Many health plans, hospitals, and even physician offices are putting patient data on the web to help connect to consumers. Many of us are also using service providers (SaaS, ASP, etc) to manage our data. All of these things are great and many of us have thought about the security implications: don’t put things on laptops, keep data from traveling onto USB drives, etc. Lots of thought goes into security these (though probably not as much as is really required).
But, what about privacy implications? Who owns the data that we capture from our end users? Sure, HIPAA lays out some privacy guidelines but what about sharing rules and data ownership guidelines? Have you looked at your contracts recently to see what rights vendors/consultants who have access to your data have with respect to that data? When all the systems are in your own environment you have a bit more control but in the case of ASPs and SaaS providers you’ll want to be sure you have roles, rights, and responsibilities fully worked out so you don’t get caught with a privacy violation due to an error in omission. I think giving your partners and vendors shared data rights and reuse rights makes sense for many reasons but how do you articulate those rights?
The presumption of privacy and security by visitors to our sites is fundamentally tied to the confidence they hold in us. If our policies and procedures aren’t clearly identified internally we can never really tell our visitors what they should expect.
One of the biggest issues in data sharing is the agreement on data ownership and privacy guidelines. If you’ve done some work in this area and would like to share your thoughts, drop me an email, leave a comment here, or better yet give us the opportunity to learn from you by posting a guest article.