This work encourages healthcare organizations to set a goal to improve LGBTQ+ health in their community. LGBTQ+ individuals have experienced and continue to experience significant barriers to healthcare. These barriers contribute to serious health discrepancies. Training stakeholders like doctors and nurses about LGBTQ+ inclusive and competent care is important, but it is not enough. This work presents a broad strategy to improve LGBTQ+ health. While training and communication are a vital part of the strategy, IT policy must also be encompassed. Many LGBTQ+ stakeholders hold concerns about confidentiality, and creating secure IT policies could address those concerns. IT policies also set rules for analytics which could potentially change and improve practice. The strategy involves assessing security, conducting research, and making alterations to the IT policies important to LGBTQ+ health or LGBTQ+ patient concerns. The strategy also encourages making rules for data. Analyzing LGBTQ+ health records could lead to improving preventative care. Ultimately training, collecting analytics, and building a security-minded culture through IT policies are ways to minimize healthcare barriers and improve LGBTQ+ health outcomes.
Thinking about IT policy and technology is needed in providing LGBTQ+ competent healthcare. Training is necessary for doctors to learn inclusive and comprehensive LGBTQ+ healthcare. Training individuals to provide inclusive healthcare is essential, yet it is not enough. Organizations must think about their technologies when striving to provide inclusive care. Considering IT policy and organizational technologies is a strategy to improve LGBTQ+ healthcare. This work provides background on LGBTQ+ individuals seeking healthcare and presents a practical IT strategy for healthcare providers in the United States to make their organization LGBTQ+ inclusive.
For many LGBTQ+ individuals, finding an LGBTQ+ competent doctor or health care provider is a challenge. The challenge lies in social and structural constructs. Healthcare providers may not be educated on LGBTQ+ matters and may have biases, making it hard for LGBTQ+ people to disclose their identity or feel safe disclosing their identity [2, 6, 18, 22]. When researching LGBTQ+ populations in Arctic Canada, Logie et al. found three main concerns for LGBTQ+ individuals: heterosexism and cisnormativity, intersectional stigma, and concerns involving limited services and confidentiality [11].
Heterosexism and cisnormativity is the assumption that each patient is heterosexual and cisgender. Intersectional stigma is hearing how a patient identifies their gender or sexuality and how others form judgments and assumptions about them. An example would be that a patient identifies as pansexual, and the doctor assumes that they have many partners and are practicing unsafe sex. As people are more than their gender and sexuality, other intersections of identity, like race, culture, socioeconomics, or religion, amplify this stigma. Limited services are not providing all the services that are needed. Confidentiality concerns were rooted in data concerns and people in the office talking.
These concerns are not unfounded for LGBTQ+ individuals. Mirza and Rooney examined the data found in a Center for American Progress survey [12]. Out of lesbian, gay, bisexual, and queer (LGBQ) respondents, 8% stated that a doctor refused to see them due to their actual or perceived sexual orientation, and 9% had a doctor or other health care provider use harsh or abusive language when treating them. Mirza and Rooney also looked at transgender population statistics. Twenty-nine percent of respondents stated that a doctor or other health care provider refused to see them because of their actual or perceived gender identity, and 23% said a doctor or other health care provider intentionally misgendered them or used the wrong name [12].
There are ways of searching for and finding LGBTQ+ competent doctors online. However, not every LGBTQ+ person has a way of getting to an LGBTQ+ competent doctor. The person might be underage or living in a rural area. Shaver et al. examined rural health care providers and found considerable gaps in providers' knowledge [17]. As a result, many LGBTQ+ people do omit their identity in a doctor's office. Arbeit et al. studied bisexual female youth and found that 73% of their doctors assumed heterosexuality, and only 18% of the sample spoke to their doctor about having an LGBT identity [2].
Minority status, stigma, biases, discrimination, microaggressions, erasure, and lack of knowledge and healthcare training are enormous barriers for LGBTQ+ individuals, especially if they have multiple minority identities [4, 6]. These barriers lead to profound health disparities. The Office of Disease Prevention and Health Promotion describes that the disparities can depend on how the person identifies [15]. However, in general, the disparities include higher rates of mental health distress, tobacco, alcohol, and drug use, and obesity, and females are less likely to seek out cancer screenings. There is also a need for sexual health screenings that isn't being met.
