Feature story

Protecting the confidentiality and security of personal health information

23 November 2016

Health services are being scaled up in many low- and middle-income countries. This has resulted in a substantial increase in the amount of personal health information collected in order to develop and maintain comprehensive health records of a person’s use of the services and to monitor and evaluate the use, cost, outcomes and impacts of programmes or services. Detailed personal health information is also needed to evaluate success towards achieving, for example, the 90–90–90 targets, universal health coverage and the Sustainable Development Goals.

However, if personal health information is not held confidentially and securely, people may be reluctant to use health services, owing to fear of being stigmatized or discriminated against. The confidentiality and security of personally identifiable information therefore has to be protected at all levels of the health system. In many countries, this will require the development and implementation of privacy laws and a confidentiality and security framework for protecting personal health information.

Based on the principles of privacy, confidentiality and security, UNAIDS and PEPFAR have developed an assessment tool and an user manual to support countries to assess the degree that the confidentiality and security of personal health information is protected at facility and data warehouse levels and whether national guidelines that include privacy laws exist.

Many countries are in the process of developing and implementing national health identifiers (NHIDs) to ensure that each patient has a unique identity within the health system. This facilitates the development of comprehensive medical records and allows users of services to be tracked across health-care sectors. The development and use of NHIDs in a country’s health-care system promotes the effectiveness and efficiency of data gathering, but their use further underlines the need to protect the confidentiality and security of personal health information.

While policy-makers and other stakeholders in several countries recognize the need to develop and implement policies for protecting the privacy, confidentiality and security of personal health information, to date few countries have developed, let alone implemented, such policies. A workbook has also been developed that can be used to perform the actual assessments in country to assess to what extent policies have been developed and implemented at facility, data warehouse and national levels. 

Privacy, Confidentiality and Security Assessment Tool

User manual

Protecting personal health information

Workbook