Written by Rob Rhodes, CHCIO, CISSP, HCISPP, Executive Vice President - iatricSystems
Based on an Interview with Dan Rossi
Director of Health Information, Privacy and Compliance Officer, Harrington Memorial Hospital
When Privacy and Compliance Officer Dan Rossi talks about protecting patient privacy, he preaches vigilance in this age of technological convenience.
As Director of Health Information, Privacy and Compliance Officer at Harrington Memorial Hospital in Central Massachusetts, Dan is tasked with protecting the data at the 125-bed acute care facility plus its multi-specialty Physician Services Group.
“Technology is our best friend and our worst enemy in privacy. Phishing attacks, spear phishing, and ransomware are way up there on the alerts, threats, and concern levels, but we also have to be on guard for more mundane things like unsecured text messaging,” Dan said. “As an industry, we each have to fight the urge to go for the easy route, like unsecured text messaging, because it’s an extra step or two signing into a secure system. Sure, secure platforms may cost a little more and take a little more time to use, but just relying on regular text messaging or whatever the unsecured platform might be because it’s easier, that’s a recipe for disaster.”
With all the technology available, well-placed education and peer pressure can also help the fight for patient privacy.
“We have to convince people, even our colleagues if need be, that if you’re not on the patient’s care team, it’s not OK to look at their record just because you treated them a year or two ago,” Dan said. “And I think as an industry, there are too many people who roll their eyes when they hear ‘HIPAA’ because they don’t see any harm with accessing patient data on patients that they are not currently treating. These are all cultural changes the healthcare industry must continue to address.”
At Harrington, Dan works closely with departments and leadership to educate staff about privacy.
“Patient privacy is in the forefront of my thoughts because it's directly related to my daily activities. But to a staff member who works in a non-clinical setting, such as dietary or facilities management, patient privacy might not be at the forefront of their thinking. We need to tailor education to real work scenarios specific to different roles in the organization,” Dan said.
“As an industry, healthcare leaders need to take a step back and weigh user convenience against the risk to privacy. The convenience of not having to remember multiple passwords, not having systems ‘time out’ for inactivity, and not having to send data through a secure platform might all seem easier to the end user, but the risks associated with sending unsecured patient data are significant. It’s just wrong to sacrifice security for the sake of convenience of the user.”
In the end, Dan says complying with patient privacy regulations comes down to common sense, and to remembering that when it comes to patient privacy, as in other aspects of healthcare, the easy way is seldom the best way, or the safest.