Implementation Experiences of the COACH Privacy & Security Guidelines Series – Results of the COACH National Survey

COACH has long been recognized for its Guidelines for the Protection of Health Information Series (the Guidelines) on the privacy and security of health information. With the first publication in 1988, COACH has over 25 years of experience in publishing the main edition of the series. In recent years, the main edition has been supplemented with several special editions on topics such as privacy and security for electronic medical records (EMRs), patient portals and most recently, access audits for electronic health records (EHRs).

Notwithstanding this strong legacy, COACH wanted to learn more about Canadian organizations’ experiences using the health information privacy and security best practices as recommended by the Guidelines, and how the Guidelines can be evolved to better meet health informatics (HI) and information technology (IT) users’ current and future needs even more effectively. A task force was therefore created by COACH’s Privacy and Security (P&S) Steering Committee in the late summer of 2013 to design and conduct the National Guidelines for the Protection of Health Information Survey. (See About the National Survey sidebar.)

Survey Results
There were a total of 91 respondents to the survey, reflecting a wide range of backgrounds beyond privacy and security specialists. In terms of years of experience:

  • 55% had more than 10 years of experience,
  • 17% had 6-10 years, and
  • 28% had up to 5 years of experience.

As to primary healthcare role,

  • 29% were IT staff,
  • 26% were information privacy and security professionals,
  • 15% were general management/administration,
  • 15% were HI professionals,
  • 1% were researchers, and
  • 14% had other roles.

Reference Tool & Guidance
Individual Use of Guidelines
In terms of the respondents’ individual use of the Guidelines (which allowed for choice of all those uses that applied), the large majority used the Guidelines as either a reference tool (87%) or for guidance (70%); other substantial uses included training and education, benchmarking and also to better understand legal requirements, as illustrated above.

Other Key Results

  • Half of the respondents used the Guidelines on at least a monthly basis.
  • Considering adoption in a particular setting, 62% of the respondents were aware that the Guidelines were used on an organization-wide basis; for 65% of these, this was by organization policy or preference. Just over half (52%) were furthermore aware that their organization used the Guidelines for information privacy or security training of staff.

Ongoing Use

  • As to the likelihood of ongoing use, 77% responded that they were either very likely or likely to continue to use the Guidelines, as illustrated above.
  • The rest of the survey provided a very rich amount of data, too much to examine in this article, but what follows are two particular highlights for consideration.
  • Responding to what they appreciated most, qualitatively, about the Guidelines, respondents noted that they reflect a variety of perspectives, are updated on a regular basis and offer a “canvas of national and international standards and best practices.” The Guidelines were “clear and understandable” and noteworthy for being “well written and very helpful for organizations and practitioners.” The Guidelines were also considered as “up-to-date with emerging issues and needs of organizations” and that they “usually have at least a high level guideline for most issues/questions.”
  • On the question of how COACH can improve future editions of the Guidelines, very helpful feedback was also offered including:
  • the development of “one-pagers” on key or “cameo” topic areas,
  • a stronger focus in addressing various healthcare provider settings to better reflect important differences, and
  • the potential for establishing an active feedback channel for users to communicate with COACH on the Guidelines and one another, on health information privacy and security issues of the day.

Next Steps
COACH is sincerely grateful to all the respondents to the national survey, and thanks them for taking the time to contribute their experiences, views and suggestions. COACH also thanks the volunteer members of the P&S Survey Task Force for their professional diligence and expert endeavour in contributing to this project:

Jane Dargie (Chair)

Kikelomo Akinbobola

Jeff Barnett

Michelle Macmillan

Maria Rotondi

Anubha Sant

Sarah Courtney and Grant Gillis, COACH, were also task force members.

The P&S Steering Committee will be carefully considering all survey results and the report’s recommendations, in particular with respect to enhanced adoption activities (including awareness building, networking and education opportunities) as well as opportunities to address particularly contemporary topics through the publication of cameo or brief papers that can further enhance the already highly-valued Guidelines series. Stay tuned for further details from COACH!

The complete survey report, including the respondent data, the analysis and the recommendations is available via the COACH website at

www.coachorg.com/en/practices/Privacy_Security_Guidelines_Series.asp

About the National Survey
The Privacy and Security Survey Task Force was created by COACH’s Privacy and Security Steering Committee in the late summer of 2013, and assigned four key objectives:

  • To understand how and why individuals and organizations use the Guidelines for the Protection of Health Information Series (the Guidelines);
  • To solicit organizations’ use experiences in following the privacy and security best practices as recommended in the Guidelines;
  • To identify particular areas of satisfaction, concern or priority for organizations with respect to the Guidelines; and
  • To inform COACH on the strengths of the Guidelines, as well as how the Guidelines can better ensure the privacy and security of HI in Canada.

Approach
The task force undertook a methodological approach to the design and administration of the survey, as well as its analysis and reporting, as follows:

  1. Conducting an initial review of existing, relevant surveys on privacy and security concerns in Canada, the USA and elsewhere.
  2. Identifying survey participants and their roles, and developing strategies for engagement.
  3. Utilization of appropriate survey design methodologies in developing the survey.
  4. Administration of the survey.
  5. Analysis of survey results.
  6. Publication of the survey results.

The review of existing surveys on privacy and security of health information identified a primary focus on attitudes of patients regarding privacy concerns, as opposed to experiences in using or following various privacy and security guidelines and best practices. 1,2 The most noteworthy survey, the HIMSS Annual Security Survey, reported the opinions of health informatics (HI) and information technology (IT) professionals from healthcare provider organizations regarding the tools and policies to secure electronic health information.3

With this research in hand, and careful development of the survey tool by the task force, the survey was launched, running from Feb. 5 to 28, 2014. The target audience included HI and IT privacy and security professionals at the local, regional and jurisdictional levels; COACH’s jurisdictional partners that hold licenses to the Guidelines were also included in the survey population. The survey was furthermore geared both to people who use the Guidelines as well as those who currently do not.

Using the iSurvey© online tool, the survey was organized into three components: a demographics section and respective sections for users as well as non-users of the Guidelines as mentioned above. The survey was composed of 37 questions and offered a mixture of response formats (e.g., “Select the best answer” and “Choose all that apply”) as well as free text response opportunities.

Footnotes

1 Canada Health Infoway & IPSOS Reid. (2012). What Canadians Think: Electronic Health Information and Privacy Survey 2012.

2 Fairwarning. (2011). Canada: How Privacy Considerations Drive Patient Decisions and Impact Patient Care Outcomes.

3 HIMSS. (2012). The 5th Annual HIMSS Security Survey.

share this article...
Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedIn