By Mary Anne Gates
As electronic health records (EHRs) become more prevalent, maintaining the privacy and security of the patient health information stored in that format has become more of an issue. A recent roundtable discussion by privacy experts held in conjunction with the AHIMA’s Health Information Privacy and Security Week highlighted the many challenges facing healthcare facilities.
Among these, as noted in the report “Online, on Message, on Duty: Privacy Experts Share Their Challenges,” are the following:
• employee education and the review of access policies to preserve the privacy and security of information;
• the ability of privacy officers to continue resolving issues with differing federal and state privacy laws while correcting HIPAA misinformation and addressing medical identity theft and portable device security;
• preparation and a proactive approach to privacy and security, which are
recommended as the Centers for Medicare & Medicaid Services collaborates with PricewaterhouseCoopers to conduct security compliance reviews; and
• ensuring that an organization’s privacy and security function effectively while promoting good communication and collaboration.
“An organizational commitment keeping patients’ health information private and secure is key. ... A critical element is enforcement of sanctions when breaches or attempted breaches occur,” says Jamie Husher, RHIA, CHPS, the HIM director and privacy officer at The Evangelical Lutheran Good Samaritan Society in Sioux Falls, S.D.
Privacy or security breaches can occur anytime in a healthcare facility. Examples cited in the report include a stolen computer, a hard drive that is not wiped clean before being discarded, and unauthorized employees accessing patient records.
“Facilities demonstrate a continued commitment to privacy and security of patient information by naming it an organizational priority and demonstrating such. A sound training program, including ongoing awareness, is critical,” says Husher.
New employees at Good Samaritan Hospital in Vincennes, Ind., learn early on that privacy and security of patient health records are important. “We discuss it at new employee orientation,” explains Wendy Mangin, MS, RHIA, the hospital’s director of medical records and privacy officer. “We talk about scenarios they might encounter and how to handle them (eg, questions about patients from someone outside the hospital).”
Husher says case studies or scenarios that are reported in the media can be helpful in bringing privacy and security to life. Also, applying the information to the employee’s job helps him or her understand the need to maintain patient information in a private and secure manner, says Husher.
For example, Good Samaritan Hospital practices safety and security daily, such as disposing of protected health information (PHI) in special green bags. “We have done it for a good while, so it’s standard operating procedure. During our safety inspections, proper disposal of PHI is checked. Problems are reported for follow-up and correction,” says Mangin.
Access to patient records varies depending on the format—paper, electronic, or hybrid. Limiting access also depends on the format. An EHR is typically controlled through role-based security access, limiting the amount of information someone can access based on his or her job function, explains Husher.
Differing state and federal privacy laws are a concern, as it can be difficult to interpret and apply the laws, understand the differences between the laws, and stay current with changes, says Husher.
“HIPAA currently allows state laws that are more stringent to take precedence. … Some states require patient authorization before releasing any information, even for treatment purposes—this puts up a roadblock to quick access of information by caregivers. HIPAA allows the release of health information for treatment without an authorization. When a state continues to require an authorization, this prevents the prompt exchange of patient information needed for timely patient care,” says Mangin.
“Collaboration, collaboration, collaboration,” says Husher of working toward successful compliance. “There is so much happening in healthcare—it takes a team approach and the need to work together to stay in continued compliance.”
— Mary Anne Gates is a medical writer based in the Chicago area.