Avoid the ‘dirty little secret’ inside healthcare
Stop staff members from snooping
After reading this article, you will be able to:
- Describe the differences between paper and electronic patient records
- Recall strategies to prevent staff members frominappropriately accessing patient records
Curiosity. Malice. Efficiency. Rivalry. To be helpful. To be hurtful. Because they have a brief lapse of judgment. Because they have a plan to steal thousands of identities and sell them on the Internet. The reasons why staff members snoop in patient records are as varied as the employees.
“I’ve sometimes called it the ‘dirty little secret’ inside healthcare because it has been a problem for a very long time,” says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
So what can you do? Catching a snoop is like looking for a needle in a haystack. But for the sake of your facility’s patient safety, you’d better try.
From bad to worse
Keeping staff members from inappropriately accessingpatient records has always been difficult. But as an increasing number of covered entities implement electronic health records (EHR), snooping is becoming an even bigger problem, Borten says.
Paper records tend to be more secure by nature, says Mary D. Brandt, MBA, RHIA, CHE, CHPS, president of Brandt & Associates, Inc., in Bellaire, TX. “They’re not that easy to access,” Brandt says. “I mean, we in health information management can’t even find the things when we’re looking for them, let alone somebody who wanders in and doesn’t know the system.”
Electronic records tend to be far less secure, simply because so many people have access to them and because of the ease of finding and opening a record, and then downloading, printing, and copying it. Without good audit trails, you might not even know it happened, Brandt says.
“It’s easier for people to snoop in an electronic environment without feeling guilty and without getting caught,” Borten says. “Even really nice people, when they get in cars, they feel anonymous, and they do things like cut you off. There is the same sense of anonymity when you are sitting in front of your computer screen doing legitimate work, and you say, ‘Oh, well, I’m logged on. I’m just going to take a quick look at this record; nobody will ever notice.’ ” So, although the problem is unlikely to go away soon, you can mitigate your risk and manage your staff members.
Camille Orso, CHP, is corporate director of HIPAA compliance and privacy officer at Trinity Health in Novi, MI. With 45 hospitals and 46,000 full-time employees in seven states, it is the fourth largest Catholic healthcare system in the country. Trinity Health is currently in the process of implementing a systemwide EHR. Orso says she has learned much in the process, including how people handle information when it becomes so easily accessible.
Start with training
The first step involves teaching staff members why viewing records they don’t need to see to perform their jobs is impermissible.
The privacy officers at each of Trinity Health’s hospitals use several methods to ensure constant staff awareness of the need to protect patient privacy. These include training during orientation, attending departmental meetings, publishing reminders in a newsletter, and hosting annual privacy week events on the anniversary of the HIPAA privacy rule implementation date. Staff members and nonemployees also sign confidentiality agreements that clearly describe prohibited behaviors, including snooping.
Limit access if possible
Facilities with an EHR system should consider using role-based access for employees and develop eligibility rules for external individuals to reduce the opportunities for snooping.
Don’t provide access to a system or database to staff members who don’t need access to perform their jobs. Consider other methods of making patient information available to nonemployees.
Trinity Health has worked hard to develop policies that address eligibility for access to clinical systems as it has implemented EHRs in its hospitals. This process included determining how Trinity Health wanted to manage access control at each hospital. To avoid inconsistency, Trinity Health determined that individual managers would not decide which of their staff members would have access to various systems. Instead, it established a system in which staff members’ positions determine their level of access.
Trinity Health considered various job categories, such as nurse and financial analyst, and determined which applications are necessary for each position, Orso says. Now, when a new employee begins work, access to applications and systems is predetermined. This eliminates a lot of inconsistency because you’ve already thoughtfully outlined what makes the most sense in your policies and procedures, she says.
Keep an eye on your audit trails
Borten says she believes that the HIPAA privacy and security rules intend for covered entities to prospectively monitor their audit trails.
Monitoring techniques aren’t well-developed yet, mostly due to the complexity of healthcare, Orso says. But facilities should strive to identify situations involving inappropriate access by monitoring overall access to the greatest extent possible. Many systems are capable of generating reports for a specific time period, such as 24 hours, and listing every access that occurred during that period.Alternatively, the ability to generate a report that lists every medical record a staff member has accessed is essential if you suspect a specific individual of noncompliance. The ability to identify all staff members who viewed a particular record is important when a patient suspects that someone accessed his or her record improperly. Supervisors and privacy officers may review reports together for evidence of suspicious behavior.
Launch an investigation
Develop a plan that gives a detailed explanation of the necessary steps in a privacy investigation, Orso says. Perhaps a patient has complained that a staff member has accessed his or her record inappropriately. Or perhaps an employee observes a colleague viewing patient records without a job-related reason. Be ready to launch an investigation to determine whether a HIPAA violation has occurred, she says.
Orso ensures that Trinity Health’s privacy officers document all investigations in a database by downloading summarized versions of all incidents on a quarterly basis. Creating a report for the corporate privacy office staff members in this manner allows them to monitor privacy compliance trends in the organization.
Take corrective action if necessary
It is important to have written sanctions and make staff members aware of them during training, Borten says. You must also take disciplinary action if it becomes necessary, and be consistent. “You can’t make an exception for the absolute best nurse on staff,” she says.
Trinity Health uses a tool called the incident severity scale to help determine appropriate disciplinary action. “It takes into account the intention of the individual responsible for the privacy breach and the level of harm to the patient and the organization,” Orso says. (See “Sample incident severity scale” on p. 9.)
Adapted from Briefings on HIPAA, September 2008, HCPro, Inc.