Margret Amatayakul

"Britney Spears Medical Record Breach Nothing New, Says Privacy Expert"

"This is the first I've heard of it," Clooney, 46, said in a statement. "I would hope that this could be settled without suspending medical workers."

You've seen the headlines about the highly publicized breaches in patient privacy that have occurred when celebrities need medical treatment and inquisitive employees peek at their electronic records to find out more, and you think, "It won't happen here." Or perhaps your organization doesn't treat celebrities and you tend to agree that disciplining a dozen or more employees for breaches of celebrity patient privacy is too harsh. Maybe your organization hasn't dealt with privacy complaints as explicit as these, so you tend to think they happen only in Hollywood.

But what impact could such breaches (and the seemingly lackadaisical responses that these breaches are "nothing new" or that "medical workers shouldn't be suspended") have on your future efforts to improve privacy and security and to move into the new world of health information exchange?

More Than a Matter of Celebrity

Almost everyone in health care has seen the statistics: Some 15 percent to 20 percent of Americans withhold information from their physicians due to privacy concerns, and as many as 85 percent of physicians may have kept information out of their patients' records due to privacy concerns (Association of American Physicians and Surgeons, 2007). The Markle Foundation (2007) also found that 8 out of 10 Americans are very concerned about identity theft or fraud and the possibility of their data being used by marketers without their permission.

But what do these concerns mean to a CFO?

  • Incomplete data could jeopardize patient safety (such as by increasing the potential for errors in ordering medications), increasing the risk for lawsuits.
  • Thirty-four states now have data breach notification laws that make it mandatory to report security breaches: media exposure no hospital wants.
  • Not reporting communicable disease could result in underestimating prevalence, potentially reducing the amount of funding that might be made available for preventative services.
  • Inaccurate data could be submitted to new pay-for-performance programs, clearly reducing the potential for incentives or the ability to avoid sanctions.
  • More patients may ask that their records not be kept in electronic form. Although these are your business records and you have the right to keep them in the medium you believe best protects them, such requests are a hassle factor and can reduce trust between your organization and your patients.

And it's not just trust between patients and providers that is at stake (although that alone should be sufficient to spur action). A lack of trust between business partners will surely jeopardize health information exchange efforts. A recent survey of health IT executives indicated that "74 percent do not completely trust external partners to maintain the security and privacy of health data" (Health Information Trust Alliance, March 3, 2008).

Steps Toward Building Patient Trust

What practical actions can you take today to start to turn around the diminishing level of trust in your community? Consider these steps.

Determine the level of trust in your organization's ability to protect patient privacy. Formal and informal surveys of people in your community regarding this issue accomplish two things: They give you baseline data with which to estimate whether these national numbers ring true for you, and the mere effort of conducting the surveys lets people know you care and provides a visible means to let them know you take these issues seriously.

Follow through with efforts to secure the trust of your patients and the community you serve. "Transparency" may seem like nothing more than the latest buzzword, but when consumers are already exercising their rights to privacy online through opt-in or opt-out options, declining to use grocery store discount cards, and signing up for "do not call" lists in huge numbers, it's time to be more forthright and accommodating.

Take explicit steps to provide patients with information about your new electronic health record (EHR) system. Be proactive in obtaining consent directives by which a patient authorizes certain uses of his or her personal health information alongside advance directives for end-of-life care.

Provide short, easy-to-remember scripts for being proactive in heading off questions and responding to concerns about privacy. Many organizations remind staff about password protection and other security measures at the time staff are trained on new applications. But explanations about how these systems ensure privacy and security often don't roll off the tongues of non-IT users. Encourage clinicians to mention to patients that they are logging in or out of EHRs when applicable; remind them to tell patients that the bar coding process ensures the right medicine is being provided.

Distribute an easy-to-read brochure to patients and staff about the privacy and security measures you're taking. Few people are inclined to read a detailed, legalistic document such as what the notice of privacy practices has become, but many more will be attracted to a colorful brochure that clearly depicts how your computer efforts help them. (These are lessons learned from the financial services sector, which has now adopted a financial notice of privacy practices that is much easier to understand.)

Prepare for the Unexpected

The statistics described here may seem dire, but the news actually isn't all bad. The latest Harris Interactive poll conducted in 2006 reveals that by a 63 percent to 25 percent majority, Americans agree (and 23 percent strongly agree) that increased use of computers to record and share patient medical records can be accomplished without jeopardizing proper patient privacy rights. It has been reported that 75 percent of Americans' jobs require use of a computer (and interestingly, Consumer Health Daily [May 26, 2006] reports that such use has generated a new eye condition called computer vision syndrome, another ergonomics issue to check into). As a result, the vast majority of Americans are somewhat computer savvy, which helps them appreciate why you are adopting an EHR, but also makes them more knowledgeable about what could go wrong.

If you want to receive the ROI you expect from your health IT, you surely don't want use of systems to be derailed by privacy and security concerns. Take the time to address your community's concerns through proactive steps such as these. Doing so will build trust between your organization and the community it serves, and will better prepare your staff if the likes of Brad Pitt and Angelina Jolie ever make an unexpected visit to your emergency department.

Margret Amatayakul, MBA, RHIA, FHIMSS, is president, Margret\A Consulting, LLC, Schaumburg, Ill.

Publication Date: Thursday, May 01, 2008
