Recently we were asked to complete a few “security” questionnaire forms from both current customers and potential new customers. The second question on the form was “What type of data will be involved?” The choices were restricted, proprietary and public. It seemed like an easy enough question; after all, it was question number two of fifty. I was wrong. After careful thought, it is a much larger question, one that we had not given enough thought to before filling out these forms. We have always taken the position that on-call information is most likely public information, or at most proprietary, because it’s only a doctor’s name and phone number, but here’s what we found upon further research.
Restricted information such as Personally Identifiable Information (PII) is information that can be used to identify, contact or locate a single person or to identify an individual in context. PII can include first and last name, social security number, date and place of birth, mother’s maiden name, email address, NPI number, telephone number or information that is linkable to an individual such as medical, educational, financial and employment information.
Another type of restricted PII is a patient’s Protected Health Information (PHI). This is individually identifiable health information, which can include demographic data, that relates to the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Proprietary information is information that is not public knowledge and is viewed as the property of the holder. This can include certain financial data, non-medical test results, trade secrets, inventions or data that is used to make a business more successful.
Public information is all information that is not considered confidential.
So basically, considering the online definitions above made it even harder to decide which check-box we should use on the form. In the world of Call Scheduling software, the data elements that we deal with are a provider’s first and last name and a preferred method of contact, such as office, cell, home phone or pager number. To create a call schedule, though, we also collect information about their medical specialty (cardiology, radiology, or family practice), education level (MD, DO, PAC, NP) and any special skills that they may have (OB skill, Interventional skill). Additionally, we collect “day-off” information such as vacations, days off and CME. According to the definitions above, all of this information goes far beyond public and proprietary information and into the restricted category of personally identifiable information (PII). Remember that other information in this “restricted” category is information like your medical record, your social security number and your credit card information. So is this implying that the information contained on a call schedule or in on-call scheduling software should or needs to be guarded the same way as your medical record, social security number or credit card information? Really? Is this the same information that, when I started in the industry several years ago, was being faxed to a hospital or an answering service without much regard for privacy? Is this the same information that today is sent via unsecured email, printed out on paper and put into a 3-ring binder, and used daily by many hospital staffers to create a daily call roster? Could this really be that same information?
So how do we decide? I think in the end this must come down to impact. What happens if things go wrong and the information gets into the wrong person’s hands? In the case of a medical record, social security number or credit card information, the impact level is quite high. The worst-case scenario for your medical record could be discrimination in some way. The impact of your social security number and credit card information becoming compromised could be financial fraud and identity fraud, which are very large issues. All of these scenarios could potentially have a pretty substantial impact on your life, both personally and financially.
If someone got ahold of a group’s on-call schedule calendar for a particular month, that information has a potentially low impact because it has a very limited adverse effect on individuals. At most, the impact could result in minor harm to the individual; the harm would be much more of an inconvenience, such as changing a telephone number. If, in the end, the category that on-call information should go into does come down to impact, on-call information should not be in the “restricted” category. The impact is not great enough. But I think others may disagree.
By the way, when we completed the security forms, each of the requesting organizations had a different interpretation as to which category they said we should fall into.
Key Takeaway: On-call information is important enough to at the very least be considered proprietary and, by some organizations, restricted information. The more important something is, the more valuable it is to safeguard. The more valuable it is to safeguard, the more expensive it is. I guess that’s not bad… for us as a company.