Clinic Takes Bold Action on Privacy: Zero Tolerance for Records Snooping
Some organizations proudly tout their privacy protection policies. Others, such as The Everett Clinic in Washington state, actually enforce their policies with bold action.
The clinic, which has a staff of more than 2,000, recently implemented monitoring software to help it comply with the HIPAA privacy rule, says April Zepeda, director of corporate communications. Using that software, the clinic flagged 43 employees for possible inappropriate access to patient records. So far, 13 of those employees have been fired for snooping at electronic health records "for reasons other than those related to their job duties," Zepeda says.
So why is this clinic taking such an aggressive approach to enforcing patient privacy? "Compliance to mandatory HIPAA requirements is not optional; it's the law," Zepeda told me in an e-mail. "We face serious federal fines and penalties if we are not performing audits. But more importantly, protecting patient privacy is a top priority and the right thing to do. It's both our legal and ethical responsibility."
Clinic executives aren't offering interviews to discuss further details, beyond one they did with the local newspaper. Zepeda told the Everett Daily Herald: "Employees were told of the new monitoring system and reminded of the clinic's privacy policies."
So the crackdown didn't begin until staff members were made aware of the records access auditing efforts and educated about privacy issues.
Importance of Monitoring
In a session at the recent Healthcare Information and Management Systems Society Conference, Eric Liederman, M.D., director of medical informatics for The Permanente Medical Group in Northern California, stressed that monitoring who accesses patients' records is an essential breach prevention strategy. He argued that access monitoring is even more important than role-based access controls, because access controls that are too strict can impede the quality of care delivered (see: Access Audits as a Breach Deterrent).
The key to effective EHR access audits, Liederman told the audience at HIMSS, is to conduct targeted audits focusing on situations with the highest risks. Everett Clinic apparently took that approach. Its new monitoring application "flagged incidents in which an employee accessed records that belonged to a patient with the same address or last name as their own," Zepeda notes in her e-mail.
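One way to implement the kind of targeted rule Zepeda describes, as an added example that is not the clinic's software or any vendor's product: the employee directory, patient directory, access-log entries and query below are all constructed for illustration, and the table layout is an assumption about how an EHR audit trail might be exported. The query joins the audit trail to both directories and flags any access where the employee and the patient share a last name or a normalized home address.

```python
"""Targeted EHR access audit (added example, not the clinic's software).

Flags record accesses where the accessing employee shares a last name or
home address with the patient, the high-risk pattern described in the text.
All people, addresses and log entries below are constructed for illustration.
"""
import re
import sqlite3
from typing import List, Tuple

# Constructed sample employee directory: (employee_id, last_name, home_address)
EMPLOYEES = [
    (1, "Alvarez", "12 Pine St, Everett, WA"),
    (2, "Chen", "88 Maple Ave, Everett, WA"),
    (3, "Okafor", "5 Birch Rd, Lynnwood, WA"),
]
# Constructed sample patient directory: (medical record number, last_name, home_address)
PATIENTS = [
    (1001, "alvarez", "40 Oak Ct, Mukilteo, WA"),     # surname matches employee 1
    (1002, "Nguyen", "88  MAPLE AVE, Everett, WA"),   # address matches employee 2
    (1003, "Chen", "88 Maple Ave, Everett, WA"),      # employee 2's own record
    (1004, "Patel", "7 Elm St, Everett, WA"),
]
# Constructed audit-trail export: (employee_id, mrn, timestamp)
ACCESS_LOG = [
    (1, 1001, "2011-03-01T09:14:00"),
    (2, 1002, "2011-03-01T10:02:00"),
    (3, 1004, "2011-03-01T11:30:00"),
    (2, 1003, "2011-03-02T08:45:00"),
    (2, 1004, "2011-03-02T09:10:00"),
]


def _norm(text: str) -> str:
    """Case-fold and collapse whitespace so '88  MAPLE AVE' equals '88 maple ave'."""
    return re.sub(r"\s+", " ", text.strip()).casefold()


# The audit rule itself: join the trail to both directories and keep matches.
AUDIT_QUERY = """
SELECT a.employee_id, a.mrn, a.ts,
       CASE
         WHEN e.last_name = p.last_name AND e.address = p.address
           THEN 'same last name and address'
         WHEN e.last_name = p.last_name THEN 'same last name'
         ELSE 'same address'
       END AS reason
FROM access_log a
JOIN employees e ON e.id  = a.employee_id
JOIN patients  p ON p.mrn = a.mrn
WHERE e.last_name = p.last_name OR e.address = p.address
ORDER BY a.ts
"""


def flag_suspicious_accesses(employees, patients, access_log) -> List[Tuple[int, int, str, str]]:
    """Return (employee_id, mrn, timestamp, reason) for every access matching
    the name/address heuristic. A hit is a lead for human review, not proof
    of misuse: a flagged employee may have had a legitimate work reason."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employees  (id INTEGER PRIMARY KEY, last_name TEXT, address TEXT);
        CREATE TABLE patients   (mrn INTEGER PRIMARY KEY, last_name TEXT, address TEXT);
        CREATE TABLE access_log (employee_id INTEGER, mrn INTEGER, ts TEXT);
    """)
    # Store normalized names and addresses so the SQL equality comparison works.
    con.executemany("INSERT INTO employees VALUES (?,?,?)",
                    [(i, _norm(n), _norm(a)) for i, n, a in employees])
    con.executemany("INSERT INTO patients VALUES (?,?,?)",
                    [(m, _norm(n), _norm(a)) for m, n, a in patients])
    con.executemany("INSERT INTO access_log VALUES (?,?,?)", access_log)
    rows = con.execute(AUDIT_QUERY).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    for emp, mrn, ts, reason in flag_suspicious_accesses(EMPLOYEES, PATIENTS, ACCESS_LOG):
        print(f"{ts} employee {emp} opened MRN {mrn}: {reason}")
```

Of the five constructed accesses, three are flagged and two (employees opening records of unrelated patients) pass silently. The clinic's own numbers make the same point about what a flag means: 43 employees were flagged, and 13 were dismissed after review, so the rule produces leads for investigation, not verdicts.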
Al Fisk, M.D., Everett Clinic's chief medical officer, told the local newspaper that there may be times, for example, when patients want to disclose something to their physician that they may not want their spouse to know. "If a patient can't talk to their provider honestly and unworried that someone else might look at that, then you can't give the best possible care to that patient," he said.
Monitoring, staff education and enforcement like this will go a long way toward assuring patients that their digitized records are at least as secure as, if not more secure than, those old file folders stuffed with paper.
Here's how Zepeda sums things up: "We empathize with those who lost their jobs. These were extremely difficult decisions to make. However, patients must come first. It's critical that any violation of their privacy be taken very seriously."
Patients must come first. Well-said.