One of the largest threats to patient privacy comes from hospital staff, but it is difficult to prevent employees from improperly accessing patient data and impossible to eliminate the risk entirely.
It is not clear whether employee snooping is on the rise or whether healthcare providers are simply getting better at identifying improper access to records. What is clear is that employee theft of healthcare data is a big problem and is happening frequently across the United States. When databases need to be accessed by hundreds or thousands of individuals, it is a real challenge to give staff the access to medical records they need to do their jobs while simultaneously implementing controls that restrict access to those same records.
Systems that log access requests can help healthcare providers identify breaches promptly, but unless considerable resources are devoted to monitoring and analyzing the access logs, it can take time before improper access to patient health records is discovered.
West Virginia United Health System Effectively Reduces the Risk of Improper Access to Patient Data by Employees
While it is not possible to reduce the risk of improper access to patient data to zero, there are a number of strategies that can be adopted to keep it to a minimum, and West Virginia United Health System believes it has done just that.
Mark Combs, assistant chief information officer at West Virginia United Health System, believes the strategies adopted for the six-hospital WVUHS system are evidence that improper access to patient data by employees is an issue that can be tackled effectively, albeit with a considerable investment of time and resources.
The system used by WVUHS involves much more than computer modules with built-in privacy controls. Combs believes that patient privacy and data security must be instilled in staff from the moment they are hired. WVUHS has appointed a privacy officer to train and instruct staff so that everyone understands what is required of them: when PHI can be accessed, to whom it can be disclosed and under what circumstances.
Security and privacy are not something that can be covered in a one-time training session. Instead, staff are reminded of their importance via regular notices on digital media boards, and presentations are regularly given to leadership groups and enterprise management.
Combs believes audits are not only for the OCR to conduct but should be conducted routinely by covered entities; in fact, at WVUHS internal audits take place on an almost daily basis.
This is vital if an organization really wants to prevent employees from improperly accessing patient data: there must be a real threat of staff being caught. For WVUHS, this means many millions of record accesses have to be checked and monitored every year, and it has implemented the software and hardware to process this information in a timely manner. The results are then passed on for analysis by a dedicated team.
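The kind of routine access-log audit described above, as an added example that is not WVUHS's own tooling: a small Python audit that parses constructed EHR access-log lines, flags accesses with no treatment relationship and staff looking up their own records, and ranks repeat offenders so a review team knows where to start. The care-team mapping, the employee-to-patient mapping and the log format are all assumptions made for the example.

```python
"""Flag likely insider snooping in EHR access logs (added example)."""
import csv
from collections import Counter
from io import StringIO

# Constructed data, not from WVUHS: patient -> staff with a treatment relationship.
CARE_TEAM = {"P100": {"nurse01", "dr07"}, "P200": {"dr07"}, "P300": {"dr07"}}
# Constructed: staff who are also patients, so self-lookups can be caught.
EMPLOYEE_PATIENT_ID = {"nurse02": "P300"}

# Constructed access log in the shape an EHR audit trail might export.
SAMPLE_LOG = """timestamp,user,patient,action
2015-03-02T08:10:00,nurse01,P100,view
2015-03-02T08:12:00,dr07,P200,view
2015-03-02T09:45:00,nurse01,P200,view
2015-03-02T09:47:00,nurse01,P300,view
2015-03-02T09:48:00,nurse01,P300,print
2015-03-02T10:02:00,nurse02,P300,view
2015-03-02T10:05:00,clerk05,P100,view
"""


def parse_log(text):
    """Return one dict per access event."""
    return list(csv.DictReader(StringIO(text)))


def audit(events, care_team, employee_patient_id):
    """Return (findings, off_team_counts): accesses with no treatment
    relationship or a staff self-lookup, plus per-user off-team totals so a
    review team can prioritise repeat offenders over one-off events."""
    findings = []
    off_team = Counter()
    for ev in events:
        user, patient = ev["user"], ev["patient"]
        reasons = []
        if user not in care_team.get(patient, set()):
            reasons.append("no treatment relationship")
            off_team[user] += 1
        if employee_patient_id.get(user) == patient:
            reasons.append("self-lookup")
        if reasons:
            findings.append((ev["timestamp"], user, patient, ev["action"], reasons))
    return findings, off_team


def repeat_offenders(off_team, threshold=2):
    """Users whose off-team accesses exceed the threshold, most frequent first."""
    return [u for u, n in off_team.most_common() if n > threshold]
```

In practice the treatment-relationship data would come from scheduling, admission and order systems rather than a hand-written dictionary, and every flagged event still needs a human reviewer before any conclusion is drawn.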
According to Combs, “What’s measured is what matters… So people know we’re measuring and watching their access; it gives them pause when they start to consider to do something like this.”
The policies and procedures the organization has adopted are proving successful, but it has taken a lot of hard work and the results were not instantaneous. The groundwork was laid over a number of years, and the system is subject to constant improvement to ensure it continues to be effective. It is hard work, but it is hoped that patients will appreciate the efforts being made to protect their privacy.
Combs is scheduled to present the organization’s privacy case study at this year’s HIMSS15 in April, in a session called “Stop Insider Snooping and Protect Your Patient Trust”.