The Security Scrutinizer with Howard Anderson

Clinic Takes Bold Action on Privacy

Zero Tolerance for Records Snooping

Some organizations proudly tout their privacy protection policies. Others, such as The Everett Clinic in Washington state, actually enforce their policies with bold action.

See Also: Live Webinar | Embracing Digital Risk Protection: Take Your Threat Intelligence to the Next Level

The clinic, which has a staff of more than 2,000, recently implemented monitoring software to help it comply with the HIPAA privacy rule, says April Zepeda, director of corporate communications. Using that software, the clinic flagged 43 employees for possible inappropriate access to patient records. So far, 13 of those employees have been fired for snooping at electronic health records "for reasons other than those related to their job duties," Zepeda says.

Patients must come first. It's critical that any violation of their privacy be taken very seriously. 

So why is this clinic taking such an aggressive approach to enforcing patient privacy? "Compliance to mandatory HIPAA requirements is not optional; it's the law," Zepeda told me in an e-mail. "We face serious federal fines and penalties if we are not performing audits. But more importantly, protecting patient privacy is a top priority and the right thing to do. It's both our legal and ethical responsibility."

Clinic executives aren't offering interviews to discuss further details, beyond one they did with the local newspaper. Zepeda told the Everett Daily Herald: "Employees were told of the new monitoring system and reminded of the clinic's privacy policies."

So the crackdown didn't begin until staff members were made aware of the records access auditing efforts and educated about privacy issues.

Importance of Monitoring

In a session at the recent Healthcare Information and Management Systems Society Conference, Eric Liederman, M.D., director of medical informatics for The Permanente Medical Group in Northern California, stressed that monitoring who accesses patients' records is an essential breach prevention strategy. He argued that access monitoring is even more important than using role-based access controls. That's because he believes that access controls, if they're too strict, can potentially affect the quality of care delivered (see: Access Audits as a Breach Deterrent).

The key to effective EHR access audits, Liederman told the audience at HIMSS, is to conduct targeted audits focusing on situations with the highest risks. Everett Clinic apparently took that approach. Its new monitoring application "flagged incidents in which an employee accessed records that belonged to a patient with the same address or last name as their own," Zepeda notes in her e-mail.

Al Fisk M.D., Everett Clinic's chief medical officer, told the local newspaper that there may be times, for example, when patients want to disclose something to their physician that they may not want their spouse to know. "If a patient can't talk to their provider honestly and unworried that someone else might look at that, then you can't give the best possible care to that patient," he said.

Surely, carrying out a privacy policy by firing those who violate it is a powerful deterrent to records snooping. With thousands of clinics across the nation in the early phases of adopting EHRs, it's important that they educate their staffs about appropriate access, implement access controls, monitor access and impose appropriate sanctions for privacy violations.

Those steps will go a long way toward assuring patients that their digitized records are just as secure - if not more secure - than those old file folders stuffed with paper.

Here's how Zepeda sums things up: "We empathize with those who lost their jobs. These were extremely difficult decisions to make. However, patients must come first. It's critical that any violation of their privacy be taken very seriously."

Patients must come first. Well-said.



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.