Best practices for securing patient information

A look at how healthcare facilities can safeguard data from a physical security standpoint


The HCF public information officer and the healthcare security department representative should work together to ensure that the media is given clear direction as to expectations of behavior as well as continuous status updates. This type of coordination reduces the temptation for the media to circumvent the process and breach security procedures. In addition to succinct policies and procedures, signed confidentiality agreements, employee orientation and in-service training, it is imperative that the healthcare security department representative be consulted when there are reports of non-compliance by anyone within or outside the organization. The healthcare security department representative should coordinate with the healthcare legal counsel and be well versed in the HIPAA rules and criminal law. In order to recommend consistent and prompt actions, the healthcare security department representative should also be well versed in the state-specific PHI laws and rules, which may be more stringent than the federal HIPAA regulations.

Local law enforcement may also present at the hospital with various requests for patient information. For consistency, these law enforcement officers should be directed to the hospital security department. In turn, the hospital security department officers must be knowledgeable in not only the hospital policy for release of PHI but also the state and federal laws which guide this release prior to escorting the law enforcement officer to the area specific to the release of the information. At no time should patient care be compromised during the release of patient information. Thus, it is imperative that coordination be maintained between the affected healthcare clinical staff and the healthcare security department representative.

The healthcare security department representative should be an integral participant during the design and renovation of Healthcare Facility (HCF) areas with PHI. The healthcare security department representative should be familiar with the International Association of Healthcare Security and Safety's (IAHSS) Security Design and Renovation Guidelines for Healthcare Facilities. The "Areas with PHI" section of this document details the manner in which this type of area should be designed to address the multiple ways in which privileged information can be compromised. "The design should include access and audit systems to be applied, as appropriate, to electronic and written PHI locations in areas including - but not limited to - registration, interview, clinical, storage, and waste areas as well as within data systems," the guidelines state.

The "Areas with PHI" section of this guideline includes specific recommendations in all of the following subjects as well as others:

- Signage/directions specific to PHI
- Furniture and/or barriers to reduce intentional or accidental sharing of PHI
- Secure receptacles for the pickup, delivery, and distribution of mail/records/imaging/lab results, etc.
- Location of bed/condition boards
- Secure areas for printers, facsimile machines, pneumatic tube stations, etc.
- Lighting conducive to the use of privacy screens on computer monitors
- Penetration-resistant construction design for areas housing PHI
- Integrated physical and electronic security systems

The healthcare security department representative should serve as the conduit between Health Information Management (HIM) and IT as well as the Facilities Engineer and Construction Designer, according to the guidelines.

Policies and procedures should be very inclusive. However, HCF staff should be able to identify exactly who is authorized to have access to PHI, the proper security procedures for handling all types of PHI, and the proper procedures for destroying PHI. Staff should also understand that they should report any suspected criminal activity or threats from a patient to the healthcare security department. Criminal or threatening behavior by a patient is not considered protected information and should be reported immediately.

Maintaining a safe, secure and private patient care environment is of utmost importance. Patient confidentiality is a cornerstone in maintaining a high standard of ethics within healthcare. It cannot be accomplished in a vacuum, and the healthcare security department plays an integral role.

About the author: Lisa Pryse currently serves as the Division President of Healthcare with Old Dominion Security in Richmond, Virginia. Prior to this position, Pryse was the system Chief of Police and Public Safety for Eastern Virginia Medical School in Norfolk, Va. Before moving to the Virginia area, Pryse served as the Campus Police and Public Safety Chief for WakeMed Health and Hospitals in Raleigh, NC for more than 18 years. She currently holds the office of President-Elect of the International Association of Healthcare Safety and Security (IAHSS) and serves on the ASIS International Healthcare Council.