The health worker and the individual have a relationship built around trust. The patient provides information that can be very sensitive about themselves for the health worker to make decisions on their management. In turn, the health worker has the duty to keep this information confidential.
However, with the advent of electronic health systems, it is not quite as straightforward. All this information is now stored in computers. It can be in local servers or on the internet. This makes private information not just between the health worker and the individual. Other health workers, non-health staff, even complete strangers can access this information if there are no limitations in place. Thus, there needs to be rules in using these systems in order to protect the patient’s privacy.
The assignment for this week was to choose a hospital and review its policy on patient privacy and security. I based my analysis on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) of the U.S.A.. While our country has its own laws on privacy of personal information in communications systems (R.A. 10173, which will be its own topic), it does not have a specific law on health information privacy and security.
The hospital I chose is relatively new in the realm of computerized systems. Their patient records are still in the process of being digitized. At present, functioning electronic systems are imaging results (x-ray, CT scan, MRI) and nursing orders. Along with switching to electronic records by their IT department, the hospital administration is still in the process of forming a formal written privacy and security policies and procedures. Since there was no written statement to review, I interviewed personnel from the IT department and the radiology department of the hospital for current privacy practices.
Individual identifying information that the currently running systems store includes the patient’s name, date of birth, sex, and patient ID in the system. For nursing orders, it can only be accessed at the specific nurse’s station servicing the room the patient is staying in (other stations have no access to it). When the patient is discharged, all information is moved to the records section and is removed from the order system. Information is stored in a local server.
If ever there is a need for old records, such as research and law enforcement, they still have to request it from the records section. Supporting documents have to be submitted with the request, such as legal authorization (warrant). Requests are a case-by-case basis that have to be approved by the administration. They cannot access the archives themselves, the records section still releases records as paper documents.
Similar to the above, patients who want to access or update their information (changing wrong information like typographical errors) have to go through administrative approval. Supporting documents such as birth certificates also have to be submitted for changes. Patients can request for limited information to be displayed by the system if they desire. This sets them to a “VIP” status, which makes certain identifying information not viewable. It is often used by high-profile individuals when they are admitted to the hospital.
For imaging, the system was made by a third-party developer. Interviewee were unsure about the company’s privacy and security policies. There were no details of this either in their website. It only said that their systems can be made to be compliant to privacy and security laws depending on the client’s request, and that they have made systems that are HIPAA compliant.
According to the interviewees, all results are stored in an online server provided by the company. Physicians have an account and password. When logged in, the physician can access all results stored in the system. This can be done on any electronic device that is connected to the internet. If ever patients want to see their imaging results, they can request their physician to give them an electronic or hard copy.
Monitoring of the use of systems falls under the department or section heads. No standard procedure has been created for this, so audit is incomplete. There are no software or hardware that records access and editing of information in the system. While the IT department is in charge of security of information, there are no specific positions focused on privacy and security.
Since there is no official privacy and security policies document for the hospital, there is no distribution of notices of privacy practices. Staff do not have formal training in privacy and security practices, they only learn from co-workers and experience.
Based on this description, it can be seen that this hospital has a long way to go with their electronic information systems and their ability to protect patient information. This is understandable, as the system itself is not even complete. I think that many hospitals in the country are still in a similar state. However, we should also be thinking ahead. With all the news of anonymous groups and individual hackers illegally accessing databases and spreading all the stored information online, we should be ready that such an attack can happen to our health systems anytime.
Sources:
- Office for Civil Rights. Summary of the HIPAA Privacy Rule. Retrieved from the U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.
- Office for Civil Rights. Summary of the HIPAA Security Rule. Retrieved from the U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html.
No comments:
Post a Comment