In many parts of the world, healthcare institutions hold the responsibility of ensuring that private information that belongs to the patients or employees is kept confidential. Healthcare organizations, through the privacy officer, have an ethical, moral, and legal obligation to protect all research information and clinical data by ensuring that privacy policies, procedures, and programs are put in place. This paper discusses how the privacy officer in a healthcare institution would act in different circumstances concerning the privacy and confidentiality of medical information. To prevent unauthorized access to sensitive information, healthcare institutions should practice a high degree of control.
Today, privacy officers have more projects and responsibilities assigned to them than they did a few years back, due to increased visibility. Privacy officers are now individuals who can understand the processes and privacy issues involved in moving health institutions' data externally and internally. Moreover, their role has changed from only documenting and implementing privacy procedures and policies to refining and analyzing various procedures with the aim of preventing the inappropriate use or disclosure of data (Erickson & Millar, 2005). Leaders of healthcare facilities have come to realize how essential security and privacy processes are in healthcare institutions. These processes touch various areas of the institution. A study conducted some years back shows that breaches of patients’ information have made many hospitals lose billions of money. Furthermore, the study reported that many hospitals do not treat protection of their patients’ data as a priority (Cohen, Restuccia & Shwartz, 2008). Inadequate staffing and preparation are among the factors that lead to data breaches.
For a designated privacy officer in a healthcare institution, the following monitoring procedures would help in addressing various situations in the institution. Conformance with the HITECH Act, which expands and strengthens the health information accountability and portability act, would help me as a privacy officer to develop effective monitoring procedures. According to Millar et al. (2005), monitoring procedures should focus on strict privacy protections, steeper penalties for those who do not comply, and good-quality tracking of information access; these would be my priority as a privacy officer in a health institution.
Sanctions for violation of policy
My sanctions for violations of policy would range from oral warnings, suspension, and financial penalties to fines and imprisonment, as well as termination and loss of the license to work as a medical practitioner. I would formulate a compliance program with the following elements. First, the development and distribution of a written code of conduct, procedures, protocols, and policies that enhance the nursing facility's commitment to compliance. Second, the compliance program should allow the designation of appropriate bodies and a compliance officer, for example a corporate compliance committee charged with the mandate of developing, monitoring, and operating the program (Institute of Medicine, 2001). Third, the compliance program should have effective and regular training and educational programs for all healthcare workers. In addition, the development and maintenance of effective communication between the subordinates and the compliance officer should be part of the program. Another element is the use of risk techniques or audits to monitor compliance.
In case of a breach in the organization, it is the responsibility of the privacy officer to carry out a thorough investigation and issue a notification about the health information that is unsecured. This is done by completing a risk assessment and documenting privacy cases. Establishing protocols and measures for documenting and assessing potential harm is also a responsibility (Erickson et al., 2005). According to Shwartz et al. (2008), adoption of an EHR system would help the privacy officer work with various departments to define appropriate permissions for data access, to determine the correct level of access, and to identify the different staff members who had accessed the patient’s information. I would make sure that a data warehouse that allows the patient’s health information to be documented in a more secure manner is developed. I would make sure that procedures and policies are put in place to protect the client's information when it is delivered through an online portal or copied onto a CD. As a privacy officer, I should also develop procedures that monitor information shared with the media. Understanding and being able to investigate privacy concerns in social media should be my greatest concern.
When information is exchanged from one health institution to another, it would be my responsibility to develop a policy that protects the patient’s records in transit. Different electronic methods and HIE policies should be used to protect this information. Restuccia (2008) suggests that content permissions and encryption are some of these methods. Before the information is exchanged, consent from the client is required, and it is the responsibility of the privacy officer to develop effective practices and policies for obtaining the consent of the patient. First, to ensure the privacy of the patient, it would be better for me to understand that his or her health is personal and to develop a procedure or policy that protects the client's medical information. This would be done through the use of confidential health assessment questionnaires. A record of the services and care offered to the client should be kept confidential until the patient consents to its disclosure. The records are kept to ensure compliance with legal requirements and to provide health care of high quality. The policy developed will describe how the client's medical information will be disclosed or used. Furthermore, the obligations and rights of the client in regard to disclosure of his or her information will be included in the policy. The law requires health practitioners to make sure that health information that identifies the client is kept confidential, to follow the terms set out in the notice, and to give the client the notice of privacy practices and legal duties as dictated by the health institution (Institute of Medicine, 2001).
This policy will ensure that the client is informed of the possible situations in which his or her information may be disclosed. Medical information may be disclosed to nurses, doctors, healthcare students, health technicians, and people caring for the client, for the provision of treatment. To allow for coordination of treatment, different health workers may share the client’s medical information. Information is also disclosed to institutions such as nursing homes and rehabilitation centers, and to medical practitioners who are involved in after-care. A client's information may be disclosed to insurance companies or a third party so that they can pay for treatment. Moreover, information may be disclosed for use in the hospital's operations, for approved research programs, for treatment alternatives, for the hospital directory, to prevent a serious threat to the public or the client, and as the law requires (Cohen et al., 2008). The policy should also contain the rights of the client in regard to his or her medical information. The client has the right to inspect and receive a copy of the health information used in deciding on the appropriate care offered. A client who wants to inspect and receive the information must submit a written request to the health management. When clients have doubts about the medical information, they have a right to ask the management to amend that information. As a privacy officer, I would ensure that the policy allows the client to put restrictions on how much medical information is disclosed about him or her.
Patients’ database and nurses' access code
Tracking each point of access to the patient database, including who entered the data, would require user traceability software with more secure features. Computer screens should also be fitted with high-quality information filters to prevent onlookers from easily viewing confidential information. The electronic system should be upgraded to a level that supports vital security features such as role-based access, audit trails, and passwords. Individuals who are undergoing special tests and procedures should have the opportunity to be assigned alternative account numbers. The electronic health system must be able to connect the client’s legal name with the alternative account number, and back to the patient’s account number and legal name, in a more professional and secure manner (Millar, 2005). Not only will this process help the patient to have a complete health record, it will also help with accurate billing while protecting the patient’s privacy. The best electronic system offers security features and functions that are consistent with the needs of a health institution. Moreover, it should limit access to the client’s medical information and allow it to be viewed only by the nurses and medical practitioners working in direct contact with the patient. Audit trails should also be encouraged, and the EHR should provide functionality that helps the health institution meet its operational and regulatory requirements.
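The controls described in this section (alternative account numbers that map back to the real account, access limited to staff in direct contact with the patient, and an audit trail of every access) can be sketched as follows. This is an added example, not part of the original paper or of any EHR product; all user names, roles, account numbers and the key are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample data: every name, role, account number and key is hypothetical.
ALIAS_KEY = b"demo-only-key"                      # a real key would live in a secrets vault
ROLES = {"nurse_amy": "nurse", "dr_lee": "physician",
         "nurse_bob": "nurse", "clerk_cy": "billing"}
CLINICAL_ROLES = {"nurse", "physician"}
CARE_TEAM = {"P-1001": {"nurse_amy", "dr_lee"}}   # staff in direct contact with the patient
ALIASES = {}       # alternative number -> real account number (restricted table)
AUDIT_TRAIL = []   # one entry per access attempt, allowed or denied

def assign_alias(account):
    """Issue a stable alternative account number for a special test or procedure."""
    digest = hmac.new(ALIAS_KEY, account.encode(), hashlib.sha256).hexdigest()
    alias = "A-" + digest[:10]
    ALIASES[alias] = account
    return alias

def resolve(account_or_alias):
    """Map an alternative number back to the real account for billing and records."""
    return ALIASES.get(account_or_alias, account_or_alias)

def access_record(user, account_or_alias, action="read"):
    """Allow access only to clinical staff on the patient's care team; log every attempt."""
    account = resolve(account_or_alias)
    role = ROLES.get(user)
    allowed = role in CLINICAL_ROLES and user in CARE_TEAM.get(account, set())
    AUDIT_TRAIL.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "account": account,
        "via_alias": account_or_alias != account,
        "action": action, "allowed": allowed,
    })
    return allowed

def who_accessed(account):
    """Audit query: every user who touched the record, under either number."""
    return [(e["user"], e["action"], e["allowed"])
            for e in AUDIT_TRAIL if e["account"] == account]

def denied_attempts():
    """Entries a privacy officer would review first."""
    return [(e["user"], e["account"]) for e in AUDIT_TRAIL if not e["allowed"]]
```

Denied attempts are logged as well as granted ones, so the trail shows a nurse outside the care team trying to open a record even though nothing was disclosed.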
Visitor accidentally comes to a patient’s ward
When a visitor accidentally comes to the wrong unit looking for a patient and asks the nurse to find out what unit the patient is on, the nurse is supposed to keep that information confidential. She should disclose the information only under defined protocols, policies, and mandates. According to the Institute of Medicine (2001), the written protocols and procedures must ensure that the rights, safety, and wellbeing of the patient are effectively protected. The only information that can be disclosed is that which is directly relevant to a specific responsibility. It is also the responsibility of the nurse to ensure that the patient has given consent to be visited by certain individuals.
Nurses’ report on privacy and security breaches
To encourage nurses to report privacy and security breaches, I would select a security response team from the data integrity stakeholders of the organization. Nurses will be among the key individuals selected. Selecting different individuals from different departments would ensure a security response process that is sustainable. A cross-functional team has the capability to encourage resource collaboration and coordination, because of shared workflow procedures and policies. This in turn helps eliminate the gaps in information management that create a good environment for data to be stolen. The best course of action is to ensure that every individual associated with the institution has a monitoring role. As a public officer I would encourage and train nurses and other stakeholders in how to respond when faced with a suspected breach. The reporting mechanism should be made easy to navigate and widely known.
A nurse can be designated to serve as a coordinator of communications, which allows other members of the security team to focus on investigating and mitigating the incident. The designated nurse acts as the single point of contact between the media and the health institution. Other team members should be encouraged to share their security findings with the communications coordinator. The team should also develop an effective mechanism by which a breach notification triggers a response. Identifying, tracking, and notifying people whose unsecured medical information has been tampered with is important (Erickson et al., 2005). For a breach notification process to be successful, it must be part of a comprehensive information security plan of action. Nurses should be trained in the procedures and practices required for an effective breach notification process.
In conclusion, the healthcare environment has become increasingly challenging when it comes to issues of confidentiality and privacy. The increased use of technology, the development of the world, and new demands in healthcare make it more difficult to keep a patient's information confidential. All in all, it is the responsibility of privacy officers to ensure that the need for confidentiality is met. New programs, policies, and procedures have been developed to respond to this issue. Secure electronic systems have also been put into place to address the privacy and confidentiality of medical information.
Cohen, A., Restuccia, J., & Shwartz, M. (2008). A Survey of Hospital Quality Improvement Activities. Med Care Res Rev, 65(5), 571-95.
Erickson, J., & Millar, S. (2005). Caring for Patients While Respecting Their Privacy: Renewing Our Commitment. OJIN: The Online Journal of Issues in Nursing, 10(1), 1-90.
Institute of Medicine. (2001). Crossing the Quality Chasm: A New Health System for the 21st Century. Washington, DC: National Academy Press.