I am often asked about storing sensitive, confidential patient information in Microsoft Office365, specifically SharePoint Online, Microsoft Teams and Microsoft Dynamics365.
Sensitive and/or confidential patient information can come in many forms. It could be paper-based forms completed by a participant taking part in a research project, copies of medical records, biological samples or even recordings for assessments of a student talking to a patient about a medical condition and a patient's physical or mental illness.
There are a few things you must consider when capturing and recording patient interviews and storing the content. One key thing to remember is that video records mean that participants are far more identifiable.
As a starting point, the General Medical Council provides ethical guidance for practitioners on Making and using visual and audio recordings of patients. This can be found at
Before any recording can be made or stored the patient should have provided informed consent for the recording to be made and stored. Consent should be recorded and stored securely.
Making it simple for the user to upload confidential content
A very important issue to consider is how end-users will upload the recordings into Office365. This should be made as simple and secure as possible, because users will find a way around issues, especially where deadlines are an issue.
A particular concern is where users may store recordings on USB drives or within OneDrive for Business as a temporary measure while they wait to upload the material. I often come across users who have temporarily stored material and then forgotten to remove it.
Automatic provisioning of SharePoint sites
Some organisations allow users to spin up SharePoint sites with limited involvement of the Information Compliance teams. This represents a challenge for compliance teams trying to monitor sites or Teams where confidential and sensitive information is stored.
Storage and retention
As part of the informed consent, a participant should understand how you will store the recordings and that they will be stored in a secure location. A patient or participant should also understand how long the content will be retained for.
You should work with your information compliance team to understand which retention and disposition policies should be applied to the content that you are storing.
There may be occasions when the information being stored is so sensitive that it should not be stored in the cloud. Some organisations use a hybrid solution whereby extremely confidential material or research data is stored in an on-premise version of Microsoft SharePoint or Microsoft Dynamics.
Permission Management, maintaining security
As we have seen in the news recently, incidents of patients being able to see other patients' files or records do happen. This can be the death of a research project: once participant confidence has been broken, engagement can become a significant problem.
It is important for the manager of the site or team to fully understand permissions and how they should be set up. It is also vital that anybody who sets permissions on files, folders or sites fully understands the impact of those changes and what their particular responsibilities are.
Security and protecting patient information is the responsibility of everybody!
The removal or disposition of confidential and sensitive information should be carefully considered. Some organisations will insist that the physical media used to store confidential material should be securely destroyed. Where this is the case then material should be hosted on-premise and on specific hardware used solely to store that material.
When the physical media is destroyed, serial numbers should be recorded and photographs of the destroyed media should be retained for an appropriate period. Where 3rd parties are used to destroy the media, certification and evidence should be provided that the media has been destroyed.
Microsoft Office365, the Security and Compliance Centre and Microsoft Azure make it very easy to protect and dispose of your information for those projects where hardware does not need to be physically destroyed at the end of a project.
It is important to audit a service to ensure that users and site managers are following information security and compliance best practice. All too often I find services that have been running for a number of years and nobody is responsible for ensuring content is being managed correctly.
Information and Compliance teams should regularly audit access to sites and Teams where patient data is stored.
Continually educating users and site owners about their responsibilities for protecting patient information is a vital step. This can be done in many ways and from different sources such as IT Services, Security and Compliance teams.
Additionally, adding material to the pages of the service is a great way to remind users about their responsibility.
Documentation and training
Ensure the solution and processes are well documented. Staff leave organisations and information leaves with them. As part of the documentation, ensure that, when staff do leave, new staff understand their responsibilities for understanding how the service works and how to maintain security.
This isn’t an exhaustive list of your responsibilities when recording, storing and disposing of sensitive or confidential patient recordings. However, it should provide you with a few thoughts around some of the common issues I see on a regular basis when using Office365 to store sensitive content.
If you are concerned about your Office365 environment or need any further information about storing confidential and/or sensitive information in Microsoft Office365, then please telephone +44 07515 969630 or e-mail firstname.lastname@example.org.