Don’t wait for Congress: Protect patient records now
Medical record privacy legislation may be at a standstill in Congress, but that doesn’t mean your practice has to hold off implementing effective safeguards to protect the confidentiality of your electronic records, says John Glaser, PhD, vice president and chief information officer for HealthCare Partners, a group of 4,000 physicians and three hospitals in the Boston area.
Glaser offers the following checklist of instructions for your practice to follow to ensure appropriate security:
Technical practices and policies
— Individual "log-in" identifiers. To establish individual accountability, assign each authorized user in your practice a unique identifier, or log-on ID, to get access into the information system. Strict procedures should be established for issuing and revoking these identifiers.
— Automatic log-off functions. Wherever appropriate, program computer workstations to automatically log off when left idle for a specified period of time. You should be able to adjust the time period easily.
— Access controls. Implement procedures that ensure users can access and retrieve only information that they have a legitimate need to know. Methods of doing this can vary, and they should be worked out with your system vendor.
— Audit trails. Maintain audit trails, in an easily retrievable and usable form, that log all accesses to clinical information. The logs should include the date and time of access, the information or record accessed, and the user ID of the person who accessed the information.
— Protection of remote access points. If your practice has a centralized Internet connection, install a "firewall" or electronic barrier that provides strong, centralized security and allows outside access only to those systems critical to outside users. Vendors are equipped to install these firewalls, but you generally have to ask for them specifically.
— Protection of external electronic communications. Encrypt all patient-identifiable information before transmitting it over public networks, such as the Internet. Any group that doesn’t meet this requirement should either refrain from transmitting information electronically outside the organization, or they should do so only over secure, dedicated lines.
— Routine security assessments. Formally assess the security and vulnerabilities of information systems on a routine basis. For example, run existing "hacker scripts" and password "crackers" against systems on a monthly basis.
Organizational practices
— Clear, explicit security policies. If you don’t have them, develop and publish in-house security and confidentiality policies that express your dedication to protecting health care information. If you do have them, it may be wise to review them and get them up-to-date with current public sentiment regarding patient record confidentiality.
— Security and confidentiality committees. Establish formal points of responsibility — standing committees for large organizations, small or single-person committees for small organizations. Their task should be to develop and revise policies for protecting patient privacy and for ensuring the security of information systems.
— Education and training programs. Establish programs to ensure that all users of information systems receive some minimum level of training in relevant security practices and knowledge regarding existing confidentiality policies before being granted access to any information systems.
— Sanctions. Develop a clear set of sanctions for violations of confidentiality and security policies that are applied uniformly and consistently to all violators, regardless of job title.
— Patient access to audit logs. Make sure patients know they have the right to request audits of all accesses to their electronic medical records and to review these logs.
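The audit-trail and patient-access items above imply a concrete piece of tooling: a report of every access to one patient's record, drawn from logs that carry the date and time, the record, and the user ID. The Python below is an added example, not code from the article or from HealthCare Partners; the CSV layout, the field names, the sample log lines and the set of currently issued log-on IDs are all constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail (not from the article): one line per access to a
# clinical record, carrying the fields the checklist requires plus the action taken.
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,record_id,action
2024-03-01T08:02:11,jsmith,MRN-1001,view
2024-03-01T08:05:40,jsmith,MRN-1002,view
2024-03-01T09:15:03,rlee,MRN-1001,update
2024-03-01T09:16:00,,MRN-1001,view
2024-03-02T17:45:22,tmoore,MRN-1001,print
"""

# Hypothetical set of currently issued log-on IDs; assume tmoore's ID was revoked.
AUTHORIZED_USERS = {"jsmith", "rlee"}
REQUIRED_FIELDS = ("timestamp", "user_id", "record_id")


@dataclass
class AccessEvent:
    when: datetime
    user_id: str
    record_id: str
    action: str


def parse_audit_log(text):
    """Parse CSV audit lines. Rows missing a required field are reported as
    defects (line number, missing fields) instead of being silently dropped,
    because a log entry without a user ID breaks individual accountability."""
    events, defects = [], []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        missing = [f for f in REQUIRED_FIELDS if not row.get(f)]
        if missing:
            defects.append((lineno, missing))
            continue
        events.append(AccessEvent(datetime.fromisoformat(row["timestamp"]),
                                  row["user_id"], row["record_id"], row["action"]))
    return events, defects


def patient_access_report(events, record_id, authorized=AUTHORIZED_USERS):
    """All accesses to one patient's record, oldest first; each entry is flagged
    when the user ID is not a currently issued identifier (e.g. a revoked ID)."""
    hits = sorted((e for e in events if e.record_id == record_id), key=lambda e: e.when)
    return [{"when": e.when.isoformat(), "user_id": e.user_id, "action": e.action,
             "authorized": e.user_id in authorized} for e in hits]
```

Running `patient_access_report` over the sample for MRN-1001 lists three accesses and flags the one made under the revoked ID; the parser separately reports the row with no user ID.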