The first step is to make an organizational goal and commit to improving LGBTQ+ healthcare. Take time to form a committee dedicated to this pursuit. Start by researching literature regarding LGBTQ+ healthcare. While the above section offers an overview, it is by no means comprehensive. Stakeholders performing research need to remember that different LGBTQ+ identities have different needs and experience different stigmas. However, even within the same identity label, two individuals may have entirely different needs and very different lives as there are many ways of being an LGBTQ+ person. It is important to remember that people are more than how they identify, so avoid thinking in terms of universals. Have the committee scour databases looking for journal articles relevant to LGBTQ+ health and create literature reviews or PowerPoint presentations to understand and reflect on the findings. Research like Shaver et al. has shown that doctors, nurses, and other care providers may have gaps in their knowledge regarding LGBTQ+ individuals, especially in rural settings [17]. Research if there are training opportunities for stakeholders to learn more about LGBTQ+ patients or make a mandatory meeting with an informative presentation.
IT and organizational goals need to be aligned. Therefore, it is necessary to assess current technology practices and IT policies. Perform a security assessment. In evaluating the findings, think about what was discovered about LGBTQ+ individuals and their concerns, compare other organizations' IT practices, and identify any weaknesses in the IT policies. Where applicable, be sure LGBTQ+ inclusive language is used in the IT policies.
Making and storing electronic healthcare records (EHR) must meet standards. These standards include Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), and the Affordable Care Act (ACA). Even with standards in place, Logie et al. found confidentiality remains a concern for LGBTQ+ individuals [11]. Sexual orientation and gender identity (SOGI) data and EHR data are sensitive pieces of data. Healthcare providers are targets of cybercriminals. Cybercriminals' motivation is varied. Typically, a cyber-attack is financially motivated, and cybercriminals go after personally identifiable information (PII) and protected health information (PHI) [1]. These pieces of information can be bought and sold by criminals and are used for phishing messages, financial fraud, and identity theft.
Confidentiality remaining a concern for LGBTQ+ people is not unfounded. Lemberg wrote for a law journal and found instances where hacked SOGI data and medical records have been used in blackmail scenarios [10]. There are no anti-discrimination laws at the federal level, so the outcome of a blackmail scenario falls into anti-discrimination laws at the state level. Not all 50 states have state-level laws to protect LGBTQ+ individuals from discrimination. As a result of the lack of legal protections, Lemberg found instances where people were fired, denied housing, evicted, and had their family lives damaged or destroyed [10].
Healthcare organizations need to firmly keep in mind that meeting HIPAA, HITECH, ACA compliance, and any other healthcare compliance does not mean the organization is secure or holding good security practices. It is essential to review what was discovered in the security assessment. While reviewing, consider the predominant cybersecurity challenges in healthcare, which are employee errors, cloud threats, phishing attacks, malware and ransomware, encryption creating blind spots where hackers can hide from the tools used to detect breaches, and cybercriminals devising a slightly altered URL to give the illusion that their duplicitous creation is part of the organization [20]. Think critically about the findings and predominant cybersecurity challenges in healthcare. Use this moment of assessment to think about the IT policy portfolio to build a security-minded culture at the organization.
This section outlines the areas of IT portfolio alterations that should be considered in meeting the goal of providing LGBTQ+ competent healthcare. Remember that there are no definitive ways or all-encompassing blank templates in addressing policy. While there are guidelines, research, and policies from other organizations that serve as a solid basis for emulation, the committee must keep in mind that every organization is different. Therefore, each policy document must be molded to fit the organization and its identity. When approaching each document, it is necessary to consider relevant compliances and laws. Research those while working on each document and address them in the document's body.
Make it part of the organization's IT policy portfolio to collect and protect sexual orientation and gender identity (SOGI) data. Healthcare is a data-driven field. Cruz's commentary on collecting SOGI was that big data analytics systems using artificial intelligence and machine learning have the potential to improve healthcare rapidly [3]. The data has the potential to transform health care policies, administration, and clinical practice. Understanding SOGI and other sociodemographics through artificial intelligence and machine learning is a predictive way of intervening and reducing health disparities.
Collecting SOGI data should mean that LGBTQ+ individuals don't have to come out repeatedly at every doctor's appointment, and it should minimize erasure. Gessner et al. interviewed an individual who had to explain at every appointment that they are a lesbian [6]. Every appointment, the doctor said they would note it in the person's chart. The doctor never made a note. The repeated incident left the individual feeling erased, not taken seriously, and not listened to at the doctor's office. Prioritizing SOGI data in an IT policy could reduce such incidents.
There will likely be a need to optimize or customize EHR systems to make accurate and consistent SOGI data collection a reality. Commonly the IT staff at the healthcare organization works directly with the EHR vendor. Upon making SOGI part of IT policy and getting the EHR software configured, training to collect, read, and prioritize SOGI data will all be necessary. Have a team examine the analytics regarding SOGI and report the findings. The findings will improve organizational practices and services to help fight disparities.
