Case Study 3: Privacy of Personal Health Information
Insert Name
CSIA 412 6381
In 2008, a document entitled “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identified Health Information” was released by the Office of the National Coordinator for Health Information Technology (ONC). It provides eight principles by which health providers can operate their practices in order to ensure compliance with HIPAA standards as they relate to electronic health records (EHRs) and the privacy of personal health information (PHI) (Brown, 2009). These eight guiding principles have been adopted by health practices around the United States and have kept many practices from coming under review for failure to protect patient privacy. Specifically, the two principles the physician has neglected to comply with, and that will be addressed by the suggestions for improvement in this case study, are the principles of safeguards and accountability.
What I would do
A patient’s confidence in and sense of comfort with their health professional is often directly correlated with the management of their health records and the professionalism of the practice’s employees. Both of these came into question in the case study, and in order to stay in practice it will be necessary that both issues be resolved. The first action I would take in order to assess the situation and begin remediation would be to evaluate the current security standards and practices in place for patient records. According to Wikina (2014), a large majority of health data breaches are the result of human error, either in management or in transfer of records; therefore, I would assess not only the written policy but also how that policy translates into the physical layout of the office and the use of EHRs in the presence of patients. Secondly, I would review the quality, frequency, and content of staff and office trainings and the orientation of temporary employees. Next, I would assess the use of technology in examination rooms and at vitals stations, and conduct a risk assessment of the network used to transmit this information. Finally, I would meet with the physician to outline in detail the weak points in his systems and network, identify programs in need of updates or upgrades, and provide recommendations on the physical layout of the office and on staff communication with patients.
PHI Security Policy Advisement
The most efficient way to safeguard against health data breaches is to ensure proper management of PHI, to secure the locations where EHRs are stored and accessed, and to ensure that an accountability system is in place. Avancha, Baxi, and Kotz (2012) provide an extensive overview of the strengths and weaknesses of PHI legislation as enforced globally. The standards outlined in the article make it very clear that healthcare providers are responsible for safeguarding against PHI data breaches, and they also point out that a breach most often occurs because administrative safeguards were never implemented, as can be seen in the case of the physician.
The first advisement to the physician would be to ensure that all conversations take place in private areas and, if possible, behind closed doors. This first advisement has little to do with technology and is a comparatively easy fix, as it simply requires staff members to exercise discretion in order to protect the privacy of the patient. By requiring that all conversations concerning a patient’s care, test procedures or results, and/or health history take place behind closed doors, the physician ensures that PHI is kept confidential as it is verbally communicated. This also supports HIPAA compliance, as it creates a policy that requires personnel to abide by privacy guidelines and implements administrative safeguards for patient treatment (Avancha, Baxi, & Kotz, 2012).
The second advisement concerns the record keeping and review of the office staff. Causing a data breach in a health office can be as simple as looking over the shoulder of a nurse or other staff member as they update the health information of another patient. The breach is much easier to carry out when the computer screen can be seen from the waiting area, as is the case in this scenario. To safeguard the information, the advisement would be to consider moving all computer screens to the back portion of the front desk, against a wall, so that information is not exposed as it is entered into the system. A further consideration would be to invest in privacy filters that allow only the user seated directly in front of the screen to view the information being displayed. In terms of accountability, which this evaluator feels is the true issue, the physician needs to take into account how often an internal audit or other technical review is performed. As Brown (2009) states, there is no formal sanction when the ONC standards are not adhered to; however, by performing internal audits and ensuring compliance with these standards, practices set themselves apart and provide a quality level of service to their patients. Performing internal audits will not only allow quality service to be provided but will also allow the physician to evaluate the performance of his employees and provide comprehensive feedback on all processes within the office.
Finally, it is the advisement of this evaluator that the physician take into account how EHRs are managed and stored. Keeping in mind that a large majority of data breaches are the result of human error (Wikina, 2014), the physician would need to consider the encryption level of the network that hosts the EHRs, the maximum age of passwords used to access the system, how authorization is granted and revoked, and the level of access that temporary employees are granted. A keyboard shortcut that locks the screen and/or an automatic screen timeout would be one of the most efficient ways to ensure that one patient’s PHI is not viewed by an unauthorized party. In addition, requiring periodic password changes and formal authorization procedures would ensure that access is granted only to identified, authorized users whose security clearance is up to date, and that even if a password has been compromised, the damage that can be done is minimal.
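The internal audit recommended above and the access controls in this paragraph (temporary-staff expiry, maximum password age, role-based access, idle timeout) can be expressed as a single policy check that replays an EHR access log. The following is an added example written for this case study, not code from any EHR product or from the essay; the user directory, role permissions, thresholds and log lines are all constructed.

```python
from datetime import datetime, timedelta

# Policy thresholds: constructed values, since the essay names the controls but not the numbers
MAX_PASSWORD_AGE = timedelta(days=90)
IDLE_TIMEOUT = timedelta(minutes=5)
# Constructed user directory: role, last password change, and an access expiry for temporary staff
USERS = {
    "nurse01": {"role": "nurse", "pw_set": "2024-01-10", "expires": None},
    "temp07": {"role": "temp", "pw_set": "2024-03-01", "expires": "2024-03-15"},
    "front02": {"role": "front_desk", "pw_set": "2023-10-01", "expires": None},
}
# Record sections each role may open; temporary staff get scheduling data only
ROLE_PERMS = {"nurse": {"demographics", "history", "results"},
              "front_desk": {"demographics"}, "temp": {"demographics"}}

def check_access(user, section, when, last_seen):
    """Return the policy violations for one access attempt; an empty list means it is allowed."""
    acct = USERS.get(user)
    if acct is None:
        return ["unknown user"]
    violations = []
    if acct["expires"] and when > datetime.fromisoformat(acct["expires"]):
        violations.append("temporary access expired")
    if when - datetime.fromisoformat(acct["pw_set"]) > MAX_PASSWORD_AGE:
        violations.append("password older than policy")
    if section not in ROLE_PERMS[acct["role"]]:
        violations.append(f"role {acct['role']} may not open {section}")
    if last_seen is None or when - last_seen > IDLE_TIMEOUT:
        violations.append("no login or activity within idle timeout")
    return violations

def audit(log_lines):
    """Replay log lines '<iso time> <user> <login|section>' and list the entries that break policy."""
    findings, last_seen = [], {}
    for line in log_lines:
        stamp, user, action = line.split()
        when = datetime.fromisoformat(stamp)
        if action != "login":  # a login only resets the idle clock
            problems = check_access(user, action, when, last_seen.get(user))
            if problems:
                findings.append((line, problems))
        last_seen[user] = when
    return findings

# Constructed sample log: nurse idle too long, expired temp opening results, stale front-desk password
LOG = ["2024-03-20T09:00:00 nurse01 login", "2024-03-20T09:01:00 nurse01 results",
       "2024-03-20T09:10:00 nurse01 history", "2024-03-20T09:02:00 temp07 login",
       "2024-03-20T09:03:00 temp07 results", "2024-03-20T09:05:00 front02 login",
       "2024-03-20T09:06:00 front02 demographics"]
```

Running audit(LOG) flags three of the seven entries, one for each control the paragraph describes, which is the kind of finding an internal audit would bring back to the physician.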
Future Prevention
In addition to the aforementioned advisements, the most effective way to ensure that something of this nature does not occur again is staff training. According to Wikina’s study (2014), 44% of data breaches could be attributed to x-ray films, CDs, flash drives, etc., while desktop computers alone accounted for the breach in 16% of the cases. Effective training and accountability processes for file management and storage, use of computers in the presence of patients, communication of procedures and health considerations to patients, and securing of confidential information can therefore address approximately 60% of the data breaches identified by Wikina (2014). Beyond addressing these sources of breaches, such training will also enhance patient confidence and protect patient privacy, as information will not be easily accessible.
Conclusion
Security policies pertaining to the personal health information of patients are a critical area of operation for any modern-day physician’s office and an area in which many new private practices struggle due to lack of information (Brown, 2009). However, there are various ways to ensure HIPAA compliance and patient satisfaction while also ensuring business efficiency and staff accountability. Effective use of office space allows personal information to stay personal when the physician sets aside a room specifically for explaining procedures and summarizing the services to be provided; a strategic office layout and the use of privacy technology allow staff to complete required documentation without compromising privacy; and clearly written policy on the use of office technology provides data security and efficient software management. In addition, staff trainings and internal audits serve as reminders of office policy and as a review of day-to-day operations. The physician’s practice is still very new and will continue to encounter obstacles; however, if the physician effectively addresses all of these components now, those obstacles will be much less daunting in the future.
References
Avancha, S., Baxi, A., & Kotz, D. (2012). Privacy in Mobile Technology for Personal Healthcare. ACM Computing Surveys, 45(1), 3:1-3:54. doi:10.1145/2379776.2379779
Brown, B. (2009). Improving the Privacy and Security of Personal Health Records. Journal of Health Care Compliance, 11(2), 39-68.
Wikina, S. B. (2014). What Caused the Breach? An Examination of Use of Information Technology and Health Data Breaches. Perspectives in Health Information Management, 1-16.