As paper record-keeping becomes a thing of the past, the Health Information Management field is facing new challenges, particularly with regard to ensuring the privacy of patient information. As the ease of access and storage increases, the opportunity for data breaches increases as well. As with professionals in any other area of health care, Health Information Managers are expected to adhere to certain ethical standards for maintaining patient privacy. The privacy of patient health information is protected by state laws, as well as the Health Insurance Portability and Accountability Act (HIPAA). In order to comply with these laws, patient information can only be disclosed and used for certain purposes unless patients sign their consent over to the doctor.
Yet, patient information does at times become vulnerable. Whether it’s the media trying to gain information about a high-profile patient or someone seeking to steal and profit from someone else’s identity, there are numerous reasons why an individual might try to gain access to personal health data. Though the Internet age has certainly made life easier in many respects, it has also made accessing computerized data easier, so the threat of stolen information is greater than it has ever been. For example, Bitglass’ 2016 Healthcare Breach report states that in 2015 there was an 80% increase in attacks on health care databases. These attacks equate to an average cost of $154 per stolen record, which can certainly add up when considering that approximately a third of Americans have been the victim of stolen health records.
Healthcare Privacy Begins with Education
In order to ensure that personal health information remains private, it is important to educate anyone with access to patient data on laws, ethical standards and institutional policies. An effective training program will not only educate professionals on how to keep data safe, but also on why it must be kept safe. Handling patient information is a huge responsibility from both a financial and an ethical perspective, and personnel must have access to ongoing training in order to ensure compliance. Along with educating health care professionals, health care organizations should also ensure that patients are aware of their rights. Patients or their legal representatives should clearly understand what will or will not be shared and why.
Strategies for Keeping Private Medical Data Safe
Along with educating anyone who has access to personal patient information on privacy practices, certain safety protocols should also be implemented. Technical safeguards, such as encryption, should be used, along with any appropriate physical protection. This is especially important when providers can access medical data via portable devices, such as laptop computers or smartphones. Periodic data security audits and risk assessments should also be conducted. Systems should be developed to appropriately track the use, access or disclosure of health records, and a plan for emergency data recovery should be created.
Guidelines should also be developed to mask patient identifiers where patient identifiers are unnecessary. For example, treatment meeting minutes or other working documents should not include personal patient information when it is not required. Clear guidelines should also be in place for the collection of necessary permissions for the release of personal medical information for education, research or other purposes.
Sensitive information, such as HIV status, sexually transmitted disease information, substance abuse treatment or psychiatric records should be further protected by special processes. Certain information should require consultation with institutional senior management prior to use or release.
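As an added illustration of the two preceding points, masking patient identifiers in working documents and flagging the specially protected categories for senior review, the following Python is example code written for this page; it is not from the article or from any organization it mentions. The sample record, the pseudonymisation key and the small term list are constructed assumptions, and the access-tracking entry it writes stands in for whatever audit system an institution actually uses.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0001234",
    "name": "Jane Q. Example",
    "dob": "1985-03-17",
    "encounter_note": (
        "Patient Jane Q. Example (MRN-0001234) seen for follow-up; "
        "discussed substance abuse treatment plan."
    ),
}

# Hypothetical key for pseudonymising identifiers. In practice this lives in a
# key store with restricted access, never in source code.
PSEUDONYM_KEY = b"example-key-not-for-production"

# The categories the article singles out for special handling, keyed by a
# search term (assumed wording; real systems use coded data, not keywords).
SENSITIVE_TERMS = {
    "hiv": "HIV status",
    "sexually transmitted": "sexually transmitted disease information",
    "substance abuse": "substance abuse treatment",
    "psychiatric": "psychiatric records",
}


def pseudonymize_mrn(mrn, key=PSEUDONYM_KEY):
    """Return a stable keyed token for an MRN.

    HMAC rather than a plain hash: without the key, the token cannot be
    recomputed from a guessed MRN, yet the same MRN always maps to the same
    token, so working documents can still refer to one patient consistently.
    """
    digest = hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PT-" + digest[:12]


def flag_sensitive(text):
    """List the specially protected categories mentioned in the text."""
    lower = text.lower()
    return [label for term, label in SENSITIVE_TERMS.items() if term in lower]


def deidentify_for_working_copy(record, audit_log, actor, purpose, key=PSEUDONYM_KEY):
    """Produce a masked copy of a record for minutes or other working documents.

    Direct identifiers (name, MRN) are replaced with the pseudonymous token,
    the date of birth is reduced to a year, and the copy is marked for senior
    review when it touches one of the specially protected categories. The
    access is recorded in audit_log so use of the record can be tracked.
    """
    token = pseudonymize_mrn(record["mrn"], key)
    note = record["encounter_note"]
    # Exact-string replacement only; a production tool would also catch
    # partial names, initials and other indirect identifiers.
    note = note.replace(record["mrn"], token).replace(record["name"], token)
    categories = flag_sensitive(note)

    audit_log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": "deidentify",
        "patient_token": token,   # the log itself carries no raw identifier
        "purpose": purpose,
    })

    return {
        "patient_token": token,
        "birth_year": record["dob"][:4],
        "encounter_note": note,
        "sensitive_categories": categories,
        "requires_senior_review": bool(categories),
    }


if __name__ == "__main__":
    log = []
    copy = deidentify_for_working_copy(SAMPLE_RECORD, log, "him.staff", "treatment meeting minutes")
    print(copy)
    print(log)
```

The token is what goes into the meeting minutes; the mapping back to the real MRN stays with whoever holds the key, and the audit entry records who produced the copy and why without itself becoming another place the identifier is stored.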
While what happens after personal medical information is released to a third party is often out of the control of health care professionals, it is still important to conduct due diligence by reviewing the policies and procedures of the entity and, when applicable, requiring it to adhere to the same terms and restrictions regarding private health information. If security is breached, a thorough and timely investigation should be conducted and patients should be notified as soon as possible. Excellus BlueCross BlueShield is an excellent example of a health care information manager responding to a data breach in an ethical and intelligent manner. In 2015, Excellus BlueCross BlueShield became aware that their data system had been infiltrated and that the data of approximately 10.5 million individuals may have been stolen. Immediately, Excellus BlueCross BlueShield informed patients about the attack, noting that they should pay close attention to their accounts, and opened an internal investigation. The health care providers took matters a step further by asking the FBI to investigate the situation as well.
Recent studies indicate that data breaches cost the health care industry approximately $5.6 billion per year, so health care managers are continually seeking ways to avoid errors and keep data secure. Along with the security of data, Health Information Managers should also be concerned with the accuracy of health information. Inaccurate health information can lead to life-threatening consequences. The importance of accurate data entry should be shared with anyone responsible for inputting patient information. Certain computer design functions, such as “force functions”, can also be used to prevent users from skipping required fields.
Health Information Managers are expected to keep personal patient information confidential and accurate. Now, more than ever before, it’s important to stay informed on changes to the law, technology and security standards.