The access controls standards policy is the place to document the rules for keeping both physical and digital assets safe, and reviewing and altering it addresses LGBTQ+ confidentiality concerns. This minimizes the potential of someone being inadvertently outed or ending up in a blackmail situation. The Healthcare Information and Management Systems Society stresses that healthcare organizations strongly need IT policies that establish rules for protecting physical security [8]. Having policies around physical security is a way of protecting digital assets. The Healthcare Information and Management Systems Society states that physical hacking techniques, like installing a keylogger to record passwords and additional sensitive information, also need to be factored into an organization's plan [8]. Make relevant rules for maintaining physical security.
This policy also sets controls for digital security. These rules are about logging in and out, walking away from the computer station, and a permission scheme about who can access data. Permissions and passwords keep people out of sensitive data like EHR and SOGI. The National Institute of Standards and Technology notes that whatever access control configuration scheme is in place, it must not leak data [13]. Testing for data leaks is important. Testing ensures that work in this area and the policy are not pointless.
While the access controls standards set security rules, the security awareness and training policy will set rules to inform and train relevant stakeholders about security protocols and practices essential to the healthcare organization. Anyone with access to organizational computers and sensitive data needs to have it stressed that they play an integral role in keeping private data private. Once again, this document should reduce the odds of an LGBTQ+ stakeholder being inadvertently outed or having aspects of their medical chart known by others to whom they did not disclose personal information.
A security awareness and training policy needs to include advanced staff training, but it also needs to encompass patients. Having something like a website or small online module informing patients on security best practices for accessing their cloud data is also important. Most individuals are not IT experts, and it needs to be assumed that they likely do not know best security practices. Assuming stakeholders have no previous knowledge is a way of informing all in an easy-to-understand manner. If patients don't understand security practices for accessing health data on a cloud, they may as well be handing over their medical records, possibly to strangers or people in their lives who shouldn't see the charts.
A developed acceptable use policy is essential to addressing LGBTQ+ stakeholders' concerns about confidentiality [10, 11]. The policy tells employees how organizational technology can be used and stresses that technology must be used in ethical, legal, and responsible ways. It will emphasize the appropriate compliances and state that unauthorized access or misappropriation of access, like saving organizational files, has serious repercussions.
Since the pandemic, the line between work and home is increasingly blurred as people need to work remotely. During the COVID-19 pandemic, up to half of American workers worked remotely from home [9]. Bring your own device (BYOD) policies are a way to increase employee productivity and save money on the IT budget. However, BYOD has security risks that need to be addressed. Addressing the security risks is integral to keeping LGBTQ+ patients' information and all patient data secure and safe. Shahane listed that an ideal BYOD policy in healthcare addresses legislation and compliances, controls the use of third-party apps on the network, containerizes personal and professional data to maintain employee privacy, enforces organizational security and privacy policies, provides an uninterrupted communication channel for staff, deploys specifically approved apps, and specifies plans to wipe data should a device end up lost or stolen [16].
Ultimately, a BYOD policy needs to explicitly state which stakeholders can participate and explain the purpose of BYOD. Explain what devices are eligible for BYOD and have the IT department use a mobile device management (MDM) solution to control corporate-owned devices' configurations. An MDM should help with security as it makes it so the device owner can't sidestep necessary security configurations, and it should reduce the threat of shadow IT. In the case of healthcare, an MDM will assist in maintaining legislation and compliances.
The MDM will come in handy should someone exit or have a device lost or stolen. The MDM will partition personal data, and IT staff can remotely wipe company files from the individual's device. This is great for healthcare scenarios because a remote wipe could stop people from accessing PII, PHI, SOGI, and EHR data. In the case of LGBTQ+ stakeholders, this helps keep them safe from being outed, blackmailed, or discriminated against. Ensure that the policy addresses important contacts. Stakeholders need to know who to contact if they have any security concerns or suspect a breach. Knowing who to communicate with should a concerning situation arise is vital in building a security-minded culture.
Information technology planning. Information technology planning is how organizations plan to upgrade their technology. When this is done regularly, organizations can plan to allocate IT budgets to refresh and upgrade their IT. Planning makes getting new IT a more affordable process with an easier transition. While strict budgets regarding IT are a reality, it is necessary to make upgrades. While upgrading takes time, planning, money, and training, it is necessary for keeping all patient data safe.
