Bermuda: PrivCom issues guidance on protecting personal information in medical field
On August 19, 2024, the Office of the Privacy Commissioner for Bermuda (PrivCom) published new guidance on protecting personal information within the medical field. The guidance, delivered through question-and-answer scenarios, addresses several privacy-related issues relevant to medical professionals and organizations handling personal information in Bermuda.
Patient contact information
PrivCom clarified that patient contact information is considered personal information under the Personal Information Protection Act (PIPA), and healthcare organizations or practitioners act as stewards of this data. The guidance explained that individuals have rights under PIPA to access their personal information, request access to their medical records, and seek corrections or deletion, though these rights are not absolute.
Medical records compliance
The guidance emphasized that while compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) may inform best practices, organizations in Bermuda must specifically adhere to PIPA requirements when managing personal information and implement a privacy program that aligns with PIPA's obligations.
Security safeguards
The guidance noted that under PIPA, organizations must implement appropriate safeguards to protect personal information. While PIPA does not prescribe specific security measures, the guidance recommended encryption as a best practice to mitigate risks of unauthorized access or data breaches.
Email communications in healthcare
The guidance addressed the privacy implications of email communications, particularly when a healthcare practitioner moves from one practice to another. The guidance advised that, with patient consent, organizations may send general email announcements but must make privacy-driven decisions on a need-to-know basis.
Privacy considerations with email marketing tools
The guidance highlighted potential privacy concerns when using email marketing tools, such as data collection, behavioral tracking, data sharing, and data security. The guidance explained that organizations should ensure that overseas transfers of personal information provide a level of protection comparable to that required under PIPA.
You can read the guidance here.