Privacy and security
Can I safely and securely deploy this at my hospital?
Yes. At present, we do not store personal or identifiable health information. In a future version, we may store the patient phone number to assist with generating analytical data. All patient phone numbers will be stored under password-grade encryption with data housed in servers physically located in Canada, and patients will have the option to opt out on a per-text-message basis from having their phone number stored.
Does my data stay inside Canada?
Currently, our database does not store data that is legally required to remain in Canada. In a future version, we may store patient phone numbers with password-grade encryption with data housed in servers physically located in Canada.
Do you track or use physician phone numbers?
At present, we do not obtain, track, store, or utilize physician phone numbers. In a future version, we may enable physician account creation that links your cell phone number to your account. This will make login easy and permit verified logins using text-message verification (similar to how banks text you a code to securely log in to their websites). If we implement this functionality, physician phone numbers will never be sent to patients, or to anyone else, and will be used only to allow you to use our site. Note that text messages sent to patients come from a separate phone number that we at dchome.ca control; the message does not come from and is not associated with a physician's phone number.
What is your encryption strategy?
Our database does not currently store private information. In future versions, we will store information such as patient phone numbers using password-grade encryption. In particular, patient phone numbers will be one-way encrypted using the cryptographic security algorithms SHA-256 and PBKDF2. These take a phone number xxx-xxx-xxxx and return a 64-character string of letters and numbers from which it is computationally infeasible to get back the original phone number. After sending a text message to the phone number, our software discards the phone number and only the encrypted version is stored in the database. Physician phone numbers, if we utilize them in the future to facilitate simple and secure physician login, will also be stored using password-grade encryption. Any custom instructions provided are also stored with password-grade encryption.
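A sketch of the one-way phone number storage described above, added here as an illustration and not dchome.ca's own code. The iteration count, the server-side secret salt (`PEPPER`), the normalization rules and every function name are assumptions, and the phone numbers are constructed.

```python
import hashlib
import hmac
import re

# Assumed parameters (not stated on the page). A 10-digit number has at most
# 10**10 possible values, so the secret salt and the iteration count, not the
# hash function alone, are what keep stored digests from being matched by
# enumeration. The salt must live outside the database.
ITERATIONS = 600_000
PEPPER = b"constructed-demo-secret-not-for-production"


def normalize(phone: str) -> str:
    """Reduce xxx-xxx-xxxx style input to 10 digits so one number has one digest."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the North American country code
    if len(digits) != 10:
        raise ValueError("expected a 10-digit phone number")
    return digits


def phone_digest(phone: str, pepper: bytes = PEPPER,
                 iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 -> 32 bytes -> the 64-character string that is stored."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", normalize(phone).encode(), pepper, iterations, dklen=32
    )
    return derived.hex()


def same_phone(phone: str, stored_digest: str) -> bool:
    """Check a number against a stored digest using a constant-time comparison."""
    return hmac.compare_digest(phone_digest(phone), stored_digest)


def record_after_send(phone: str, opted_out: bool, db: set) -> None:
    """Called after the text is sent: keep only the digest, or nothing on opt-out."""
    if not opted_out:
        db.add(phone_digest(phone))
    # The plaintext number is never written to db in either branch.


if __name__ == "__main__":
    store = set()
    record_after_send("306-555-0123", opted_out=False, db=store)  # constructed number
    print(store)
```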
How do you defend against data breaches?
At present, we do not store private information. Therefore, even in the event of a data breach, there is no private data to be lost. In future versions, we will store any private information with password-grade encryption, so that it will be computationally infeasible for a nefarious entity to decrypt the stored information.
Do you have ethics approval for this work?
We operate as a research project under the University of Saskatchewan Behavioural Research Ethics Board (BEH 4404). Feel free to contact us for further information.
Can I delegate sending discharge instructions to a nurse or other healthcare professional?
Yes. The CMPA has answered this question in an article. Specifically, they ask:
Have you considered if the medical trainee or health professional providing discharge instructions:
- has sufficient knowledge and experience to provide adequate instructions?
- knows the patient sufficiently well to ascertain discharge requirements?
- knows the special risks, if any, for the specific patient?
What does the CMPA have to say about sending discharge instructions?
The CMPA does not specify a modality for delivering discharge instructions. However, they do encourage both verbal and written instructions and this project falls under the latter category. The CMPA article on "informed discharge" states:
Handouts support the informed discharge discussion but do not replace the personal interaction. It can be very helpful to give the patient (or the person taking the patient home) written instructions. These are supplements to personal interaction, but cannot replace it.
Furthermore, the article adds:
Have you documented copies of the handouts used?
To support this documentation, you can write:
Discharge instructions as per the dchome.ca handout on [handout name].
Future versions of the software will provide a confirmation code you can include in the medical record to verify instructions were given.