Beware of breaches from vendors and consultants
Technology vendors and consultants also pose a risk to patient confidentiality. They often are involved in developing and maintaining computerized patient information systems, but they may not be subject to the same legal and ethical obligations regarding patient information.
"If a vendor discloses patient information, you can expect to be named in a lawsuit," says Jill Callahan Dennis, JD, RRA, a principal with Health Risk Advantage, a consulting firm in Winfield, IL. "You will need to show that you took reasonable precautions to prevent the disclosure."
Contractual safeguards are important in showing that you made the effort. Dennis suggests taking these precautions in the contract:
• Require all vendors or other third parties to keep patient information confidential.
• Restrict the use of patient information to only what is necessary to provide the contract services.
• Limit the third party’s employees’ access to patient information. Only those employees who have signed confidentiality agreements and undergone appropriate training should have access to the information, and only if they need access to do the contracted work.
• Prohibit the third party from disclosing patient information to anyone else except as required by law, and require that you be notified of any requests for patient information.
• Include a requirement that records and data be returned in usable form upon request or at the end of the contract.
• Have the third party indemnify your organization for any breaches of confidentiality.
No matter how cautious you and your staff are, Smith warns that high-tech resources always will pose some confidentiality risk.
"Technology is giving us the ability to use information in new and exciting ways, but the other side is that more convenience means more opportunity for inappropriate use," Smith says. "It always will be a balancing act."
Questions to ask
Experts advise asking yourself these questions, among many others, to test your facility’s ability to protect confidentiality against high-tech threats:
• Do you have a system for notifying the computer system administrators to deactivate user identification and passwords in the event of employee termination or retirement? A similar policy should address employees who are out on leave or disability.
• Do unit "whiteboards" or bulletin boards listing patient information include patients’ full names? They should not if the area is accessible to the public.
• If a contractor must physically move dictation tapes, computer disks, printed reports, or similar items containing confidential information, will they be moved in a locked container? Your contract with the company should require transport in locked containers.
• Does your computer system record failed attempts to access confidential information? Many systems can be set up to record repeated failed attempts to log on with invalid passwords, for instance. The information can be used to track down those attempting to access the data and can show weak spots in your security.