NR 512 Discussion HealthIT Topic of the Week and Impact on Practice
I selected the topic of the safety and security of EMR (electronic medical record). Since we are now required to use EMRs in all healthcare industries and they hold such private and confidential information I consider the security of them to be a very important and needed topic of discussion. We live in a technological society where we hear about security breaches from the IRS, major department stores, social media, etc. With all of the security breaches out there the thought of having EMR breaches is devastating. EMRs are the future of the healthcare industry and have truly changed the way in which we operate. EMRs offer us means of storage and retrieval of legible medical information from anywhere at any time. EMRs have given us additional safety mechanisms for prescriptions, lab results, medications and vital signs as well as decision support software to offer suggestions. Electronic records allow for instant retrieval of history and physical, lab results, diagnostic results, and progress notes from anyone who has provided care to the patient. These records contain what has been referred to as “a life” (Ozair et al., 2015). What is being done to protect them? Is it enough? Computer hackers may look at breaching an EMR as a golden prize which contains personal, financial, medical, and physical information about any one person. Will we be able to protect this confidential information that we require from our patients from getting into the wrong hands? While EMRs are now the norm for the future of healthcare the cyber-security mythologies should also be thoroughly understood before moving forward (Kruse et al., 2017). This affects me as a human who has a right to confidentiality as well as my future as a nurse practitioner and my patient’s right to confidentiality. When these breaches happen, they can shut down entire networks and make vitally needed information unobtainable and inaccessible.
These breaches can ruin countless lives and create mistrust of the healthcare community, which can lead to people not seeking needed care.
Kruse, C. S., Smith, B., Vanderlinden, H., & Nealand, A. (2017). Security Techniques for the Electronic Health Records. Retrieved March 30, 2018, from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5522514/
Ozair, F. F., Jamshed, N., Sharma, A., & Aggarwal, P. (2015). Ethical issues in electronic health records: A general overview. Retrieved March 30, 2018, from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4394583/
In my current practice setting at a rural, 300+ bed hospital, we have a number of measures to protect patient health information. Our IT department employs firewalls and maintains the security of our hospital Wifi. Audits are performed to monitor the accessing of patient charts, ensuring that they are being accessed for the correct reason and by appropriate staff. Whenever we click on a patient chart we have to either put that we are the patient’s nurse, charge nurse, or an auditor, for example. At every nurse’s station there is a shred box where we can safely dispose of excess paperwork that may have patient information on it. We also have mandatory online education to complete periodically that reviews how to keep patient information secure, appropriate actions and inappropriate actions, HIPAA guidelines, and the implications of not adhering to these rules. I think with today’s age of mass transfer of digital information the emphasis on protecting patient information cannot be enforced enough. When HIPAA (Health Insurance Portability and Accountability Act) was first initiated in 1996, the focus was mostly transferring of information from doctor to doctor, office to office, whereas now the focus over 20 years later is almost exclusively dedicated to protecting patient information (Dolan, 2014). While we live in an amazing time of electronic data capability, it comes with its own challenges with regards to safety and privacy.
Dolan, P. (2014). Protecting patient information. Ophthalmology Times, 39(10), 23-24.
Protecting patient health information is essential to be compliant with HIPAA guidelines. Although we should log out of charting as soon as we are done, some have to run to an emergency or forget. The computers automatically time out and log out of EPIC after a few minutes. All social media is disabled on our computers. We have a shred bin at each nurses’ station to put all patient labels and patient papers in after each shift or discharge. There are also signs in the elevators reminding staff that public locations are not for talking about patients. For our babies, each parent or mom and designated person gets a baby bracelet. Only people with bands on (or that know the band number via telephone) can get information about their babies. Most importantly, all traumas that come in get a trauma name and fake age. This is important to promote security as well. No one can find that patient using their real name. This protects that patient but also hopefully prevents others (ex: gunshot/gangs) from finding that person. Lastly, so many strangers want to come see the babies. All of our babies are in their rooms with parents. If people do not know the name of the mother, they are not allowed in. I cannot stress how many times people have come in and said the father’s name or baby’s name or “not know who they are visiting.” Unless you can give a valid name, we cannot tell you where they are.
Within my practice setting, we have multiple resources and strategies to help secure patient health information. Currently, I am employed as a cardiac diagnostics nurse. Our department is detached from a large waiting area adjacent to the cardiologist’s office. One of the privacy strategies used is with the design of the department. This department only allows for patients who are undergoing cardiac diagnostic testing (e.g., no family or friends are allowed in the procedural waiting area). We have a room where patients are privately greeted, pertinent history is obtained, and their procedure expectations/concerns are discussed. The rest of the procedure process allows for privacy of each individual and they only discuss what they want to discuss with other individuals waiting on their procedures.
