Note From Iatric Systems: Thank you very much to Carl Smith, CIO of King's Daughters Medical Center, for sharing his thoughts with us, and our blog readers, about protecting patient privacy.
Brookhaven, Miss., a town with a population of about 12,000 residents, is where I call home. Living in a small town in southwest Mississippi has its advantages. We are a close-knit community where relationships are built and last a lifetime. This culture of community spreads into most facets of life including local business. We look out for one another and want our community to strong, safe, and secure. In the healthcare arena, this has become an ever-evolving challenge with information privacy and security.
Today there are more threats than ever in the digital world. Working for one of the top industries in our area, I feel a personal responsibility to educate our community to the dangers and safeguards regarding threats and vulnerabilities. Whether it’s the Rotary Club, Kiwanis Club, or a local retirement center, I’m spreading the word about patient privacy and overall cybersecurity.
One of my favorites is a retirement group that meets at a local community college. They asked me to come do an hour presentation on information security. It was probably the best group I've talked to because I think they appreciated it more than anybody else. While, in my talks, we start talking about cybersecurity and how we protect patient privacy at the hospital, these chats ultimately turn more into discussions about social media and cell phone safety/security, which ties back directly to the hospital and patient privacy, as I’ll mention in a bit.
This kind of training and education started inside the hospital years ago when HIPAA made the scene. I’ve always taught our staff about HIPAA policy, and now I’ve taken that message out to the community, where digital privacy is relatively new for many people. It’s a cultural change, and we’ve seen that cultural change occur and be very successful throughout our hospital.
We have training around HIPAA policies, and give examples within the healthcare setting of things that staff members may run into. In a location like ours, most clinical staff will run into patient records from family members, neighbors, and friends. They must be educated to policies and laws concerning privacy and confidentiality.
To help protect patient privacy at our facility, we have invested in tools to help us see if there are any violations or any potential violations. And so, it's not just waiting for something to happen when it comes to patient privacy. We have to be proactive across the facility. While our technology tools aren’t solutions by themselves, we have tools in place that automate much of this work for us. That’s ideal, because it allows us to spend more time on education, which often is a one-on-one coaching process.
We’ll ask someone, “Would you want everybody in the room to have access to your health records, to your test results, to your x-rays, etc.?” If they're taking care of you, then absolutely. You want them to have access to as much information as they need to take care of you. But, if it's not part of their job, then they should not be looking into your records for any reason.
Another challenge we wanted to continue educating our employees about is cell phones — everyone has a cell phone now, and it's added a whole new dynamic to patient privacy. We have really had to be strict about use of cell phones, use of texting, taking photos, posting information on Twitter or Facebook. We’ve added that to policy, and we’re watching to make sure those policies are being adhered to.
Unlike with our EMR where we can audit the appropriateness of accesses to patient data, I can’t just go grab an employee’s cell phone and audit it. But again, that's another case where we've tried to create a culture. For example, if somebody sees another employee taking a picture in the hospital, they will be the ones to step up and say “No, wait. You can't do that!”
This, again, is an education thing. When I educate our new employees, I ask them, “What would be the problem of taking a selfie in the hallway or at the nursing station?” Usually, I've got about half the room saying, “Oh, a patient could be in the picture or there may be a chart on the desk.”
Getting those kinds of answers tells me we’re on the right track when it comes to protecting patient privacy.