August 27, 2015

MicroClinic Technologies: Pioneering Privacy and Data Security for Electronic Health Information.

From the moment patients get into a hospital and give their personal information to nurses, to vitals being taken, to collecting prescriptions and getting lab results, patients leave a trail of their unique personal information all over a health facility.

But do we understand the risks of all this? What happens if a health facility decides to sell this information? What happens if the computer systems at the facility are hacked into and patient records get publicized? Do we care who reads about our most intimate health information? 

This summer I spent seven weeks working with MicroClinic Technologies, a company that developed a health management system called ZiDi™ -- a prepaid service application that enables clinics and hospitals across Africa to improve the efficiency of health services through enhanced monitoring and evaluation of patient care, revenue, medicines, and personnel. ZiDi™ aims to reduce the burden of administrative duties on health workers by helping health facilities to collect and store personal health records. Recognizing the amount of personal health records captured and stored using ZiDi™, MicroClinic Technologies understands the risks of collecting and storing sensitive information and the need to keep such information private and confidential. However, the absence of a legal and regulatory policy environment for e-health records in Kenya means that MicroClinic Technologies has no guidelines to help them.

It was based on this need that I worked with MicroClinic to develop an internal e-health privacy and data security policy. This project required extensive engagement with the developers, legal counsel, owners of clinics and government officials. Most challenging was the need to balance privacy with enforceability; comprehensiveness with cost; and jurisprudence with acceptability. No easy fit for the resource-limited settings under consideration. The policy I developed this summer will serve as guidelines and standards on privacy and security for all personnel and also clearly outlines specific privacy and security obligations that third-party users of ZiDi™ must comply with before and while using the application.

This policy puts MicroClinic Technologies ahead of both government efforts to regulate the e-health sector and most other e-health companies in Kenya. Patients are often understandably more concerned about their health and not about what companies and health facilities may do with their personal information. The implementation of this privacy policy by MicroClinic Technologies upholds patient rights even when neither the market nor the government is demanding that they do so.

I am fortunate and grateful for the opportunity to have been a part of this pioneering movement towards creating standards aimed at upholding privacy and data security for health information in East Africa.