Talk of civil rights – human rights – is in the air. There are a lot of large-scale, national
worries on this front. But today I want
to talk about something that’s easier to get hold of – how the Department on Disability
Services and provider agencies handle sensitive data about the people they
support.
Over the years I’ve had conversations with former DDS
director Laura Nuss, Erin Leveton (erin.leveton@dc.gov)
and others on this subject. I know there
are existing secure systems such as Therap and MCIS that DDS uses to share
sensitive information with agencies providing services and supports. In the past, DDS also has explored secure email
communications systems for its interactions with agencies. But here’s the problem: no secure email system has ever been adopted,
and the secure systems that exist aren’t available to family members or other
supportive decision makers. This means
that everything that’s shared by email – sometimes very sensitive information -
is insecure, and until DDS finds and adopts some sort of secure email system,
that will continue to be the case.
I’ve asked over and over again for our son’s full name not
to be included in emails that contain sensitive health information, but no
matter how many times I ask this it seems the professionals who should know
better keep on including his full name in their messages. Even if I send an email specifically
including only initials, or avoid being too specific in an email about some
problem he’s having, they will write back with his full name and very detailed
discussion of his personal business.
This needs to stop. At
a minimum, until such time as DDS has a secure email system for communicating
sensitive information, guidelines should be provided to DDS and agencies receiving
DDS funding about how to communicate in emails about people’s personal
business. Just because someone is
receiving government assistance doesn’t mean that they lose their right to
privacy. Not my son, not your daughter,
brother, sister or cousin. We all have
the right to privacy.
I know this can be cumbersome. In the past I’ve had to work with secure
systems and their logins, passwords, etc.
They’re a hassle, but they have a purpose, and they don’t have to be set
up so that every email has to be sent this way:
if you’re just scheduling a meeting it’s clearly not necessary. Let’s remember, though, that we owe it to the
people we support to protect sensitive personal information. DDS needs to set an example, starting now.