Bermuda: PrivCom issues guidance on protecting personal information in medical field

On August 19, 2024, the Office of the Privacy Commissioner for Bermuda (PrivCom) published new guidance on protecting personal information within the medical field. The guidance, delivered through question-and-answer scenarios, addresses several privacy-related issues relevant to medical professionals and organizations handling personal information in Bermuda.

Patient contact information

PrivCom clarified that patient contact information is considered personal information under the Personal Information Protection Act (PIPA), and healthcare organizations or practitioners act as stewards of this data. The guidance explained that individuals have rights under PIPA to access their personal information, request access to their medical records, and seek corrections or deletion, though these rights are not absolute.

Medical records compliance

The guidance emphasized that while compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) may inform best practices, organizations in Bermuda must specifically adhere to PIPA requirements when managing personal information and implement a privacy program that aligns with PIPA's obligations.

Security safeguards

The guidance noted that under PIPA, organizations must implement appropriate safeguards to protect personal information. While PIPA does not prescribe specific security measures, the guidance recommended encryption as a best practice to mitigate risks of unauthorized access or data breaches.

Email communications in healthcare

The guidance addressed the privacy implications of email communications, particularly when a healthcare practitioner moves from one practice to another. The guidance advised that, with patient consent, organizations may send general email announcements but must make privacy-driven decisions on a need-to-know basis.

Privacy considerations with email marketing tools

The guidance highlighted potential privacy concerns when using email marketing tools, such as data collection, behavioral tracking, data sharing, and data security. The guidance explained that organizations should ensure that overseas transfers of personal information provide a level of protection comparable to that required under PIPA.

You can read the guidance here.