When hospital clinicians are accessing patient records thousands of times daily, how do you spot the access that’s questionable or worse?
Trying to comply with privacy rules can tie a hospital’s IT and privacy staff in knots. If privacy compliance is an issue at your hospital, you’ll probably be interested in how a community hospital in Beaufort, South Carolina tackled its patient privacy issues head on, and the dramatic improvements that resulted.
As a 200-bed community hospital, Beaufort Memorial Hospital is large enough to have the same patient privacy issues as larger facilities, yet small enough so that resources can be a challenge. Ed Ricks, VP of Information Systems and CIO at Beaufort, was convinced that even a community hospital with a tight budget for information security could take meaningful steps to improve breach detection and prevention. Through some culture changes and innovative technology, Ed guided the hospital to a proactive approach to privacy monitoring, reducing improper access to patient records by 98%.
The success at Beaufort is drawing media attention. In an article in Health IT Security, Ed explains how his hospital (like many others) formerly took a reactive approach to enforcing patient privacy, and shares insights about what it means to be proactive. He also discusses lessons learned from past privacy breaches, and how Beaufort stepped up efforts to address improper EHR access. One initiative was a focus on staff culture to discourage risky behavior. Another involved deploying automated tools to perform various audits and flag potentially inappropriate activity for further investigation.
Healthcare Info Security explores these issues further in a case study and accompanying podcast interview of Ed Ricks by executive editor Marianne Kolbasuk McGee. During the podcast, Ed explains that while Beaufort lacks the resources of a large urban facility, they have taken effective steps to protect patient privacy and secure data, with technology playing a key role in this effort. Ed speaks to how technology can help distinguish between a possible breach and normal user activity, which can be challenging since what is appropriate access for some roles and scenarios is not for others.
Ed also explains how education played a large role in the hospital’s efforts to proactively detect improper access. This includes getting the word out to employees that the hospital is monitoring all accesses of patient records — and has the tools to back up their messaging. These tools have helped stem potential occurrences of inappropriate access before they escalate to full-fledged privacy breaches.
It’s great to see Ed Ricks and Beaufort Memorial Hospital getting some well-deserved attention for becoming highly proficient at protecting patient privacy and reducing improper access to patient records. I encourage you to check out the articles and podcast — it’s an inspiring story!
One final point: these initiatives are not just about HIPAA compliance, they’re also about quality care. If patients don’t trust you, they will be reluctant to share sensitive information about their health — and once that trust is lost, it’s very hard to get it back. Fortunately, practical breach prevention and detection is within reach, even for community hospitals with limited resources.