Maybe Einstein was talking about healthcare when he said insanity is “doing the same thing over and over again and expecting different results,” especially when it comes to protecting patient privacy.
Despite recent large and catastrophic data breaches, many hospitals still use manual processes to protect patient data.
A variety of elements, including policies, procedures, technology and culture, are involved in creating a workable and comprehensive patient privacy program, one that truly preserves patient trust and plays a distinct and important role in enhancing patient care.
Developing a Vision
Detailed patient privacy programs don’t grow on trees, nor do they pop up overnight. Creating them first requires developing a vision or direction for the broader program. That vision should be articulated through a solid foundation of policies.
Policies shouldn’t be a “security,” “technology” or even a “HIPAA” thing: they must convey the organization’s affirmative obligation and belief that protecting a patient’s information is the same as protecting the patient. The most effective policies are concise and easy to read. Engaging in a top-down approach that builds partnerships within the organization, such as with human resources, goes a long way to successful implementation and enforcement of those policies.
The insider threat to patient data is on the rise in healthcare systems across the county, but having policies in place that are clearly communicated to all plays a significant role in reducing insider threats. At West Virginia United Health System, we proactively audit access to patient data so we can see when and who accesses patient medical records. We kicked off our auditing initiative by ensuring we had solid policies that aligned with the culture we wanted to develop.
SEE ALSO: HIPAA Security Compliance
Policy Building Blocks
No matter how great your policies are, they’re only as good as the procedures and plans that put them into practice. A good patient privacy program has evolving procedures to meet the ever-changing needs of healthcare technology. For example, in our facility, we constantly learn from our risk assessments, real life situations we encounter, and employee feedback to make needed adjustments. We also look at industry trends, as well as existing and emerging threats to see where changes can be made.
Auditing patient data access to reduce insider snooping can’t be a hospital’s only way of protecting patient privacy. In addition to auditing patient access, other procedures, such as encrypting all laptops, desktop computers, and mobile devices, are critical to an overall patient privacy program.
Employee education of all policies and procedures is essential. Everyone with access to patient data must understand how patient privacy and security affect not only the patient and the organization as a whole, but the provider themselves. Making the connection between the patient and your information privacy/security program with providers helps them understand how crucial their role is in protecting that data.
Technology’s Role
In reviewing our patient privacy program, we realized that by manually auditing patient records, we were barely scratching the surface. The technology in place today, Security Audit Manager from Iatric Systems, allows us to monitor multiple applications across the enterprise at any time, and our team can filter through the millions of accesses to patient records.
You can’t change what isn’t measured, so our technology enables us to identify patterns that might indicate inappropriate behavior. Additionally, we run repetitive audits to remain consistent, a key variable in maintaining an enforceable program.
Even with technology in place, more events occur than a typical organization can possibly review, therefore, occurrences should be addressed in a risk-based manner, which helps you do what is “reasonable” and “appropriate” for the organization.
“Patients should not need to worry if their information will be protected by the health organization.”
It’s Not a HIPAA Thing
You must create a culture of privacy, as it’s the only way for privacy to permeate the organization. A major key to this is understanding that patient privacy is not solely about HIPAA, policies or regulations. It’s really an attitude that needs to be embraced by all executives, clinicians and staff.
By letting clinicians know their access is monitored and measured, they are much more attuned to the overall program – they are invested and informed. Maintaining patient privacy and compliance is hard enough, but it becomes increasingly more difficult if clinicians aren’t involved or don’t understand the program.
We have a duty to not only care for patients so they can become and remain healthy, but we are also tasked with ensuring their data is firmly protected. Patients should not need to worry if their information will be protected by the health organization. If patients believe the hospital can’t or won’t protect their data, they are less likely to share important health information with clinicians, which can adversely affect their care and treatment. Patient data must be viewed as important as the patients themselves.
Mark Combs is assistant vice president and assistant chief information officer for West Virginia United Health System in Morgantown, W.Va.
