Best practices for securing patient information

Since the Oath of Hippocrates, patient confidentiality has been an integral part of the overall healthcare experience. It was not until 1996 that the right of the patient to receive confidential care was federally legislated in the form of the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA rules direct the manner in which patient privacy should be conducted, with an emphasis on safeguarding electronic patient information. Under HIPAA, healthcare providers are required to:

- Develop and implement a privacy policy.
- Train employees to facilitate their understanding of and compliance with the privacy policies and procedures.
- Designate a person to see that the healthcare provider's privacy policies are in place and followed.
- Ensure that patient records are secure and accessible only to those who have a need for them.

According to "Protecting Patient Information Privacy," an article written by Qahim Moosavi and Lawrence S. Simon, which appeared in the June 2008 edition of Physicians News Digest, two of the rules within the HIPAA legislation are the Privacy Rule and the Security Rule. The Privacy Rule directs the healthcare provider to control how the patient's health information is utilized. The Privacy Rule requires the healthcare provider to create and enforce policies to protect the privacy of that health information. The Security Rule requires that the healthcare provider protect all of the electronic "Protected Health Information" (PHI) that is transmitted or stored electronically. "The Privacy Rule requires that administrative, physical and technical safeguards be enforced to ensure that data is protected from inappropriate access, modification, dissemination and destruction," wrote Moosavi and Simon.

A violation of the HIPAA regulations can result in both civil and criminal penalties. Additionally, anyone who knowingly obtains or discloses PHI in violation of HIPAA can be fined up to $50,000 and be imprisoned for up to one year. If the offense is committed with intent to sell or otherwise use PHI for personal gain or malicious harm, fines can be as high as $250,000 with imprisonment for up to 10 years.

Much of the action taken by healthcare providers occurs within the information technology area. However, the electronic safeguards are only as good as the physical and administrative processes which surround those electronic processes. It is within these physical and administrative processes that the healthcare security department's involvement is vital.

High-profile patients add layers of concern, as a healthcare facility (HCF) is charged with maintaining the privacy of that patient. It can be tempting for HCF employees to obtain unauthorized information regarding the high-profile patient. "Just in time" HIPAA compliance training should be considered for all HCF staff. It is also imperative that the patient-specific electronic medical record audits be increased for the duration of the high-profile stay. The fact that these audits are being increased (and that the audits can determine exactly who accessed the record and when) should be communicated to the HCF staff. Consideration should be given to registering the high-profile patient under an alias name. The healthcare security department could oversee this entire process (alias name bank, communication to appropriate entities, etc.). This alias name would be changed back to the legal name at the conclusion of the stay. The electronic systems should be configured to allow access only to those positions within the HCF that would have a need to know in the performance of providing care.
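As an added illustration (not part of the article), the increased record audit described above expressed as a check over constructed EMR access-log lines: accesses to the alias-registered patient by users who are neither on the care team nor in a need-to-know position are reported with who accessed the record and when. The log format, role names, user IDs and alias patient ID are all assumed.

```python
"""Audit EMR access events for a watched (high-profile) patient.
Flags accesses outside the care team and need-to-know positions.
All data below is constructed for the example."""
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "timestamp user_id role patient_id action")

# Constructed sample audit log: timestamp|user|role|patient|action
SAMPLE_LOG = """\
2024-03-01T08:02:11|u1001|rn|P-ALIAS-7731|view
2024-03-01T08:15:40|u2042|md|P-ALIAS-7731|update
2024-03-01T09:03:05|u3310|billing|P-ALIAS-7731|view
2024-03-01T09:10:22|u4477|rn|P-0001|view
2024-03-01T10:30:00|u6699|rn|P-ALIAS-7731|view
2024-03-01T11:45:09|u5588|volunteer|P-ALIAS-7731|view
2024-03-01T12:00:00|u1001|rn|P-ALIAS-7731|view
"""

# Assumed policy: the alias ID under watch, the assigned care team, and the
# positions with a need to know in the performance of providing care.
WATCHED = {"P-ALIAS-7731"}
CARE_TEAM = {"P-ALIAS-7731": {"u1001", "u2042"}}
NEED_TO_KNOW_ROLES = {"rn", "md"}


def parse_log(text):
    """Parse pipe-delimited audit lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("|")
        events.append(AccessEvent(ts, user, role, patient, action))
    return events


def flag_accesses(events, watched, care_team, allowed_roles):
    """Return events on watched patients by users who are neither on the
    patient's care team nor in a position permitted by policy."""
    flagged = []
    for ev in events:
        if ev.patient_id not in watched:
            continue                      # not a high-profile record
        if ev.user_id in care_team.get(ev.patient_id, set()):
            continue                      # assigned care team member
        if ev.role in allowed_roles:
            continue                      # need-to-know position
        flagged.append(ev)
    return flagged


def report(flagged):
    """Human-readable 'who and when' lines for the security department."""
    return [f"{e.timestamp} {e.user_id} ({e.role}) {e.action} {e.patient_id}" for e in flagged]


def audit_sample():
    return flag_accesses(parse_log(SAMPLE_LOG), WATCHED, CARE_TEAM, NEED_TO_KNOW_ROLES)
```

The same check runs unchanged over a real export once the parser matches the facility's audit-log format.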

The HCF public information officer and the healthcare security department representative should work together to ensure that the media is given clear direction as to expectations of behavior as well as continuous status updates. This type of coordination reduces the temptation for the media to circumvent the process and breach security procedures. In addition to succinct policies and procedures, signed confidentiality agreements, employee orientation and in-service training, it is imperative that the healthcare security department representative be consulted when there are reports of non-compliance by anyone within or outside the organization. The healthcare security department representative should coordinate with the healthcare legal counsel and be well versed in the HIPAA rules and criminal law. The healthcare security department representative should also be well versed in the state-specific PHI laws and rules, which may be more stringent than the federal HIPAA regulations, in order to recommend consistent and prompt actions.

Local law enforcement officers may also come to the hospital with various requests for patient information. For consistency, these law enforcement officers should be directed to the hospital security department. In turn, the hospital security department officers must be knowledgeable in not only the hospital policy for release of PHI but also the state and federal laws which govern this release, prior to escorting the law enforcement officer to the area specific to the release of the information. At no time should patient care be compromised during the release of patient information. Thus, it is imperative that coordination be maintained between the affected healthcare clinical staff and the healthcare security department representative.

The healthcare security department representative should be an integral participant during the design and renovation of HCF areas with PHI. The healthcare security department representative should be familiar with the International Association of Healthcare Security and Safety's (IAHSS) Security Design and Renovation Guidelines for Healthcare Facilities. The "Areas with PHI" section of this document details the manner in which this type of area should be designed to address the multiple ways in which privileged information can be compromised. "The design should include access and audit systems to be applied, as appropriate, to electronic and written PHI locations in areas including - but not limited to - registration, interview, clinical, storage, and waste areas as well as within data systems," the guidelines state.

The "Areas with PHI" section of this guideline includes specific recommendations in all of the following subjects as well as others:

- Signage/directions specific to PHI
- Furniture and/or barriers to reduce intentional or accidental sharing of PHI
- Secure receptacles for the pickup, delivery, and distribution of mail/records/imaging/lab results, etc.
- Location of bed/condition boards
- Secure areas for printers, facsimile machines, pneumatic tube stations, etc.
- Lighting conducive to the use of privacy screens on computer monitors
- Penetration-resistant construction design for areas housing PHI
- Integrated physical and electronic security systems

The healthcare security department representative should serve as the conduit between Health Information Management (HIM) and IT as well as the Facilities Engineer and Construction Designer, according to the guidelines.

Policies and procedures should be comprehensive. At a minimum, HCF staff should be able to identify exactly who is authorized to have access to PHI, the proper security procedures for handling all types of PHI and the proper procedures for destroying PHI. Staff should also understand that they should report any suspected criminal activity or threats from a patient to the healthcare security department. Criminal or threatening behavior by a patient is not considered protected information and should be reported immediately.

Maintaining a safe, secure and private patient care environment is of utmost importance. Patient confidentiality is a cornerstone in maintaining a high standard of ethics within healthcare. It cannot be accomplished in a vacuum, and the healthcare security department plays an integral role.

About the author: Lisa Pryse currently serves as the Division President of Healthcare with Old Dominion Security in Richmond, Virginia. Prior to this position, Pryse was the system Chief of Police and Public Safety for Eastern Virginia Medical School in Norfolk, Va. Before moving to the Virginia area, Pryse served as the Campus Police and Public Safety Chief for WakeMed Health and Hospitals in Raleigh, NC for more than 18 years. She currently holds the office of President-Elect of the International Association of Healthcare Safety and Security (IAHSS) and serves on the ASIS International Healthcare Council.