Arguably, privacy has become one of the biggest issues facing our society today, particularly as our reliance on technology grows. Nowhere is this more evident than in the healthcare space, where patient privacy is becoming an increasing concern. Take the response to My Health Record. As at September last year, close to one million Australians chose to opt out of the centralised government system. Many for concerns over privacy.

In light of this increasing concern, it is becoming more important than ever that medical organisations view privacy compliance differently — not just as a box to check, but rather as something that affects every Australian in a very personal way.  This means adopting a human-centred privacy approach, which should be at the foundation of every medical organisation.

A human-centred approach to privacy recognises that communication between patients and clinics should be transparent and accessible.

 

It also means that patients need to have a solid understanding of how and why their medical information may be shared.

From a medical provider standpoint, it has become increasingly important for clinics to seriously evaluate their privacy standards to determine whether they are poised to deal with emerging privacy issues. As we’ve learned time and time again from seeing how the public reacts to reports of privacy breaches, a failure to do so can erode trust, oftentimes permanently.

Hive Legal and HotDoc partner to improve patient privacy

 

Because HotDoc is committed to preserving patient privacy, last year we decided to evaluate our own privacy policies and processes to determine whether we were doing absolutely everything we could to provide a human-centred approach to privacy compliance that is transparent, patient-friendly and easy to understand.

In doing this, we asked ourselves questions like: Are there areas we can do better in this regard? And, how can we better communicate with patients and medical centres that rely on our services, to ensure that we are all on the same page regarding patient privacy?

To answer these questions, we teamed up with Hive Legal, who could review our privacy policies and processes and provide us with any recommendations for the future. We chose Hive Legal because their values are very much aligned with those of HotDoc. Like our organisation, they similarly focus on a human-centred, purpose-driven approach to design solutions.

Dr Ben Hurst, HotDoc’s CEO, shared, “I knew that [Hive Legal] had worked with various other technology companies in the healthcare space. Having that domain knowledge was important. Patient privacy is more complex and sensitive than consumer privacy, so we wanted to work with a provider who understood this landscape. We also appreciated their deep knowledge of patient privacy and data sovereignty”.

Both Hive Legal and HotDoc also share the ultimate goal of avoiding unnecessary legal jargon and creating legal documents (including privacy policies) that are clear, straightforward and transparent for end users.

“Hive Legal were excellent at helping us take the complex concepts of patient privacy and data sovereignty and boil these down to language that our customers and patient users could easily understand”, Dr Ben Hurst explains.

We didn’t want to put together an impossibly long Terms and Conditions document with incomprehensible legal jargon. We wanted to, as best we could, help our customers and users understand what they were agreeing to

 

Hive Legal also share our belief that empathy with our end users is critical for any legal solution and should be an important consideration when undertaking any privacy initiative.

For these reasons, we retained Hive Legal to review our Privacy Policy, Terms and Conditions, and customer contracts with a new eye. As Melissa Lyon, Associate Principal of Hive Legal, explains, “We used our design thinking approach (HiveThinkP) to look at who was actually involved in the process and their needs. We needed to understand it really well, so we could look at how it was going to work with that overlay of empathy.

“What resulted was a much more human-centred way of dealing with the process than it would have been, had we just assumed that the best way to do it was to start with how it had always been done. It is a very fresh and different way of looking at privacy.

“I think traditional law firms would see this as a compliance checkbox exercise for their client, but we love to go beyond that. That’s really how we tailor our legal services to look beyond compliance only — putting the needs of users at the centre of our legal services.

“We like to work with clients like HotDoc who have a similar approach, where they’re not just looking for a short, sharp and often retrospective answer… they want to build compliance into the way they work in a way that works for their customers”.

As it turned out, Hive Legal’s approach meshed perfectly with our own mission, which is to enable the best possible patient experience and improve health outcomes for every patient. Because communicating with patients in a straightforward and transparent way, without the fear and confusion, is a big part of ensuring patients receive the best possible experience.

