
5 Organizational Approaches to Protecting Electronic Health Information
Pages 127-159

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 127...
... Policies discussed in this chapter focus on maintaining the privacy of patient information. Health care organizations may have additional policies in place to protect the privacy of health care providers and of other information that the organizations consider confidential.
From page 128...
... As the committee's site visits attest, health care organizations have developed a number of policies and practices for protecting electronic health information. These include formal policies regarding information system security and patient privacy, formalized structures for developing and implementing policies and procedures, employee training practices, and procedures for monitoring and penalizing breaches of privacy and security policies.
From page 129...
... Policies regarding information use and flows tend to be formalized in specific policy documents on security, confidentiality, protection of sensitive health information, research uses of health information, and release of health information. They address both paper and electronic health records to avoid possible inconsistencies in the procedures employees follow for handling them.5 Formally developed policies vary among organizations according to their internally developed risk assessments (Box 5.1).
From page 130...
... Each of these datasets may be considered corporate assets and their disclosure may result in a financial disadvantage or loss to the organization. Although this perspective can provide strong incentives for protecting health information, health data are qualitatively different from proprietary corporate information and entail unique risks and liabilities.
From page 131...
... Policies to Protect Sensitive Information
Most health care organizations have policies that establish special protections for sensitive information such as mental health records, HIV status, drug and alcohol treatment, as well as the health records of celebrities and other widely recognized persons. Protection of some information is guided by state or federal legislation (see Chapter 2); other protection is provided voluntarily by individual organizations.
From page 132...
... Furthermore, some sensitive information must be kept in the main record to ensure adequate care. Medication lists are typically included in electronic medical records because of the need to avoid prescribing drugs that interact with one another to cause an untoward effect.
From page 133...
... An alternative approach that is used successfully by some health care organizations is to avoid segregating sensitive information from the rest of the medical record and to instead improve the security of the entire, integrated medical record through the use of well-designed authentication procedures, access controls, audit procedures, and other mechanisms. The goal of this approach is to raise the level of protection for all health information, not just sensitive information.
From page 134...
... , whose members evaluate the potential for patient risk as a result of granting access (Box 5.2). Sites visited by committee members had experienced no instances of researcher abuse of confidentiality policies, and their IRB mechanisms seemed to function well to reduce such risk.8 Policies with regard to institutional review boards also may include procedures on how to obtain IRB approval, a clearly specified statement of IRB function and protocols, and lists of its regularly scheduled meetings and reviews.
From page 135...
... the circumstances under which additional patient consent is required. Organizations may track releases of patient information by retaining in the permanent health record the signed authorization form (when one is required)
From page 136...
... Patient Bill of Rights
Some organizations have developed or adopted a patient bill of rights that outlines clearly the relationship between patient and provider; states the patient's rights to privacy and confidentiality; and outlines state and federal laws, regulations, and standards guaranteeing those rights. For example, it may describe a patient's right to view the audit trail related to a hospital stay or the procedures by which a patient may review the contents of his or her health record and correct information he or she believes is inaccurate.10 The name and telephone number of a contact person within the organization who is responsible for patient complaints with regard to privacy and security (e.g., an information security officer)
From page 137...
... This site had worked with patient representatives to test their ability to understand the forms.12 Coordinating a patient bill of rights with a disclosure authorization form can further enhance the relationship between provider and patient by helping to establish mutual understanding and trust.
Access to Records and Audit Logs
Many health care organizations allow patients to review their own health records and to correct or amend records, as necessary, through a formal process.
From page 138...
... They typically include groups charged with developing policy; offices or departments for implementing policy; and structures for granting access privileges to users of the institution's information systems. A fourth structure, the institutional review board, is discussed above in the section titled "Policies on Research Uses of Health Information."
Policy Development Process
Health care organizations develop privacy and security policies in many different ways: by a small cadre of senior executives, by a committee process that solicits input from across the organization, or by some combination of the two.
From page 139...
... Some reported directly to upper management; others were part of a larger medical records committee. Regardless, committee composition is generally broad and may include members with knowledge of user needs and behavior (e.g., health information managers, nurses, physicians, admitting managers, human resources managers, and patient relations representatives)
From page 140...
... For example, one information systems committee developed policy that said protecting patient privacy required the use of audit trails. That organization's information security officer then developed procedures that included a description of how often an audit trail should run, what information should be recorded, and what actions a patient should take in order to review audit trail data.
From page 141...
... The disadvantage is that they may not understand requests that stray from standard guidelines. Similarly, human resources personnel are responsible for administering new hires, transfers, and terminations and need to be closely involved in granting access privileges, but they are not close enough to the practical needs of health care providers to appraise unusual, but legitimate, requests for access.
From page 142...
... Mechanisms are also needed to allow data stewards to share information on good practices.
