Laura Ng
Associate Editor
Loyola University Chicago School of Law, JD 2021
The rapid evolution of electronic health records has dramatically changed the healthcare system in the past two decades. Healthcare organizations, both large and small, have transitioned from paper records to hybrid records, and then finally, for many organizations, to completely electronic data. In 2009, the American Reinvestment & Recovery Act (ARRA) created the federal “Meaningful Use” program. This program essentially amounted to a significant government subsidy for practices transitioning to electronic health records and provided funding for organizations to purchase electronic health records subscriptions from health information technology companies in exchange for complete adoption, implementation, and the regular development of quality reporting measures using the new software.
Encountering patient data
In most healthcare capacities, it is inevitable to encounter patient data. Access is necessary and frequent. Providers and clinical support staff must view patient data while examining a patient’s record; patient service representatives work with demographics information when checking-in patients or scheduling appointments; those who work in the financial arm of the organization would no doubt encounter the financial and/or insurance information of patients. Furthermore, those who work in health quality and outcomes reporting are likely to access patient data as well from time to time.
Inappropriate usage
While it is necessary for those who work at healthcare organizations to view patient data, inappropriate usage or viewing of patient data has been known to cropup from time to time. To make things more complicated, it can be difficult to discern the difference between looking up a patient’s information for “legitimate” reasons vs. just plain “snooping.” Most electronic health records have an audit function that shows who has viewed a patient’s information, but whether that viewing is “legitimate” can be difficult to prove (or disprove). After all, one could argue that he was attempting to access another patient’s information but made a typo in the search engine, or claim that he was on the record to do something else for the organization. In addition, most staff members go through so many records per day that it can be extremely difficult for compliance staff to keep track of who has viewed each patient record each day, and whether that reason was necessary.
Training staff to respect privacy
As with just about everything else in life, it is often easier to prevent behavior than to correct it. Thus, training staff at the employee on-boarding point is critical. New employees ought to be taught HIPAA rules, specifically the policy of utilizing the least amount of patient information necessary to perform the job. Consequences for violating such rules ought to be reviewed to further drive home the point that the organization takes such violations seriously. After the training, an attestation (signed form) from the employee ought to be collected. It may also be effective to recount stories of “snooping” healthcare employees in the news and to remind the new employees of what would happen in such a situation. Finally, it is wise to remind the employee that the organization does audit for such behavior, and that the electronic health records system is capable of tracking every person who views the record.
Building a culture of privacy
Perhaps the most important part of compliance is the building of organizational culture: it is important to build a culture of protecting patient privacy. Thus, audit rules ought to be set up with the electronic health records system, alerting the systems administrator and compliance officer of potential violations. For example, it is possible to set the system to sound an alert every time an employee looks up the record of a co-worker, or set the system to trigger an alert if an employee looks up patients who live within a mile-radius of his/her home. A regular manual audit of patient privacy ought to be performed at least once a year. It is also important to make the audit public to the organization – to let employees know that the audit is happening, and that the results will be publicized and taken seriously. In addition, continued, annual training regarding HIPAA and patient privacy is advisable. Finally, senior management ought to be trained to be on the lookout for violations of patient privacy, and to build the culture within their own teams. Hopefully, with a culture of privacy and adequate, continued training at an organization, the risk of patient privacy being violated will be reduced as we advance into a more technological age.