Talk of civil rights – human rights – is in the air. There are a lot of large-scale, national worries on this front. But today I want to talk about something that’s easier to get hold of – how the Department on Disability Services and provider agencies handle sensitive data about the people they support.
Over the years I’ve had conversations with former DDS director Laura Nuss, Erin Leveton (email@example.com) and others on this subject. I know there are existing secure systems such as Therap and MCIS that DDS uses to share sensitive information with agencies providing services and supports. In the past, DDS also has explored secure email communications systems for its interactions with agencies. But here’s the problem: no secure email system has ever been adopted, and the secure systems that exist aren’t available to family members or other supportive decision makers. This means that everything that’s shared by email – sometimes very sensitive information - is insecure, and until DDS finds and adopts some sort of secure email system, that will continue to be the case.
I’ve asked over and over again for our son’s full name not to be included in emails that contain sensitive health information, but no matter how many times I ask this it seems the professionals who should know better keep on including his full name in their messages. Even if I send an email specifically including only initials, or avoid being too specific in an email about some problem he’s having, they will write back with his full name and very detailed discussion of his personal business.
This needs to stop. At a minimum, until such time as DDS has a secure email system for communicating sensitive information, guidelines should be provided to DDS and agencies receiving DDS funding about how to communicate in emails about people’s personal business. Just because someone is receiving government assistance doesn’t mean that they lose their right to privacy. Not my son, not your daughter, brother, sister or cousin. We all have the right to privacy.
I know this can be cumbersome. In the past I’ve had to work with secure systems and their logins, passwords, etc. They’re a hassle, but they have a purpose, and they don’t have to be set up so that every email has to be sent this way: if you’re just scheduling a meeting it’s clearly not necessary. Let’s remember, though, that we owe it to the people we support to protect sensitive personal information. DDS needs to set an example, starting now.