Access Denied: Avoiding Patient Data Disasters
When a data loss or theft occurs, most facilities are reluctant to discuss it beyond what is required to comply with breach disclosure regulations. But better data security may ultimately depend on having this conversation. The problem is growing:
- Laptop theft is the leading cause of PHI breaches affecting more than 500 people, according to the Department of Health and Human Services, which has been tracking data breaches by healthcare organizations since the Breach Notification Rule of the Health Information Technology for Economic and Clinical Health (HITECH) Act was issued in August 2009.
- Data breaches of patient information cost the healthcare industry $6 billion annually, according to privacy researcher Ponemon Institute’s “Benchmark Study on Patient Privacy and Data Security,” published in November 2010.
- A total of 225 breaches of protected health information affecting more than 6 million individuals have been recorded since August 2009, says a breach report by Redspin, an IT security auditing firm. (The report does not include recent breaches reported in New York and Oklahoma, which potentially affected close to 1.8 million patients and others.)
Systems behind discovery
In one recent case, the University of Iowa Hospitals and Clinics (UIHC) disclosed a potential data breach involving 13 University of Iowa football players’ EMRs. The incident resulted in negative publicity and ultimately led to the termination of several employees. Yet the event is also an example, to some degree, of a system that works. UIHC had policies and IT in place that enabled the fast discovery of the breach and quickly prevented it from expanding to additional patients. “The critical component in this scenario was our clinical information systems,” says Lee Carmen, CIO and associate vice president of IT at UIHC. The organization, which includes an adult and children’s hospital, as well as ambulatory clinics, uses an EPIC EMR systemwide. UIHC handles more than 900,000 outpatient visits and more than 30,000 hospital patients annually. “Everything about the patient is recorded in the EMR. The application has extensive auditing capabilities. And it has somewhat robust functionality to limit access,” says Carmen.
UIHC uses a “break the glass” policy for access control when a person of interest comes into the facility, he says. At the highest level, access is restricted until a central authority, usually the organization’s compliance or privacy group, deems the request appropriate, he says. At a lower level, when a staff member tries to access patient information when “break the glass” has been set, a warning appears on the screen asking if the user wants to proceed. “If he or she says yes, access is granted for 24 hours, and that access spools off to a log that is immediately visible to compliance people, which makes it very easy for them to see who’s getting in and doing things,” Carmen says. In the case of the football players, a lower setting, which allows access for 24 hours with high visibility, was in place, he adds.
In addition, “we can go [into the EMR] and say ‘show me everybody who accessed patient John Smith’s record from January 2008 to today,’ and it will show all those accesses—the name of the staff member, what service or department the staff member belongs to. It will tell us date and timestamp, and will even give us indicators as to … what functionality they were trying to execute within the system,” he says.
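The two mechanisms Carmen describes, a two-level “break the glass” control with a 24-hour grant that spools to a compliance-visible log, and an audit query that lists every access to one patient’s record over a date range, are modelled below. This is an added example written for this article; it is not UIHC’s or Epic’s code, and the flag names, level names, user ids, patient ids and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Flag(Enum):
    """How a record is marked. The level names are assumed, not Epic settings."""
    NONE = "none"              # ordinary record: normal role-based access applies
    WARN = "warn"              # lower level: warn, then grant 24 h of high-visibility access
    RESTRICTED = "restricted"  # highest level: compliance/privacy must approve first


@dataclass
class AuditEntry:
    timestamp: datetime
    patient_id: str
    user: str
    department: str
    action: str        # what the user was trying to do, e.g. "view_chart"
    outcome: str       # "granted", "denied" or "warning_shown"
    break_glass: bool  # True when the access ran on a flagged record


class BreakGlassEMR:
    """Toy access layer: patient flags, compliance approvals, timed grants, audit log."""

    def __init__(self, grant_window: timedelta = timedelta(hours=24)):
        self.flags: dict[str, Flag] = {}
        self.approvals: set[tuple[str, str]] = set()      # (patient, user) approved centrally
        self.grants: dict[tuple[str, str], datetime] = {}  # (patient, user) -> grant expiry
        self.audit_log: list[AuditEntry] = []
        self.grant_window = grant_window

    def flag_patient(self, patient_id: str, level: Flag) -> None:
        self.flags[patient_id] = level

    def approve(self, patient_id: str, user: str) -> None:
        """The central authority (compliance or privacy) deems the request appropriate."""
        self.approvals.add((patient_id, user))

    def _log(self, now, patient_id, user, department, action, outcome, break_glass):
        self.audit_log.append(
            AuditEntry(now, patient_id, user, department, action, outcome, break_glass))

    def request_access(self, patient_id, user, department, action, now, acknowledged=False):
        """Return True if the record opens; every attempt is written to the audit log."""
        flag = self.flags.get(patient_id, Flag.NONE)
        key = (patient_id, user)

        if flag is Flag.RESTRICTED and key not in self.approvals:
            self._log(now, patient_id, user, department, action, "denied", True)
            return False

        if flag is Flag.WARN:
            expiry = self.grants.get(key)
            if expiry is None or now >= expiry:
                if not acknowledged:
                    # The warning screen: nothing opens until the user says yes.
                    self._log(now, patient_id, user, department, action, "warning_shown", True)
                    return False
                self.grants[key] = now + self.grant_window  # 24-hour grant starts

        self._log(now, patient_id, user, department, action, "granted", flag is not Flag.NONE)
        return True

    def accesses_for_patient(self, patient_id, start, end):
        """'Show me everybody who accessed this record' between two dates."""
        return [e for e in self.audit_log
                if e.patient_id == patient_id and e.outcome == "granted"
                and start <= e.timestamp <= end]

    def break_glass_feed(self):
        """The high-visibility view compliance watches: all activity on flagged records."""
        return [e for e in self.audit_log if e.break_glass]


def demo() -> dict:
    """Constructed scenario: ids and times are made up for the example."""
    emr = BreakGlassEMR()
    t0 = datetime(2011, 3, 1, 9, 0)
    emr.flag_patient("P-1001", Flag.WARN)        # person of interest, lower setting
    emr.flag_patient("P-2002", Flag.RESTRICTED)  # highest setting

    r = {}
    # The warning appears; the user has not yet said yes, so nothing opens.
    r["warned"] = emr.request_access("P-1001", "clerk7", "Registration", "view_chart", t0)
    # The user proceeds: a 24-hour grant opens and the access spools to the feed.
    r["granted"] = emr.request_access("P-1001", "clerk7", "Registration", "view_chart",
                                      t0 + timedelta(minutes=1), acknowledged=True)
    # Inside the window there is no second warning.
    r["within_window"] = emr.request_access("P-1001", "clerk7", "Registration", "view_labs",
                                            t0 + timedelta(hours=23))
    # After the window lapses the warning comes back.
    r["after_window"] = emr.request_access("P-1001", "clerk7", "Registration", "view_chart",
                                           t0 + timedelta(hours=25))
    # A restricted record stays closed until compliance approves the request.
    r["restricted_denied"] = emr.request_access("P-2002", "rn12", "Nursing", "view_chart", t0)
    emr.approve("P-2002", "rn12")
    r["restricted_approved"] = emr.request_access("P-2002", "rn12", "Nursing", "view_chart",
                                                  t0 + timedelta(hours=1))
    r["p1001_accesses"] = [(e.user, e.department, e.action) for e in
                           emr.accesses_for_patient("P-1001", t0, t0 + timedelta(days=1))]
    r["feed_size"] = len(emr.break_glass_feed())
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design point worth noticing is that the warning, the denial and the grant are all logged on flagged records, not only successful opens: the compliance feed then shows who tried, not just who got in, which is what made a fast discovery possible in the case described.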
“All staff are educated about the confidentiality of patient information and are required to annually sign an online attestation, saying ‘this is the policy and I’m aware of the policy,’ ” Carmen says. “Often, if we have people of interest in-house, we’ll communicate through an enterprise email broadcast. We’re modifying the EMR login screen to include text that says ‘please respect the privacy of our patients.’ ”
UIHC has hardware protections in place for laptops, such as hard drive data encryption. “Thumb drives get to be a little difficult for us. As an academic medical center, [a] good portion of our physicians also are active investigators, so we have controls in place in terms of electronically extracting data out of the enterprise system. But it becomes challenging” in terms of preventing someone at a workstation from transposing information into a spreadsheet or Word document, he says.
“Although we do a lot of education, that’s more of an enforcement by policy just because today’s technology has so many different ways somebody could do something. We plug the holes as we identify the holes, but it’s an ongoing challenge.
“The thing I’m proudest of is that we are very transparent in how we approach patient privacy. We treat everybody the same, so if there’s a potential breach, the rules and repercussions are the same for a clerk as they are for a nurse, as they are for a physician. We don’t have different rules depending on who you are in the organization.
“Although it’s somewhat of a problem—there are marketing implications to having the newspaper writing stories about people inappropriately accessing the system—we still feel it’s the best thing possible to communicate to both our customers and our own staff that we take patient privacy very seriously and we’re very transparent in what we’re doing.”
Keeping the ‘Protected’ in PHI
HIPAA’s rules for security and privacy safeguards were extended by the HITECH Act, but gaps still exist and can cause security breaches, according to Raj Chaudhary, leader of the Security and Privacy practice at Crowe Horwath LLP, an Oak Brook, Ill., public accounting and consulting firm. Chaudhary suggests that providers evaluate their risk of compromising all forms of protected health information (PHI) for improper use or disclosure, loss of data and breach of confidentiality. Providers should take the following steps to protect the security and privacy of PHI: