Electronic access raises privacy concerns: 4/12

Return to Main Menu

Electronic access raises privacy concerns
by Dick Peterson
Public Relations
She goes where angels fear to tread. In fact, some in the medical center are sure Sharon Knowles can turn up most anywhere.
In an elevator, on the commuter bus from Hagood, at a nearby table in the cafeteria—if you talk about patients in a public area you just might get a tap on the shoulder and a gentle reminder about a patient’s right to privacy.
But Knowles and her partner in privacy, Helen Caton-Peters, also venture into the no-man’s-land of electronic patient records. There they audit for violations of patient privacy—instances where for some reason somebody accessed information not open to them.
It’s serious business, and becoming more serious as April 14, 2003, bears down on health care institutions across the country. That’s the date they are to be in compliance with standards set by Congress under the Health Information Portability and Accountability Act (HIPAA). And it’s the date after which patients can report privacy violations.
While HIPAA standards also cover electronic transactions (Catalyst, March 8), security and legal considerations, it’s patient privacy that concerns Knowles, Caton-Peters and the HIPAA subcommittee on privacy they co-chair. They work to ensure both greater access for the patient to his or her own medical information, and tighter controls on what groups and individuals can access those records in the patient’s best interest.
Knowles is information security officer for the Medical University Hospital Authority and as the hospital’s privacy officer, she is involved with HIPAA compliance and privacy and with other privacy concerns of the hospital.
Caton-Peters, a registered nurse who works in CCIT, is an information security analyst and HIPAA project manager.
The beauty of the HIPAA subcommittee on privacy, said Knowles, is its multidisciplinary approach. The presence of clinicians, administrative personnel and human resources personnel offers the committee a unique perspective on how privacy will affect each of them. “It has also enabled some of the committee members to gain an appreciation for what the other side does,” she said.
In the brave new world of electronic record keeping, the issue of access takes on a whole new dimension from the previous system where a patient’s chart or X-ray film was physically filed away in a hospital or a doctor’s office. There, physical location, difficulty of access and delay created a wall that electronic access has easily breached.
“The HIPAA privacy regulation is all about rights to medical information and being accountable how that information is being used and disclosed,” Caton-Peters said. “Part of our challenge is determining how to manage access to medical information by our clinicians and employees.”
“But our question is, how do we comply with HIPAA in the academic medical center environment?” Knowles said. “It’s obvious to us that the HIPAA regulations were written with the community hospital in mind.”
So that leaves the two with new ground to plow. And it leaves clinicians at MUSC with unanswered questions and fear of a regulation gridlock that threatens their ability to serve patients. But Knowles takes heart in the gaping disparity between the regulations and reality of life at MUSC and like institutions across the country.
“I think the whole privacy issue will have a moot impact on clinicians here, because a lot of the privacy practices are already in place,” Knowles said, explaining that most of the guidelines they are putting in place already exist in practice. “They just need to be tweaked,” she said. “But there will be a change in the behind-the-scenes electronic tracking to determine how well MUSC is complying.”
“What our clinicians don’t understand is that there is room for interpretation, that the thinking on The Hill (U.S. Congress) was not the academic medical center where roles are interwoven, where physicians are faculty and students are clinicians, and most, if not all of them, are doing research.”
Caton-Peters is knee-deep in an assessment of how patient information is used, stored and protected in the hospital. “I’m looking at how we stand today as compared with where the regulations say we should be regarding protecting information. It’s a huge system that requires a wide assessment of what we do with identifiable information both internally and externally.
“Anyone with whom we share information to perform functions on our behalf will also have to maintain similar privacy standards. It’s a continual process that ensures the best practice standards are maintained,” Caton-Peters said. “HIPAA sets the floor for privacy rights; it’s up to us to continue to look for ways to raise the bar.”
Neither Knowles nor Caton-Peters expect the transition to compliance with HIPAA privacy regulations to be particularly painful for clinicians. Their approach is to listen to what clinicians have to say and with that in mind create a system that complies with what they consider “a reasonable and scalable law that does not have to disrupt the work flow of clinicians with their patients.”
They envision a system that will review each request for access on the basis of the role of the person asking. This “role-based access” will restrict each person with access to only the information needed to fulfill that role. Caton-Peters said that as those with access to patient information become more aware of their responsibility to protect patient privacy, they will be more inclined to hold themselves accountable.
That, with targeted electronic surveillance of who accesses what and when, “...will make this happen, and it’s going to make things better.”
Seeking to erase an old perception, Knowles leaned forward across her desk and said, “And another thing, I want everyone here to know that if you are an employee at MUSC and you become a patient here, you have all the privacy rights of any patient.”