Additionally, the resources that we have available for protecting patient’s privacy include: computer privacy screens, safeguards to electronic medical records (EMRs), and a document destruction box for papers identifying patient information. The computer privacy screens make it challenging for onlookers to view patient information that is on the computer. While most computers are at a distance from where potential eyes may linger, this added protection assists with making it more difficult for others to see patient names, addresses, or diagnoses.
We have quite a few safeguards that are in place for our EMRs. In addition to the firewall and encryption systems, we have a secure login with a password that includes uppercase, lowercase, numerical, and special character values. Also, our passwords change every sixty days and a year must go by before you can reuse a password. Patients are listed based on the department/area that an employee works in. So, an employee is not able to view every patient in the physician’s office and/or hospital. Patients are listed by their names, date-of-birth, and medical record number. Employees cannot access patient health information without opening charts. The EMR has an audit tool built in so that each audit notes who accessed the chart, the date and time the chart was accessed, and what area of the chart was accessed and/or documented on. This helps patients feel secure in knowing that their health information should only be accessed by employees who have a “need to know” basis for viewing the information. Also, patients may request additional security and be listed as a private patient. When this happens, any employee must sign-in and “break the glass” to obtain patient information. This requires re-entering the login information and documenting why the chart is being accessed (e.g., chart audit, primary care, etc.).
We have document destruction boxes located in every department. Certain forms—such as consents for treatment, echocardiograms, and identification labels, are on paper until they are scanned into the charts. Once they are scanned into the charts, the papers that contain patient information are placed into the destruction box. Our facility has a contract with a company who securely empties the boxes and destroys the information within them.
There are several strategies and resources at my place of employment to secure patient health information (PHI). The Office of Information Technology (OIT) utilizes firewalls and educates the staff on sending PHI as encrypted emails only to healthcare facilities for continuity of care for some patients. They maintain our security with regular monitoring of our computer systems and prompt us through email when there is a suspicious email circulating that must be deleted from the Inbox then deleted from the Deleted folder. Also, we have Wi-Fi that is protected from outside intrusion because of the superb firewall that OIT has set up. They send constant reminders of how to protect our hardware as well as the software.
Quarterly risk audits of each clinic area are performed to assess risk for retrieving or obtaining PHI. They go through everything such as the drawers, cabinets, and make sure that there are no PHI or passwords attached to the computer or the keyboard or anywhere a thief can gain access to our system. OIT wears many hats as you can see. Also, they constantly monitor websites that are accessed and how long was spent on any website that is not work related. A report is then compiled through IP addresses and data is reported to the nurse manager. Now, an outside shred company performs the big shred jobs for my organization and they also gather any material that has been shredded and dispose of it properly.
Annual HIPAA training is a known course that is mandatory for everyone to attend. This training is done face-to-face most of the time. There are occasions where it has been held via satellite through Virtual Information Center System (VICS). Our computers time out after a period from inactivity, not to mention various websites that we must sign in all over again if there has been any inactivity within 1-2 minutes. Paper charts are behind double locks always. We must unlock the doors to gain access and only certain nurses have the keys for this area. There is information that is scanned into the patient’s record or imported documents under the person being seen and the paper form is shredded very soon afterwards. We have not gone totally paperless. I do not think that we will ever be; although we do use less paper than in prior years. There are many strategies that our facility uses to ensure that patient information as well as our information is not easily accessible to those who should not have access to the patients we serve.
The Health Information Technology (HIT) department has implemented successful strategies for healthcare security and privacy as electronic health information records are constantly shared among different providers’ systems (Rezaeibagha, Khin, & Susilo, 2015). In my practice they use multiple strategies to help protect patient health information, some of which I am aware of. Among these strategies they have integrated a collective approach that includes administration, staff, and technology to maintain the safety of their data. All employees have a mandatory education module to complete about information security awareness. They have eliminated the access of work related software from home. Now in an effort to keep health information technology safe, employees are not able to access their email from home, nor are they able to view their payroll data. Staff at the management and supervisory level are able to use an app called entrust that generates a special password that employees can use to access organizational email, and payroll data. Other strategies used are prompts that make us aware of outside incoming emails to avoid phishing scams. Measures implemented to reduce risks and increase safety of sensitive health information continue to improve with technological advances.
Rezaeibagha, F., Khin Than, W., & Susilo, W. (2015). A systematic literature review on security and privacy of electronic health record systems: Technical perspectives. Health Information Management Journal, 44(3), 23-38. doi:10.12826/18333575.2015.0001.
