Best practices for securing patient information

A look at how healthcare facilities can safeguard data from a physical security standpoint


Since the Oath of Hippocrates, patient confidentiality has been an integral part of the overall healthcare experience. It was not until 1996 that the right of the patient to receive confidential care was federally legislated in the form of the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA rules direct the manner in which patient privacy should be conducted, with an emphasis on safeguarding electronic patient information. Under HIPAA, healthcare providers are required to:

- Develop and implement a privacy policy.
- Train employees to facilitate their understanding of and compliance with the privacy policies and procedures.
- Designate a person to see that the healthcare provider's privacy policies are in place and followed.
- Ensure that patient records are secure and accessible only to those who have a need for them.

According to "Protecting Patient Information Privacy," an article written by Qahim Moosavi and Lawrence S. Simon, which appeared in the June 2008 edition of Physicians News Digest, two of the rules within the HIPAA legislation are the Privacy Rule and the Security Rule. The Privacy Rule directs the healthcare provider to control how the patient's health information is utilized. The Privacy Rule requires the healthcare provider to create and enforce policies to protect the privacy of that health information. The Security Rule requires that the healthcare provider protect all of the electronic "Protected Health Information" (PHI) that is transmitted or stored electronically. "The Privacy Rule requires that administrative, physical and technical safeguards be enforced to ensure that data is protected from inappropriate access, modification, dissemination and destruction," wrote Moosavi and Simon.

A violation of the HIPAA regulations can result in both civil and criminal penalties. Additionally, anyone who knowingly obtains or discloses PHI in violation of HIPAA can be fined up to $50,000 and be imprisoned for up to one year. If the offense is committed with intent to sell or otherwise use PHI for personal gain or malicious harm, fines can be as high as $250,000 with imprisonment for up to 10 years.

Much of the action taken by healthcare providers occurs within the information technology area. However, the electronic safeguards are only as good as the physical and administrative processes that surround them. It is within these physical and administrative processes that the healthcare security department's involvement is vital.

High-profile patients add layers of concern, as a healthcare facility (HCF) is charged with maintaining that patient's privacy. It can be tempting for HCF employees to obtain unauthorized information regarding the high-profile patient. "Just in time" HIPAA compliance training should be considered for all HCF staff. It is also imperative that the patient-specific electronic medical record audits be increased for the duration of the high-profile stay. The fact that these audits are being increased (and that the audits can determine exactly who accessed the record and when) should be communicated to the HCF staff. Consideration should be given to registering the high-profile patient under an alias name. The healthcare security department could oversee this entire process (alias name bank, communication to appropriate entities, etc.). This alias name would be changed back to the legal name at the conclusion of the stay. The electronic systems should be configured to allow access only to those positions within the HCF that have a need to know in the performance of providing care.
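The patient-specific audit and need-to-know configuration described above can be illustrated with a small review script. The following is an added example, not code from the article or from any particular EMR product: the log format (timestamp, user id, role, patient id, action), the role names, the care-team list and the sample entries are all constructed assumptions. It parses access-log lines for one flagged patient (registered under an alias), reports who accessed the record and when, and flags any access by a role outside the care team for follow-up by the security department.

```python
"""Added example: reviewing EMR access-log entries for one flagged (alias)
patient. Not from the article; log format, roles and data are assumptions."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample access log. Assumed format (one event per line):
# timestamp,user_id,role,patient_id,action
SAMPLE_LOG = """\
2024-03-02T08:05:00,u1001,attending_physician,P-ALIAS-7731,view
2024-03-02T08:20:00,u2040,nurse,P-ALIAS-7731,view
2024-03-02T09:10:00,u3550,billing_clerk,P-ALIAS-7731,view
2024-03-02T09:12:00,u3550,billing_clerk,P-0042,view
2024-03-02T11:45:00,u4100,food_services,P-ALIAS-7731,view
2024-03-02T13:00:00,u2040,nurse,P-ALIAS-7731,update
"""

# Assumed need-to-know roles for the high-profile stay (hypothetical list;
# a real HCF would derive this from the patient's assigned care team).
CARE_TEAM_ROLES = {"attending_physician", "nurse"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user_id: str
    role: str
    patient_id: str
    action: str


def parse_log(text: str) -> list:
    """Parse the assumed comma-separated log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, action = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def access_summary(events: list, flagged_patient: str) -> dict:
    """Who accessed the flagged record and when: per user, the role, the number of
    accesses and the first/last timestamps. This is the audit trail the article says
    should be reviewed more frequently during a high-profile stay."""
    summary = defaultdict(lambda: {"role": None, "count": 0, "first": None, "last": None})
    for e in sorted(events, key=lambda ev: ev.timestamp):
        if e.patient_id != flagged_patient:
            continue
        entry = summary[e.user_id]
        entry["role"] = e.role
        entry["count"] += 1
        entry["first"] = entry["first"] or e.timestamp
        entry["last"] = e.timestamp
    return dict(summary)


def flag_unexpected_access(events: list, flagged_patient: str, need_to_know_roles: set) -> list:
    """Return accesses to the flagged record by roles outside the need-to-know set.
    Each hit is a candidate for the security department's follow-up."""
    return [e for e in events
            if e.patient_id == flagged_patient and e.role not in need_to_know_roles]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, info in access_summary(evs, "P-ALIAS-7731").items():
        print(f"{user} ({info['role']}): {info['count']} access(es), "
              f"{info['first']} .. {info['last']}")
    for hit in flag_unexpected_access(evs, "P-ALIAS-7731", CARE_TEAM_ROLES):
        print(f"REVIEW: {hit.timestamp} {hit.user_id} [{hit.role}] {hit.action}")
```

On the constructed data the two accesses by non-care-team roles (the billing clerk and the food-services user) are returned for review, while the clerk's access to a different patient is not, since the review is scoped to the flagged record. Whether billing legitimately belongs on the need-to-know list is exactly the kind of decision the article leaves to the HCF's configuration; the script only enforces whatever list it is given.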
