Healthcare’s "dirty little secret" can create a big security challenge
December 1, 2008
Prevent staff members from snooping
In October 2007, a New Jersey hospital suspended 27 workers for accessing actor George Clooney’s confidential medical records after he’d been treated there following a motorcycle accident.
Elsewhere, a former employee of the UCLA Medical Center in Los Angeles was indicted in May on charges she accessed medical information on dozens of celebrity patients and sold that information to a media outlet.
And a 38-year-old Brooklyn man who worked in the admissions office at a prestigious New York City hospital was charged earlier this year with stealing and selling information about 50,000 patients.
There are plenty of reasons staff members snoop in patient records: curiosity, malice, a desire to be helpful or harmful, a brief lapse of judgment, a plan to steal thousands of identities and sell them on the Internet, or a supermarket tabloid’s offer of money. Their reasons are as varied as the employees themselves.
“I’ve sometimes called it the dirty little secret inside healthcare because it has been a problem for a very long time,” says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
So what can you do? Catching a snoop can be like looking for a needle in a haystack, but there are steps hospitals can take to try to prevent the problem.
From bad to worse
Keeping staff members from inappropriately accessing patient records has always been difficult. But as an increasing number of healthcare organizations implement electronic systems, snooping is becoming an even bigger problem, Borten says.
Paper records tended to be more secure by nature, says Mary D. Brandt, MBA, RHIA, CHE, CHPS, president of Brandt & Associates, Inc., in Bellaire, TX. “They’re not that easy to access,” Brandt says, and it can be difficult to find the information a snoop is looking for.
Electronic records tend to be far less secure, simply because so many people have access to them and it’s easy to find, download, and copy them. Without good audit trails, a hospital may not even know that a record was opened, Brandt says.
“It’s easier for people to snoop in an electronic environment without feeling guilty and without getting caught,” Borten says. “Even really nice people, when they get in cars, they feel anonymous, and they do things like cut you off. There is the same sense of anonymity when you are sitting in front of your computer screen doing legitimate work, and you say, ‘Oh, well, I’m logged on. I’m just going to take a quick look at this record; nobody will ever notice.’ ”
Although the problem is unlikely to go away soon, you can mitigate your hospital’s risk and manage staff members.
Start with training
The first step involves teaching staff members why it is not permitted to view records that are not required for their jobs.
Make sure staff members are aware of the need to protect patient privacy. Include this message during orientation of new employees and reinforce it at departmental meetings. If you have a hospital newsletter, publish reminders there.
At Trinity Health, a system with 45 hospitals and 46,000 full-time employees in seven states, staff members and nonemployees sign confidentiality agreements that clearly describe prohibited behaviors, including snooping.
If your hospital has audit trails, emphasize to new staff members that the facility monitors computer access. Staff members might think twice before peeking if they’re aware others will know.
“Most of us generally follow the rules if we know somebody is watching. If you’re zipping around doing 45 miles in a 35 m.p.h. speed zone and suddenly you see a police car, what do you do? You hit the brakes. You slow down,” Brandt says.
Limit access if possible
Work with your hospital’s Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance officer and health information management personnel to control access to records. Decide which employees and which external individuals need access to electronic records. Consider other methods of making patient information available to nonemployees.
“As we learned more about electronic health records, we realized that there is a broad range of people, both employees and external individuals such as doctors, office staff, students, and vendors, who need access to patient information for various purposes,” says Camille Orso, CHP, corporate director of HIPAA compliance and privacy officer at Trinity Health, which is currently implementing a systemwide electronic health records (EHR) initiative.
“We realized we needed to think about managing access to the EHR more creatively and in a more focused way,” Orso says.
It’s also important to create a written plan that spells out, step by step, what to do when a privacy investigation becomes necessary. Document every investigation.
If a patient complains that a staff member has accessed his or her record inappropriately or an employee observes a colleague viewing patient records without a job-related reason, you need to investigate to determine whether a HIPAA violation has occurred.
Your hospital’s computer systems should be able to generate two kinds of audit report. The first lists every medical record a given staff member has accessed, which is what you need when you suspect a specific individual of snooping. The second lists every staff member who viewed a given record, which is what you need when a patient complains or the hospital suspects that one person’s record was accessed improperly.
Software with the ability to flag suspicious behavior is also becoming more common. For example, such programs may automatically flag a record accessed an unusually high number of times. Treat such a flag as a lead for the investigation process described above, not as proof of a violation: a record opened by many people may also be what a busy inpatient stay looks like.
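The three audit questions above (what did this user open, who opened this record, and which records were opened by an unusually large number of people) can be answered from an access log with very little code. The following is an added example, not software from the article or from any vendor it names. The log format (timestamp, user, medical record number, action) and the sample lines are constructed for the example; real EHR audit exports differ by vendor, and the "unusual" threshold (at least `min_users` distinct users and at least `factor` times the median for the period) is an assumed rule of thumb, not a standard.

```python
"""Audit-trail review for EHR access logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import List, NamedTuple

# Constructed sample audit trail. The line format is an assumption made for this
# example; MRN 777001 stands in for a record that attracted unusual attention.
SAMPLE_AUDIT_LOG = """\
2008-10-01T08:02:11 user=nurse_a mrn=100231 action=view
2008-10-01T08:05:40 user=nurse_a mrn=100232 action=view
2008-10-01T08:07:02 user=clerk_b mrn=100231 action=view
2008-10-01T09:15:33 user=dr_c mrn=100233 action=view
2008-10-01T09:20:10 user=clerk_b mrn=100233 action=view
2008-10-01T10:01:00 user=nurse_a mrn=777001 action=view
2008-10-01T10:01:30 user=clerk_b mrn=777001 action=view
2008-10-01T10:02:00 user=dr_c mrn=777001 action=view
2008-10-01T10:02:45 user=tech_d mrn=777001 action=view
2008-10-01T10:03:10 user=admin_e mrn=777001 action=view
2008-10-01T10:03:50 user=billing_f mrn=777001 action=view
2008-10-01T11:00:00 user=tech_d mrn=100232 action=view
2008-10-01T11:05:00 user=dr_c mrn=100234 action=update
"""


class AccessEvent(NamedTuple):
    timestamp: datetime
    user: str
    mrn: str
    action: str


def parse_audit_log(text: str) -> List[AccessEvent]:
    """Parse 'TIMESTAMP key=value ...' lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append(AccessEvent(datetime.fromisoformat(stamp),
                                  kv["user"], kv["mrn"], kv["action"]))
    return events


def records_accessed_by(events: List[AccessEvent], user: str) -> List[tuple]:
    """Per-user report: every record a suspected individual touched, in order."""
    return [(e.timestamp, e.mrn, e.action)
            for e in sorted(events) if e.user == user]


def users_who_accessed(events: List[AccessEvent], mrn: str) -> List[str]:
    """Per-record report: everyone who opened the record a patient complained about."""
    return sorted({e.user for e in events if e.mrn == mrn})


def flag_high_access_records(events: List[AccessEvent],
                             min_users: int = 4,
                             factor: float = 3.0) -> List[str]:
    """Flag records opened by an unusually large number of distinct users.

    'Unusual' here (an assumed rule, not a standard) means the distinct-user
    count is at least min_users AND at least factor times the median count
    over all records in the period. Counting distinct users rather than raw
    views keeps one clinician re-opening a chart from tripping the flag.
    """
    users_per_record = defaultdict(set)
    for e in events:
        users_per_record[e.mrn].add(e.user)
    counts = {mrn: len(users) for mrn, users in users_per_record.items()}
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(mrn for mrn, n in counts.items()
                  if n >= min_users and n >= factor * baseline)


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("nurse_a opened:", [mrn for _, mrn, _ in records_accessed_by(evts, "nurse_a")])
    print("100231 opened by:", users_who_accessed(evts, "100231"))
    print("flagged records:", flag_high_access_records(evts))
```

The flagged list is where an investigation starts, not where it ends: the next step is to pull `users_who_accessed` for each flagged record and ask, for each name, whether that person had a job-related reason to be in the chart.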
Take corrective action
It is important to have a policy outlining sanctions the hospital will take against employees who violate patient privacy. You should tie the severity of an incident to appropriate disciplinary action.
Take into account the intention of the individual responsible for the privacy breach and the level of harm to the patient and the hospital.
Make staff members aware of potential disciplinary actions during training. “I hate to be heavy-handed,” Borten says. “But this is an area where you have to remind people of the consequences because you don’t have much else to work with here, other than a threat.”
Take disciplinary action if it becomes necessary, and be consistent. “You can’t make an exception for the absolute best nurse on staff,” Borten says. “You have to be consistent and follow through.”
Remember that disciplining employees for violations demonstrates that your organization is serious about protecting patient privacy. “You probably can’t make it so public as sending out an e-mail to everybody saying, ‘We fired Sally in the ICU, and this is what she did,’ ” Brandt explains. “But you can bet if you take disciplinary action against an employee, that word spreads pretty fast.”