The idea of incorporating the policy into the admission handbook is a great idea. I will mention it to my clinical manager in our next shared governance meeting. As nurses, we all know that even when patients are given written policies they may not follow them. I try to explain to my patients that want to take pictures of themselves that it is not just about their image being captured, it is about any unintended images that they may capture in the process, such as auxiliary staff, nurses, or other patients, and violate their privacy. Shepherd (2010) explains how nurses have been fired for just taking photographs of a patient’s X-ray and posting them on the internet because it was a HIPAA violation and those images belong to the hospital and not an individual. She also discusses how the HIPAA regulations on cell phone use are broad and have not been updated to include the newer smartphones, which makes it very difficult to create universal or standard cell phone policies. As nurses, we must strike a delicate balance of protecting patients’ privacy and acknowledging patient rights.
Shepherd, A. (2010). Negative exposure: cell phone cameras are a new privacy threat facilities must address. Two hospital employees were dismissed for taking pictures of X-ray images with their cell phones and posting them on the Internet. Radiology Today, 11(11), 24-30.
I currently work as an Epic consultant, implementing “go live” projects throughout the states when my health permits, and we have several strategies in place to secure patient information. Our company is many times assisting facilities to go from paper to computerized charting for the first time and PHI security is one of the major concerns during this implementation. One of the major secure strategies we have put in place is assisting all health care providers to create a personal and secure login to the Epic system. This secure login is personal to the user and should not be shared with anyone. Accessing a patient’s chart should be done on a need to know basis and login activity is frequently monitored to ensure patient safety and security. Nurses, providers, and ancillary staff are required to undergo Epic training which includes HIPAA guidelines, safe and secure login/logouts, and policies and procedures related to the facility’s guidelines for accessing a chart. We also have “hard stops” that require health care providers to indicate the role and reason for accessing a chart for patients we consider to be VIP: employees, individuals with very sensitive information in their chart, public figures, individuals in police custody, patients suspected of being abused, and psych patients. All access into these charts is closely monitored and unauthorized access can lead to immediate termination. Patient security of information is everyone’s responsibility and during “go lives” it takes a village to remind end users to login, logout, protect screens on WOWS from onlookers, and be mindful of surroundings. PHIs are shared among different systems and health care providers and this openness raises considerable concern about patient privacy owing to the possibility of unauthorized access or misuse owing to improper security implementation (Rezaeibagha, Than, and Susilo, 2015).
Rezaeibagha, F., Khin Than, W., & Susilo, W. (2015). A systematic literature review on security and privacy of electronic health record systems: technological perspectives. Health Information Management Journal, 44(3), 23-38. doi:10.12826/18333575.2015.0001.
We have quite a few strategies and resources to secure patient health information that come to mind. I will start with being an authorized user who must have a log-on and password in order to enter our system. The password will change every 90 days or less and after 3 failed attempts to log on to the system the user’s account will be locked until the IT department corrects the issue with a verified user.
All computers in my facility have an automatic log-off feature when not in use for more than 3 minutes. This is an extra layer of security in case an employee forgot to log off or had to run off for an emergency. We are also not allowed to leave even a single sheet of paper with patient information unattended. Even if turned over, the fact that someone can turn it back over makes it a risk for privacy.
Any family member or friend who calls to inquire about a patient’s condition must be able to give a 4-digit code that is only given to the patient. So, if the patient has given the family member or friend the code then you may give information about their status, however I still attempt to sway away from that if the patient is A&O x’s4. If the patient needs more education on their condition I would rather do that so they can relay the info themselves. If the patient is simply having a hard time explaining a situation I’m always more than happy to help.
We also have annual required and updated education for HIPAA which covers many topics and now even includes violations for social media and personal electronic devices. Other topics include use of email, fax machines and talking in public areas to name a few. We go to great lengths at my facility to protect patient privacy with even our IT department sending us notifications of new and potentially dangerous email threats. It takes a whole department to constantly be surveilling for potential dangers and sometimes that still isn’t enough.
In my current practice setting we use quite a few methods to secure patient information. Just as in most practice settings we utilize a computer system with login and password requirements. Additionally, the computer systems will time out after a period of inactivity as a backup layer to security. E-mails may be encrypted when patient information or confidentiality needs to be maintained. Additionally, all electronic devices which are mobile operate on a secure network which requires the added security of VPN tokens. There are ample locked boxes for documents that need to be shredded. Finally, there are levels of access to patient information based on a need to know basis. For example, customer service representatives who access patient files for appointments and registration do not have access to patient medical files, as it is not necessary to perform their job functions.
An additional resource implemented to protect patient data is our corporate compliance. Our corporate compliance department handles both anonymous and other reports of misuse of access to patient files. This department has received reports from patients, family members, spouses, and other relationships regarding the misuse of patient data. Their response is swift and violation of patient privacy is not tolerated, often resulting in immediate termination.
An article by Fry (2017) provided measures health care entities can utilize to protect patient data. These measures included recommendations for setting access control, device management, HIPAA compliant message storage, and security training as methods (Fry, 2017). I was not surprised to find that my employer is in line with cybersecurity recommendations which help to protect patient data.