How Hive Legal and HotDoc collaborated

 

Our partnership began with a design thinking workshop, so Hive Legal could better understand where we were starting from. “During the workshop, we looked at all of HotDoc’s key internal and external stakeholders, and focused on what matters to them from a privacy perspective”, Ella Cannon, Senior Associate at Hive Legal, explains.

“We then worked through how HotDoc collects, uses and handles data. Once we had a deeper understanding of this, we were able to look at HotDoc’s approach to privacy compliance in a more holistic way, rather than just with the aim of ticking a box and saying, ‘Yes, we’ve got a compliant privacy policy,’ or ‘Yes, we have processes in place to cover each requirement.’

“Our goal, from the outset, was to actually take a much broader approach, and to then use the information we obtained about HotDoc’s customers and other stakeholders to build more user-centred solutions”, Ella Cannon explains.

Of course the goal of this information gathering was to put HotDoc’s customers and their patients at the heart of this work.

While the workshop was a good start, we knew that it was just the beginning. For Hive Legal to get the most comprehensive understanding of our business process, the law firm really needed to delve deep into the issues at hand.

Ella Cannon explains,

HotDoc engaged us to work onsite, one day a week for a few months, so that we could really understand the products and services it provides and the way that it’s business operates.  

 

“This deeper insight helped us to ensure that privacy considerations and implications were really being worked through proactively across many stages of product development, implementation and operations.

“For HotDoc to have a privacy specialist onsite, working like the rest of the team and actively invested in making sure privacy considerations were on track, this provided a unique opportunity to engage in a really practical privacy compliance review”.

How privacy is now handled differently at HotDoc

 

As a result of our two teams’ collaboration, we’ve since made a number of changes to the way we handle privacy at HotDoc. For example, we have revised our Privacy Policy and Terms of Service to try and make these legal documents more accessible and clear. This includes adding call out sections in our Terms of Use that make it super simple for clinics and patients to understand what the different sections mean, particularly in relation to the relevant privacy provisions.


Above: An excerpt from our Terms of Service showing call out sections (in green) which have been added to make it easier for clinics and patients to decipher the key points


Senior Associate, Ella Cannon explains,

We have also worked with HotDoc to initiate an educational and awareness strategy through which HotDoc can share its privacy compliance learnings with its customers. This is geared at encouraging transparency and collaboration.

 

“We created materials, which aim to help GPs to understand their own privacy compliance obligations, and to know what they should be doing in terms of obtaining their patients’ consent before they share data with service providers such as HotDoc. So, we drafted sample clauses that HotDoc clinics could put in their new patient registration forms or privacy policies and content for posters that could go up in their reception area.

“Really, the aim here was to encourage GPs and clinics to be talking to their patients about the data flows between the clinics and HotDoc. To ensure HotDoc was well-placed to deal with any patient requests or enquiries that it received directly, we also prepared a number of internal guides for HotDoc’s team and rolled out privacy training across the entire organisation.

“We really focused on empowering HotDoc’s team to communicate clearly and fairly with patients, and to identify how it can respond to privacy related requests and concerns. If a patient has a concern, it was really important to HotDoc’s leadership team that the team would be trained to take that concern seriously.

“Those methods and solutions are just some examples of what was really quite a big project and one which looked at many aspects of HotDoc’s business and relationships.”

What clinics can do to improve patient privacy

 

At HotDoc, we understand that our privacy project is just the beginning. Patient privacy is an ongoing concern and it is a topic that should be looked at continuously, as an organisation changes and grows. It is also an issue that doesn’t just stop and start with HotDoc.

We understand that the medical providers we work with are similarly concerned about privacy and want to know what they can do on their end to better manage patients’ personal medical data. To that end, we turned to Ella Cannon at Hive Legal and asked for her tips for clinics.