EDUCATION AND TRAINING
Education and training programs are critical to an organization's attempt to protect patient privacy and information security.
From page 143...
... A variety of education tools and policy instruments, such as confidentiality agreements, can serve this role.
Training Programs
Most health care organizations have formal classes or programs to educate employees about patient privacy and system security.
From page 144...
... Another possible technique, detailing (used effectively by drug companies), might be customized to present one-on-one training to individual physicians or small groups of physicians. No matter which training techniques are developed for physicians, it is imperative that the leadership of the medical staff, both chairs of clinical departments and the chief of staff, be involved in their development and act as champions of and models for patient privacy.
From page 145...
... One site visited by committee members denied the probability of breaches of patient privacy on the grounds that "nobody here would do that." By failing to acknowledge that individuals can (either through accident or malice) fail to protect patient privacy, the organizational culture ensured that changes in policy and practice were unlikely to occur.
From page 146...
... An organization's information system may be designed to educate users as to possible breaches of confidentiality. Described earlier was a screen used at one site that appeared whenever users accessed sensitive information.
From page 147...
... These could be offered across departmental desktop machines or at a central location such as the human resources department. At least one of the sites visited by committee members developed a special pamphlet to present the organization's confidentiality and secu
From page 148...
... Actor-employees in the video re-created instances where patient privacy had been breached; many of them seemed initially innocent, reinforcing the message that even good intentions can lead to unintended consequences. In one example, an employee was disciplined for accessing another employee's electronic health record to obtain a mailing address for a get-well card.
From page 149...
... Of the sites visited by committee members, several required any individual accessing the information system to sign a form verifying that he or she had read, had understood, and was committed to the organization's confidentiality policies.19 In keeping with other ongoing efforts, employees were required to sign this agreement during the initial orientation session and annually thereafter at the time of their performance review. Confidentiality agreements may also be used for nonemployees who have access to health information; these can include contract workers, vendors, physician's office staff, students, temporary workers, and volunteers.
From page 151...
... If a policy is violated and no response follows, the validity of the structure to protect patient privacy is nullified. If appropriate sanctions are applied, but only irregularly, after a long delay, or with little impact on perpetrators, the structure is severely undermined, and its legitimacy is suspect.
From page 152...
... Unevenly applied penalties can cause friction among staff and undermine confidentiality and security policies. For sanctions to act as an effective deterrent, employees must know
20. Information Week, Vol. 3 (June 1996)
From page 153...
... IMPROVING ORGANIZATIONAL MANAGEMENT: CLOSING THE GAP BETWEEN THEORY AND PRACTICE
Each of the sites visited by committee members indicated a strong interest in and concern for patient privacy but often failed to have adequate written policies or to demonstrate behavioral compliance with existing policies. Typical of inadequate or incomplete policies was the lack of clear definition of what was meant by a lapse in security or a breach of patient privacy or of what these meant in the context of the health information systems maintained by the organization.
From page 154...
... As organizations expand their boundaries they need to develop a comprehensive program to ensure that the message of commitment to patient privacy is pervasive and implemented in policies, procedures, and everyday behavior. Such a model includes an overall vision and goal statement, specific policy development, training, and provisions for disciplinary action.
From page 155...
... In many cases, events have focused on a celebrity or public official, reinforcing the belief that the broad population of patients is unlikely to be harmed. At least one of the sites visited by committee members believed little would happen if its entire database of patient information were made public.22 As the committee conducted its study, it has become apparent that although most health care organizations express a commitment to patient privacy, their actual practice is somewhat different.
From page 156...
... As in other industries, health care organizations do not act until a gross breach of patient privacy has occurred. According to one expert, sales of security products in the financial industry rise sharply after a breach is reported in the media, but drop off just as sharply after about 10 days.
From page 157...
... Lack of Focus on Information Technology
Information management has become an essential component of the financial and managerial aspects of health care organizations, as well as of the provision of clinical care. Health care organizations are no different demic journals on health care system mergers and strategic alliances, it is clear that the development and the process of alliance or merger are still poorly understood.
From page 158...
... Some health care organizations have never really accepted the idea of patients as organizational participants; hence, when matters of privacy and security are raised, discussion centers on the proprietary value of such information, not on the threats to individual patients' rights to privacy. Health care organizations are focused on providing care, not on providing security.26 Accordingly, technology is valued inasmuch as it supports that goal and does so in a way that is convenient to caregivers.
From page 159...
... The more that global cultural influences are felt in contemporary organizations of all types, the less likely it is that any individual organization will be dominated by the influence of one or a few leaders who exert their personal stamp on everyday business dealings. Organizations whose leaders and participants generally deny the possibility of violations of patient privacy (e.g., "It can't happen here," or "We've never had a serious incident before")


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.