About two weeks ago all users of the CGH computer system got a “privacy and security” e-mail reminder from Joe Huber (HIPAA[1] Security Officer) of the Information Systems Department. “Is it okay to write down your (computer) password,” he asked, “if you keep it somewhere out of sight, such as under your keyboard?”
The answer is “no,” of course. When you scrolled down to read Joe’s answer, he explained that “your password…must be kept in a secure location such as a wallet or a purse or locked cabinet.”
In his e-mail Joe reminded us that Information Systems had sent the same “privacy and security” message two times before. He said he mailed it a third time because someone found an employee’s username and password posted on a computer monitor last month. In other words, the contents of CGH’s information system that were available to a specific employee were potentially available to anyone who happened to stop by and write down that individual’s username and password. Anyone.
Consider what you would think if an employee of the credit union were as careless with her username and password. Any unauthorized person would be able to look up your financial information simply by copying that employee’s secret access codes.
It’s just as easy to imagine how patients or family members would feel if they knew their information at CGH was potentially available to a snoop – or worse. Actually, we don’t have to imagine. We have only to read the news.
For the past several weeks the nation’s news reporters and editorial writers have been full of outrage and ridicule involving the Veterans Administration because a VA employee took home a computer disk that contained identifying information on 26 million military veterans. While it was in the employee’s home, the VA disk was stolen. Where is it now? What could someone do with so much information about individual Americans, including those serving in the active military? “How could such a thing have happened?” complained the news outlets. “What kind of security does the VA have?”
I read those stories – and I read Joe’s e-mail – and I thought, “What if that happened to a hospital instead of the VA?” Is everyone at CGH safety conscious about their computer passwords and about the files they have access to? Obviously not. A username and password were posted in plain sight in violation of CGH policy.
In today’s information age we have to treat computer information as if it were cash. Like cash, if access to computer information is left lying around, someone will steal it. If you saw cash on someone’s desk, you’d understand the risk right away.
It may be harder to recognize the value of computer data or passwords that give access to data, but we should consider computer data access as valuable as cash.
Using computers gives us great power to see and use and move around large amounts of information. This is much more responsibility than we had in past years when we worked only with paper records.
Being careless with a single file is a serious matter. Being careless with computer data can be a thousand – or a hundred thousand or a million – times worse.
[1] The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses national standards for electronic health care transactions involving the security and privacy of health data.
Saturday, June 10, 2006
Saturday, January 7, 2006
“A classic example”
Earlier this week an employee raised a concern about patient privacy after she saw a provider interviewing a patient about her health history in a way that could be overheard by others.
Yesterday John Conner, our HIPAA[1] Privacy Officer, sent an all-department e-mail to remind us how important it is to use only the minimum necessary information when communicating about patients.
He wrote about a situation involving a department that produces a list of patients to be treated each day. The list is used to check off names as patients arrive for their appointments. Last week a patient reported being able to see information on the list, such as the diagnoses or treatments associated with other names.
John called the situation “a classic example” of not following the minimum necessary standard.[2] In other words, more information was included on the patient list than was necessary. A second problem was that the list was visible to others. Patient information must be protected from unauthorized access, including casual access by others.
“The event provides a valuable learning opportunity for us,” John wrote, and he asked employees to bring similar situations to the attention of their supervisors right away.
I responded to John with an e-mail, saying that his message reminded me of another situation that dates from pre-HIPAA days. The mother of a patient called me to complain about a lack of information privacy. Her son, who had been a patient the prior week, had left his blue jeans in the room when he was discharged. She called Security, which promptly contacted the nursing unit, and the lost jeans were found.
When the mother stopped at Security to pick up the clothing, she saw that they were stored in a clear plastic bag, marked “patient belongings.” The bag also contained the printed half-sheet with the patient’s name, address, age – and diagnosis.
“Why, Mr. Quinn,” the mother asked me, “did the security officer have to know that my son is HIV positive?” It was a good question, and as a result, CGH changed its then-policy of including the half-sheet to identify patient belongings.
I’d like to thank the employees who showed their interest in (and sensitivity to) patient privacy this week. Confidentiality is a subject we take very seriously, and – as is apparent – one we need to remind ourselves about constantly.[3]
__________________
[1] HIPAA refers to the Health Insurance Portability and Accountability Act of 1996, a federal law that limits how hospitals and other health care providers may use health information that identifies an individual patient. The rule does not restrict the ability of doctors, nurses and other providers to share the information necessary to treat patients.
[2] HIPAA requires providers to use or share only the minimum amount of protected information necessary for a particular purpose. Information on HIPAA is available on this federal website: http://www.hhs.gov/news/facts/privacy.html
[3] For CGH policies on patient confidentiality, go to “Public Folders” on the CGH intranet, find “Manuals” and select “Hospital Policies.” “Hospital Policies” will take you to a number of headings. Select “09 Management of Information” and go to the subsection on “Confidentiality & Security.”