HIMSS: Create a prevention plan for protecting patient privacy
LAS VEGAS—Healthcare organizations have dual, sometimes conflicting, responsibilities to provide safe, high-quality care and safeguard patients' sensitive information, said Eric M. Liederman, MD, MPH, director of medical informatics at the Kaiser Permanente Medical Group in Sacramento, Calif., during a presentation at the 2012 Healthcare Information and Management Systems Society (HIMSS) conference.
Access to information equals quality, Liederman said. Without information, clinicians are challenged in delivering other drivers of quality. The key is finding the right balance between the goals of quality care and privacy.
Privacy is like any other protective measure, he said—silent until there is a problem and then there is a frantic response. To prevent those problems, Liederman discussed the two main approaches to privacy protection: access restriction and accountability. Access restriction involves passwords and other fairly straightforward measures while accountability is more complex.
Liederman suggested running proactive reports on data access. His surveillance reports have resulted in a 90 percent reduction in hits which the organization has been able to sustain at a very low level. Proactive monitoring is more effective than investigating allegations, he said. The reports, however, must be highly specific, which requires testing and refining.
Liederman said IT leaders must secure the resources they need, which is probably less than they think. Kaiser, for example, has two report writers for an organization with almost nine million members.
He also suggested involving human resources early for consistency. "This is not a workforce reduction effort," he cautioned. "The goal is deterrence, an effort to prevent normal, fallible people from giving in to momentary temptation."
Kaiser also uses alerts as part of its deterrence efforts. A "Break the Glass" button allows users to access data in an emergency, but its mere presence has cut access rates by 8 to 25 percent, Liederman said. The alert "gives people an opportunity to make the right decision."
Be ready to address tough policy issues, he warned. For example, can physicians look up their own family members? "I don’t have the answers. We’ve certainly wrestled with questions like these and come up with our own answers."
Access to information equals quality, Liederman said. Without information, clinicians are challenged in delivering other drivers of quality. The key is finding the right balance between the goals of quality care and privacy.
Privacy is like any other protective measure, he said—silent until there is a problem and then there is a frantic response. To prevent those problems, Liederman discussed the two main approaches to privacy protection: access restriction and accountability. Access restriction involves passwords and other fairly straightforward measures while accountability is more complex.
Liederman suggested running proactive reports on data access. His surveillance reports have resulted in a 90 percent reduction in hits which the organization has been able to sustain at a very low level. Proactive monitoring is more effective than investigating allegations, he said. The reports, however, must be highly specific, which requires testing and refining.
Liederman said IT leaders must secure the resources they need, which is probably less than they think. Kaiser, for example, has two report writers for an organization with almost nine million members.
He also suggested involving human resources early for consistency. "This is not a workforce reduction effort," he cautioned. "The goal is deterrence, an effort to prevent normal, fallible people from giving in to momentary temptation."
Kaiser also uses alerts as part of its deterrence efforts. A "Break the Glass" button allows users to access data in an emergency, but its mere presence has cut access rates by 8 to 25 percent, Liederman said. The alert "gives people an opportunity to make the right decision."
Be ready to address tough policy issues, he warned. For example, can physicians look up their own family members? "I don’t have the answers. We’ve certainly wrestled with questions like these and come up with our own answers."