Legacy systems are computer operating systems that aren't supported anymore. While legacy systems still technically work, they pose a considerable security risk to the organization. The lack of support means that they are no longer receiving updates and security patches, which leaves all systems and data, including LGBTQ+ patient data, vulnerable. Leaving people vulnerable hurts the credibility of the organization. Besides dodging the potential for imminent danger, upgrading IT means that there are better clinician-patient experiences, current software available, and the potential to have a higher return on investment [14].
When new technology is acquired, there is a need to get rid of old technology. Therefore, there need to be rules regarding the disposal of old technology. It can't just go in a dumpster or straight to an electronic recycling center. It needs to be done safely so no one can obtain anyone's PHI. Steps to dispose of technology safely are especially important for LGBTQ+ stakeholders. This is another way others could access SOGI or any other sensitive health record related to their identity, leading to incidents like those Lemberg noted involving discrimination, damage, and harm [10]. A computer in a dumpster or that went straight to electronic recycling is essentially allowing strangers a chance to access the organization and all its sensitive records. Health and Human Services states HIPAA-compliant ways of getting rid of old electronics [7]. The first is clearing, which is when software or hardware overwrites the media with non-sensitive data. There is also purging, which is when a strong magnet is taken to media to disrupt recorded data. Lastly, destruction is also an option where it can be melted, incinerated, disintegrated, or any other measure which destroys the media.
The point of a data governance policy is to preserve data integrity and keep confidential records confidential. While this policy will keep EHR protected, it also dictates how data can be used in healthcare. Data governance is vital in healthcare as the policy's goals should be to improve populations' health, reduce health care costs, and improve patient experiences and care [21]. The point of collecting SOGI, besides making it so people don't have to come out at every appointment, is to inform practice and policy. Making rules about data governance will allow organizations to harness the potential of SOGI data collection. Analyzing this data is integral to improving LGBTQ+ health outcomes and patient care. Spending time crafting governance policies doesn't just protect data; it allows informed stakeholders to analyze data. The results of the analysis could potentially predict or address serious LGBTQ+ health disparities.
Telemedicine is a growing way for people to gain access to healthcare. FOLX Health is an LGBTQ+ telemedicine platform specializing in queer and trans health [5]. Because using their platform is a way of getting healthcare, FOLX Health has an extensive privacy policy [5]. The privacy policy aims to explain what data is collected and what pieces of data will be shared with the patient's healthcare provider. FOLX Health also states how they are handling PHI according to HIPAA regulations [5]. Making IT policies explaining data collection and security practices for telemedicine may help LGBTQ+ individuals feel comfortable in seeking healthcare. On a telemedicine platform, LGBTQ+ patients can talk to a professional in an environment that they are comfortable in, which may help with the patient's anxiety and stress regarding stigma, judgment, and confidentiality.
The committee needs to go through the organization's procedures to pass policy changes. Build the security culture and make sure that the IT policies are saved to easily accessible cloud storage. Saving to cloud storage allows for all stakeholders to reference IT policies at any necessary point. Make sure that stakeholders receive training or watch presentations about LGBTQ+ patients. Employees will need to know about the IT policy changes, so ensure that there are meetings and training about the changes. Stress that security is essential and that every stakeholder's actions impact the organization's security and patient data. Making time for questions, clarifications, and concerns is vital to creating a culture concerned with security. Ensure that employees know how to contact people in the IT department and other supervisors to answer questions.
LGBTQ+ individuals need to know the organization's commitment to inclusive and confidential care. Make targeted advertising campaigns to reach LGBTQ+ individuals and tell them that LGBTQ+ healthcare is important and that the organization is committed to LGBTQ+ care in practice and policy. Advertise on LGBTQ+ social media and websites.
The commitment to LGBTQ+ health outcomes is a two-pronged approach. The first is educating and training stakeholders about LGBTQ+ individuals and their health. The second is the presented IT policy strategy because training is not enough to minimize LGBTQ+ health disparities. While the strategy is catered to LGBTQ+ health, much of it is thinking thoroughly about practicing good security. Use IT policy to make a security culture at healthcare organizations and, if possible, offer incentives, as Lemberg states [10]. Reinforce good security practices and make security part of everyday conversations. LGBTQ+ patients need to know that they have a safe place to get competent and up-to-date healthcare. Many LGBTQ+ people put off health care appointments due to stigma, judgments, and having to explain their identity. Putting off cancer tests or other necessary screenings can be a life-or-death matter for anyone, but LGBTQ+ populations have extra barriers to getting care. Training staff and making IT policies stressing security and analytics can be used to minimize LGBTQ+ health barriers and disparities.
1. Adler S. Why are hackers targeting the healthcare industry? HIPAA Journal. 2019. HIPAA Journal. Accessed 15 Feb 2021.
2. Arbeit MR, Fisher CB, Macapagal K, Mustanski B. Bisexual invisibility and the sexual health needs of adolescent girls. LGBT Health. 2016; https://doi.org/10.1089/lgbt.2016.0035
3. Cruz TM. Shifting analytics within US biomedicine: From patient data to the institutional conditions of health care inequalities. Sexuality Research and Social Policy. 2021. https://doi.org/10.1007/s13178-021-00541-6
4. Dean MA, Victor E, Guidry-Grimes L. Inhospitable Healthcare Spaces: Why diversity training on LGBTQIA issues is not enough. Bioethical Inquiry. 2016; https://doi.org/10.1007/s11673-016-9738-9
5. FOLX Health. FOLX Queer & Trans Health. 2021. FOLX Health. Accessed 10 Feb 2021.
6. Gessner M, Bishop MD, Martos A, Wilson BDM, Russell ST. Sexual minority people's perspectives of sexual health care: Understanding minority stress in sexual health settings. Sexuality Research and Social Policy. 2020; 17(4):607.
7. Health and Human Services. What does HIPAA require of covered entities when they dispose of PHI. HHS.gov. 2016. HHS. Accessed 17 Jan 2021.
8. Healthcare Information and Management Systems Society. Cybersecurity in healthcare. 2021. HIMSS. Accessed 19 Feb 2021.
9. Knutson T. Telecommuting surge likely to last past COVID-19 crisis, predicts brookings report. Forbes. 2020. Forbes. Accessed 4 Jan 2021.
10. Lemberg A. Hackers made me lose my job: Health data privacy and its potentially devastating effect on the LGBTQ population. Golden Gate University Law Review. 2017; 47(2):175–204.
11. Logie CH, Lys CL, Dias L, Schott N, Zouboules MR, MacNeill N, et al. "Automatic assumption of your gender, sexuality and sexual practices is also discrimination": Exploring sexual healthcare experiences and recommendations among sexually and gender diverse persons in Arctic Canada. Health & Social Care in the Community. 2019; https://doi.org/10.1111/hsc.12757
12. Mirza SA, Rooney C. Discrimination prevents LGBTQ people from accessing health care. Center for American Progress. 2019. Center for American Progress. Accessed 20 Feb 2021.
13. National Institute of Standards and Technology. Access control policy and implementation guides. NIST Computer Security Resource Center. 2020. NIST. Accessed 15 Feb 2021.
14. O'Dowd E. Dangers of legacy solutions to health IT infrastructure systems. HITInfrastructure. 2021. HITInfrastructure. Accessed 15 Feb 2021.
15. Office of Disease Prevention and Health Promotion. Lesbian, gay, bisexual, and transgender health. 2020. Office of Disease Prevention and Health Promotion. Accessed 23 Jan 2021.
16. Shahane R. BYOD in healthcare: Benefits, challenges, solutions. Scalefusion Blog MDM, EMM, Product Updates Thought Leadership & SaaS. 2020. Scalefusion. Accessed 17 Feb 2021.
17. Shaver J, Sharma A, Stephenson R. Rural primary care providers' experiences and knowledge regarding LGBTQ health in a midwestern state. The Journal of rural health : official journal of the American Rural Health Association and the National Rural Health Care Association. 2019; https://doi.org/10.1111/jrh.12322
18. Sherman ADF, Cimino AN, Clark KD, Smith K, Klepper M, Bower KM. LGBTQ+ health education for nurses: An innovative approach to improving nursing curricula. Nurse Education Today. 2021; https://doi.org/10.1016/j.nedt.2020.104698
19. Taskiran Eskici G, Alan H, Eskin Bacaksiz F, Gumus E, Cakir H, Harmanci Seren AK. Under the same rainbow: A study on homophobia and discrimination among private sector health care professionals. Journal of Nursing Management. 2021; https://doi.org/10.1111/jonm.13167
20. University of Illinois Chicago. Cybersecurity in health care: How can it be improved. UIC Online Health Informatics. 2020. University of Illinois Chicago. Accessed 20 Feb 2021.
21. University of Wisconsin. What is data governance in healthcare? UW Health Information Management & Technology. 2017. University of Wisconsin. Accessed 17 Feb 2021.
22. Wahlen R, Bize R, Wang J, Merglen A, Ambresin A-E. Medical students' knowledge of and attitudes towards LGBT people and their health care needs: Impact of a lecture on LGBT health. PloS one. 2020; https://doi.org/10.1371/journal.pone.0234743