
A visit to a new doctor raises privacy questions

Recently my wife and I have begun finding new doctors and dentists. While filling out the paperwork at each office we are being asked for our driver’s license numbers, and I was not sure why. Also, being a privacy person, I read the privacy policies at these offices and sometimes had questions. So, much to my wife’s chagrin, I asked about these two items.

Why do you need to scan my license?

Among the information that is being collected on the medical forms is name, address, birth date and gender.  Ancillary to this, my signature is collected on the bottom of the form when I acknowledge I will pay for the services I receive. All of this information, including my signature, is also found on my driver’s license.

So, without filling in the license number, I returned the form to the receptionist. She asked for my insurance card and license. I provided the former and asked why she needed the latter.

“We use it to verify the information on the form and scan a copy of it for our records,” I was told by the receptionist.

I couldn’t resist… “I understand you visually verifying my information, but why do you keep a copy?”

A look of frustration came across the receptionist’s face. “Jane”, she called out, “why do we need to scan the driver’s licenses?”

“We don’t need to, we just always have.”

“I don’t know. But it’s a tradition…”

Throughout the musical Fiddler on the Roof, Tevye explains the importance of traditions to his community and weighs the need for the community to evolve against maintaining tradition. Traditions help define who people are and what is expected of them. This story can be applied to business as well.

Like Tevye’s community, if a business doesn’t react to changes in the environment, it may be “run out of town”. For a privacy professional this means constantly challenging business traditions: challenging why information is being collected, why it is needed, how it is used, how it is protected, and when it is destroyed.

Now, about that privacy policy…

I then had some time as I waited for the doctor to see me. I decided to read a copy of the office’s privacy policy instead of an old magazine.

The policy was a standard boilerplate document that had been taken from somewhere else. It became obvious that it had not been reviewed very closely when I found blank fields for effective date and charges a patient may incur for access to records. I wondered what else was not looked at by this office.

Since I was about to be poked and prodded by the doctor, and in light of the questions about the scanning of licenses, I thought it better to keep these items to myself (at least for now).

Don’t just copy someone else’s privacy policy

It is a common practice to “borrow” someone else’s policies or policy frameworks for your own use. Documents like these are readily available from many sources for just this purpose. However, borrowing is just a first step.

When using these items for your organization, be sure to fill in all the blanks; that is the obvious step. You must also read through the policy to be sure your organization does what the policy claims you do.

Every organization has unique practices and procedures. If the policy you borrow and publish states that you protect information a specific way or that you do not share information and your organization does not actually operate this way, your privacy policy may be viewed as deceptive.