and engaged the services of the New York Blood Centre, under a data protection and transfer agreement

The records were on a CD that was encrypted with a 256-bit encryption key. These records were transferred to a laptop and re-encrypted with a bit encryption key

This represents one of the highest levels of security available and to our knowledge there is no record of a successful attack against this level of encryption

However, the IBTS member was mugged outside his home and the laptop was stolen

The IBTS notified the Data Protection Commissioner

The IBTS wrote to each donor affected by this incident to reassure them and to advise them of the possibility, however remote, that their personal data might be accessed