She said, “The first tip I would give is to take privacy seriously. It sounds simple, but to do that, clinics and other participants in the health industry should really be thinking about privacy considerations every time they work through a new initiative, make a change to the way their business operates, or engage with a new service provider or use new software.

“One way to build this into the way a business operates is to implement a protocol for what we call Privacy Impact Assessments. A Privacy Impact Assessment can be doing using a simple template form, which prompts you to think about privacy implications and protections before any new initiative or change to business operations is implemented.

This is very much a privacy-by-design approach, which can result in privacy compliance being designed into projects and new activities right from the start, rather than tacking it on later and trying to reverse-engineer what might have already become a compliance issue or concern.

 

“This sort of protocol is a reasonably easy one to implement, but might not be particularly common within small businesses.

“The second tip comes from the need to build trust and be transparent in the privacy space. Health service providers should aim to be really clear with their patients about how their health information will be handled. In my view, this is critical, so that GPs can build and keep their patients’ trust, which will ultimately improve the clinical relationship.

“One good way for doing this can be through your privacy policy — making sure you have an accurate and clear policy that’s easy to read. It should be up-to-date and tailored for your business so that it accurately addresses how you will collect, use or disclose personal or health data. Where you can, you should bring your patients’ attention to that privacy policy.

“You might include a copy of it with your new patient registration form and train your medical receptionists to understand the privacy policy and direct patients to it whenever new data is being collected by reception, such as if a new patient books an appointment over the phone. You could also include a notice on your reception desk which outlines where and how patients can access the privacy policy.

“Aside from the privacy policy, the other way clinics can improve their transparency is through encouraging clear conversations between GPs (and other staff) and patients about how patients’ personal and health information will be handled.  

Having this openness and taking the time to help patients understand how the clinic protects their privacy is an important way to ensure patients are comfortable with, and consenting to, the clinic’s management of their health information.

 

“I guess the third tip is to really review the ways in which your clinic shares and discloses data and to ultimately ensure that such disclosures do comply with privacy laws. To do that, the best thing is to be working towards obtaining your patients’ clear and informed consent to all disclosures you make.

“Your privacy policy is again a handy tool for this. If it is accurate and up-to-date, you can ask patients to read and provide their consent to that privacy policy. For one-off disclosures, such as when you are making a referral, the best way to obtain consent is through having a conversation with the patient, ensuring they understand, and asking them to confirm whether or not they are happy with that disclosure. Where that’s not practical or possible, GPs need to be confident that, at the very least, any disclosures they make will meet two key requirements (assuming they are made to Australian entities or individuals).

“The first is that the relevant disclosure must be one that your patients’ would  reasonably expect. And the second is that the disclosure must be made for a purpose which is directly related to the purpose for which you collected the personal or health information, which might often be the purpose of providing health services.

“For that first requirement, this really comes back to the goal of transparency. To ensure your patients will have the ‘reasonable expectation’ required, you need to have taken enough steps to provide them with information about the relevant disclosures, such as on your website, in your privacy policy, on posters or notices in the clinic and also through conversations with the patient”.

Patient-centred privacy is key

 

If there’s one thing we’ve learned over the past few years, it is that more and more patients are growing increasingly concerned about how their medical data is being handled. Knowing how critical trust is to the patient-GP relationship, we strongly believe that every medical provider should consider a patient-centred privacy approach to be not just a ‘nice to have’, but rather a ‘must have’.

At HotDoc, we’re committed to helping our customers achieve this objective. We’ve recently put together a privacy pack to help HotDoc clinics make their own privacy communications more transparent, straightforward and human-centred. We’re also in the final stages of performing a complete overhaul of all of our processes to ensure our business practices are not just compliant but clear-cut and understandable.

If you’re a HotDoc clinic and are interested in receiving a privacy pack, please reach out to your Customer Success Manager. If you’re not a HotDoc clinic, but you would like to learn more about what we do to ensure the privacy of your clinic and patients, please call 1300 468 362.