
October 21, 2005

MGH's commitment to keeping patient information secure

Patient confidentiality is one of the most important tenets in the health
care system today. And since the U.S. Department of Health and Human Services
finalized regulations in 2003 protecting patient privacy under the Health
Insurance Portability and Accountability Act (HIPAA), protecting patient
information has become even more important and more complicated.

Many health care professionals face constant challenges to keep this longstanding
obligation to their patients intact. And when they fail to meet this obligation
and a patient's privacy is breached, it is the responsibility of the health
care organization to address it.

Protecting patient privacy is a challenge faced by even the most prestigious
medical institutions in the country. For example, New York-Presbyterian
Hospital encountered a high-profile breach of confidentiality with one
of its more well-known patients, former President Bill Clinton.
When Clinton was a patient there in 2004 for heart bypass surgery, some
14 staff members inappropriately accessed his medical record. The hospital
took immediate responsibility by taking disciplinary action against those
involved, including termination. Similarly, the MGH requires immediate
disciplinary action, up to and including termination, for
staff members at any level who breach confidentiality, whether or
not the patient is high profile.

Every year MGH employees must undergo privacy and confidentiality training.
This year's education included the security of patient information as
required by the finalized security regulations in 2005. The MGH has policies
and procedures in place to help support staff and employees in protecting
patient information and will take action in the event that confidentiality
is breached, even if it is done accidentally.

Below are some examples of confidentiality breaches and how they can be
avoided.

- Using an incorrect medical record number has resulted in a patient
receiving bills and copies of records belonging to another patient.
In addition to potential breaches, using incorrect medical record numbers
compromises patient safety and care. Always verify that the correct
medical record number is being used.
- Protected health information (PHI) has been left unsecured in conference
rooms, cafeterias, waiting areas and in vacated offices. Those without
a need to know this information have accessed the PHI inappropriately.
Never leave patient information unattended.
- PHI has been sent to an unknown recipient because the number dialed
was not checked before sending a fax. Verify that the correct fax number
has been entered before sending a fax and always use a cover sheet.
- Copies of PHI were released to individuals not authorized to receive
the information because the patient's authorizations were not reviewed,
and the recipients were not required to show identification. Never release
PHI without the proper authorization and required identification.
- Most privacy officers agree that the biggest privacy risk is when
employees access medical information out of curiosity, whether
it happens to be a co-worker, relative or a high-profile celebrity.
The MGH has audit capabilities that identify employees who have accessed
information and are not part of the care team for a particular patient.
When such employees are identified, an investigation is conducted immediately.
Employees also can run self-audits on their own health records, which
has been a large deterrent to curious co-workers. Employees should only
access patient records if they need to know the information to do their
jobs.

For more information about patient privacy, call (617) 724-7176.