Just how private is your patient information?
The biggest culprit might surprise you
When actress and fitness guru Suzanne Somers disclosed her battle with breast cancer on CNN’s "Larry King Live," it wasn’t a discussion she planned to have. However, detailed information about procedures the famous actress had undergone at a California plastic surgery clinic was published days before in a supermarket tabloid.
Upset by the article’s insinuation that she relied on cosmetic surgery and not the diet tips published in a best-selling self-help book, the actress told King she felt forced to reveal her illness and explain that the surgeries were to repair parts of her body she felt were "disfigured" by cancer treatments.
The fact that Somers was coerced into discussing her private medical information on a national television talk show indicates the difficulty health care facilities often have keeping patient medical information private. Before your ethics committee is asked to investigate an alleged breach of confidentiality, there are steps you can take to avoid similar situations.
Despite the Joint Commission on the Accreditation of Healthcare Organizations’ standards on maintaining patient confidentiality, state laws prohibiting the release of personal patient information without consent, and most hospitals making inappropriate disclosure of patient information a firing offense, confidential material sometimes seems to be available for the asking.
"A lot of times, it isn’t even the National Enquirer that is hacking in getting information. Internal hacking can be a problem. People are curious," says Emily Friedman, an independent health policy and ethics analyst based in Chicago. "If Elizabeth Taylor’s in the hospital, they want to know if Elizabeth Taylor has cancer or not. No harm is intended. But, once one person gets the information, it travels through the hospital by word of mouth. Then, anybody can call the Enquirer."
Put records under lock and key
In some cases, breaches of patient confidentiality occur not because someone who works for the hospital deliberately disclosed the information, but because medical record information often is left in nonsecure environments. And the danger to privacy is not limited to celebrities. "In one of the hospitals I’ve worked in, I could have seen any chart in the place and I was the lab slip delivery girl," she says. "I could have taken it, photocopied it, and returned it without anyone knowing."
A CEO of a large health system in the Pacific Northwest told Friedman that when he first came to his current hospital, staff would transport records on large carts and, if they took a break, would leave the carts unattended in the hall, she continues. "He used to find the carts and take them to his office. The employee would then have to come to his office to get the medical records back."
Part of the problem is that, because medical personnel deal with patient information all day long, they often forget that the information they work with every day is confidential and could be damaging to the patient if released into the wrong hands.
"I think, in general, hospital employees are aware of the patients’ rights to privacy and that medical information should be kept confidential," says Karen Czirr, MS, RHIA, information security manager at Children’s Hospital of Philadelphia (CHOP). "But dealing with patient information becomes second nature to you. Sometimes, it is hard to remember that there may be people out there who want to find out someone else’s medical information. I have seen minutes from meetings thrown into trash cans near the elevator. The person who drops it there might not even think that anyone would pull that out of the trash to see what was on it — that someone waiting for the elevator might see [his or her] neighbor’s name on that list."
It is not enough to have policies prohibiting employees from disclosing patient information without consent, say Friedman and Czirr. Hospitals must make every effort to set up security measures to protect information as it moves from one site of care to another and from one department to the next.
"Paper medical records need to be kept in a secure area," says Friedman. "For patients in the hospital, that is more difficult because those records might be needed right away for patient care. But records of patients not currently admitted should be under lock and key. And, there should be a sign-out procedure. If someone wants the record, they sign a sheet and show hospital ID."
Systems must be in place to keep info secure
Systems should be in place because, with more and more contract health care workers, floating shifts, and outside vendors working in hospitals, staff cannot be expected to recognize who is authorized to look at records and who is not, she adds. "In a small, rural facility, you might have a shot at it," she continues. "At a large, academic medical center — no way."
The issue of electronic records is much more tricky. "We have the technology to make electronic medical records, but we don’t have the technology to make them totally secure," Friedman believes. Good computer hackers looking for patient information can get it. "If Microsoft can be hacked, you can be hacked," she adds.
CHOP is moving toward having a completely electronic patient medical record, says Czirr. And, information technology personnel have implemented extensive security measures to secure the information, limit access to information, and track who sees what patient information in case a problem arises.
"It is very controlled, and there are lots of levels of access," she explains. "I don’t train the people who work for me; they go to our training center and are trained and given their computer password. I don’t know their passwords and they don’t know mine."
In addition, the hospital managers can monitor "audit trails" of which employees access which files, she says. "We have nursing managers who look at what the nursing personnel are doing," Czirr says. "Is a nurse on 2 West looking at patient data on 4 East? We look at particularly sensitive data, communicable diseases, HIV, child abuse cases [and], information that is in our database because of violent acts. We look at who is accessing this information. As security manager, I have access to everything, but there are some things I don’t know how to use. And, if someone sees my name on an audit trail maneuvering around the system in the lab, something would pop up on my screen or I would get a phone call asking if I had a reason for doing this."
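The audit-trail review described above can be sketched as a small script. This is an added example, not CHOP's system: the log columns, user names, and care-team table are constructed assumptions, and it flags cross-unit access and access to the sensitive categories the article names.

```python
import csv
import io

# Constructed audit-trail sample (not real data); the column layout is an assumption.
AUDIT_CSV = """\
timestamp,user,user_unit,patient_id,patient_unit,category
2001-03-05T09:12:00,nurse_a,2 West,P100,2 West,general
2001-03-05T09:40:00,nurse_a,2 West,P200,4 East,general
2001-03-05T10:05:00,nurse_b,4 East,P200,4 East,HIV
2001-03-05T11:30:00,clerk_c,Records,P300,ED,communicable disease
2001-03-05T11:45:00,sec_mgr,Security,P400,Lab,general
"""

# Data categories the article says are watched closely.
SENSITIVE = {"communicable disease", "HIV", "child abuse", "violent act"}

# Constructed care assignments: (user, patient_id) pairs with a treatment reason.
CARE_TEAM = {("nurse_a", "P100"), ("nurse_b", "P200")}


def review_audit_trail(audit_csv, care_team=CARE_TEAM, sensitive=SENSITIVE):
    """Return (user, patient_id, reasons) for accesses a manager should question.

    Cross-unit and sensitive-category accesses are always listed; a missing
    care relationship is attached as an extra reason so reviewers can triage.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        reasons = []
        if row["user_unit"] != row["patient_unit"]:
            reasons.append("cross-unit")
        if row["category"] in sensitive:
            reasons.append("sensitive:" + row["category"])
        if reasons and (row["user"], row["patient_id"]) not in care_team:
            reasons.append("no-care-relationship")
        if reasons:
            findings.append((row["user"], row["patient_id"], reasons))
    # Most reasons first, so the likeliest problems reach the reviewer first.
    findings.sort(key=lambda f: len(f[2]), reverse=True)
    return findings


if __name__ == "__main__":
    for user, patient, reasons in review_audit_trail(AUDIT_CSV):
        print(f"{user:8} {patient}  {', '.join(reasons)}")
```

A flagged entry is a prompt for the follow-up question the article describes, not proof of a violation: the assigned nurse viewing HIV data still appears, but last in the list.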
In addition to setting up security protocols and technology, it is essential that hospitals strictly enforce patient privacy regulations and severely punish employees who violate them. "You have to create a culture of privacy, of maintaining confidentiality," says Friedman. "Part of all training and re-education should include reminders of patient privacy standards."
Some hospitals have signs in the corridors and in elevators reminding employees not to discuss patient information in public areas, she says. "You want to say that, ‘We are here to take care of people and part of that is to keep their business private,’" she explains. "If somebody is playing fast and loose with patient information, if someone is talking in the elevator, they can be reported, be it a patient care associate, the CEO, or the chief of staff."
Adopt strict policies
At CHOP, employees go through a formal patient privacy awareness program when they are hired and are required to attend retraining on the topic annually. "We go over privacy of medical records, use of the computer messaging systems, use of e-mail, the difference between our intranet and the Internet," says Czirr. "Many people don’t realize that even though mail sent over our system internally is encrypted, once it goes to another facility — even one around the corner — it is no longer protected." The program also covers information that is left on patient or physician office answering machines, she notes.
The hospital also has strict policies governing punishment for violations of its privacy standards — even if no harm occurs. "Violation of privacy or confidentiality here hits on two levels," she explains. "If it was unconscious, you weren’t thinking, for example, and logged in on your computer system and left the desk. Or, you are dashing to a meeting and don’t have time to send a new employee to training and you let them log in with your password and they wander into an area they are not supposed to be in, etc. A lot of people are hurrying and trying to get their work done, and they just don’t think about it. For that, you can be suspended for up to three days with or without pay. In every instance, if you are not terminated, your password and access to data are taken away and you have to go through retraining and re-sign the confidentiality agreement before you can go back to work. Everybody has to meet with me or someone on my team, watch a video, and listen to us lecture you. For employees who have been here a long time and who genuinely just made a mistake, it is humiliating to them."
Second, for employees who deliberately violate patient confidentiality, the punishment usually is termination. "We have fired people for deliberately going into databases and accessing data that they were not supposed to, and it has not been limited to people who punch a time clock, or middle management," she adds. "We have fired upper management and physicians on our payroll who have consistently violated our policies on patient confidentiality."
No such thing as a little leak
Although leaks of patient information about celebrities, presidential candidates, and others grab the headlines, hospitals need to be especially vigilant about the "small" ways that patient confidentiality can be compromised, often without bad intentions, by hospital employees, says Czirr. A worker employed by a hospital contract vendor was working in their patient records department and previously had been employed by one of CHOP’s physician offices, she relates.
"We do not release incomplete records from our department unless it is for patient care," she continues. "So, if a physician still has to sign the operative note or the discharge summary, they have a certain number of days in which to do that, but the record cannot leave the department."
A particular physician office wanted information from a patient’s record that was not complete, and the office was told it would have to send someone down in person to examine the record. Not wanting to go to the trouble, someone at the office contacted the contract worker who had been a former employee. The worker obtained the record, made photocopies, and was on her way out the door when she was stopped, says Czirr.
"No. 1, she was not an employee," she says. "No. 2, we caught her leaving the department with the copies. We just happened to be in the right place at the wrong time, from her perspective. We told the vendor that they didn’t have to terminate her, but she could no longer work in our hospital."
In another situation, a staff person’s grandchild was brought in to the hospital emergency department, Czirr says. The staff member accessed the lab results of toxicology tests administered to see whether the child, a teen-ager, had tested positive for drug or alcohol use. The employee’s name turned up on an audit trail. "She felt justified in that it was her grandchild, and she lived with her daughter," she says. "But she was not the party responsible for his medical care, and we had to tell her she had no right to the information and could not violate his confidentiality."
Recommended reading
• Czirr K. Three steps to increasing employee information security awareness. J AHIMA 2000; 71:30-31. Available at: www.ahima.org/journal/cutting.edge/0007.html.
• Friedman E. Who shouldn’t have access to your information? Privacy through the ethics lens. J AHIMA 2001; 72:24-27. Available at: www.ahima.org/journal/features/feature.0103.3.html.
Sources
• Karen Czirr, Children’s Hospital of Philadelphia, 34th Street and Civic Center Boulevard, Philadelphia, PA 19104-4399.
• Emily Friedman, 851 W. Gunnison St., Chicago, IL 60640.