Fry, G. (2017). The danger within: Insider data security can threaten your practice. Chiropractic Economics, 63(9), 43-46.
There are a few different strategies that my health care setting uses to practice keeping patient health information secure. The first thing that we do is ask the patient during their admission documentation if they are wanting to be kept confidential. Once the patient agrees that he or she wants to be kept confidential, our staff has to contact patient placement and supervisor to make sure that everyone is made aware. Once the patient has been officially made confidential, they are to come up with a password that only the patient, staffing, and any other family members are to know if patient allows it. This password is the key to seeing the patient. If at any chance the password needs to be changed or the patient is no longer confidential, the process starts all over again with moving the patient to a new location. As far as actually looking at the patient’s charts? Only physicians or nurses can access the patients charts and by doing so, we are to enter in our username, password, and mark the reason for looking at the patient’s chart. Of course, if this were my patient, I would be checking the box that specially states, “direct patient care.”
At our hospital, I have been told by my staff, as well as upper management, that even if you have taken care of a patient and that patient has transferred to a new floor, you are not able to open the chart to keep track of the patient’s plan of care. You are no longer directly taking care of that patient, so you have no rights to look into their charts. There is an auditing system that checks to see if people are looking into charts that they should not be looking into.
Although my unit receives all our patients from the Emergency Room, I am not, and neither are my co-workers, able to snoop into the ER charts to check what kind of patients we may be potentially receiving. We are only allowed to check the patient’s chart once the patient is assigned a room on our unit.
Another strategy my unit utilizes is not sharing patient information over the phone. It does not matter how kin you are to the patient, we kindly inform family members and friends that we are not to share information through the phone.
One last strategy we use is to make sure you log off the computers inside of that patient’s room and while you are at the desk charting. The great thing about our computers is that if you are not using it, it takes about two minutes to lock the screen. All devices should be secured with password-protected screensavers and automated logging off after a period of time (Blanke and McGrady, 2016). We also make sure that any patients’ paper charts are in a cabinet where only health care providers have access.
Reference: Blanke, S., J., & McGrady, E. (2016). When it comes to securing patient health information from breaches, your best medicine is a dose of prevention: A cybersecurity risk assessment checklist. Journal of Healthcare Risk Management: The Journal Of The American Society For Healthcare Risk Management, 36(1), 14-24. doi:10.1002/jhrm.21230
Patient safety and security as it relates to EMR is so important. In today’s world of technology and information, hacking or a breach of information leaves consumers and patients vulnerable and reluctant to endorse the electronic medical records. As you mentioned, we hear so much about security breaches from major industries such as the IRS, department stores, social media, and even in the political arena that the thought of having our own healthcare record public for millions to view is unsettling. However, just saying no to the implementation of the EMR knowing its many benefits to healthcare and positive patient outcomes cannot be ignored. The EMR allows information to be documented timely, retrieved, reviewed, processed for clinical decision making, and an evidence-based plan of care to be implemented, and an achievable goal established. How can we as healthcare leaders and change agents not support the process of the EMR with all its known positive benefits to patient safety, access, and desired outcomes to the delivery of patient care? In 1996, the Health Insurance Portability and Accountability Act (HIPAA) provided the groundwork for enforcing the protection of private medical information (). These guidelines stated that patients had the right to view and obtain copies of their records, and request amendments to confirm they have the right of accessing their medical records to understand and monitor their health status and the process of their diagnosis and therapy (). HIPAA today plays a major role in how we protect and secure patient information. Consumers and patients know now if they enter a healthcare facility HIPAA guidelines will be addressed and enforced but unfortunately, there are individuals in the world that will find needs to breach private information for their own personal agenda.
Huang, L., Chu, H., Lien, C., Hsiaso, C., & Kao, T. (2009). Privacy preservation and information security protection for patients’ portable electronic health records. Computers in Biology and Medicine,
The privacy of patients and the security of their health information is the most imperative barrier to overcome when providers consider implementing electronic health records systems (Kruse, Smith, Vanderlinden, & Nealand, 2017). The most commonly mentioned security actions and methods are structured into three themes: administrative, physical, and technical safeguards systems (Kruse et al., 2017). EHR and EMR records contain sensitive information that hackers can use and sell, thus the need for contained electronic health records and advanced EHR/EMR system security techniques. Considering current legal regulations, patient confidentiality is more important than saving money on adding firewalls and other electronic security measures. Nurses should not make the mistake of thinking because records are digital now the risk of a confidentiality breach is lessened. Actually, it increases. Nurses can ensure patient privacy and the security of health information by safeguarding sign in pass codes and creating pass codes that are not common. Nurses should also be on the lookout for common signs the system is being hacked or compromised (this is definitely an informatics skill). Properly securing EHR and EMR records builds patient trust and advances the NI leader’s goal to promote electronic health information exchange.
Kruse, C. S., Smith, B., Vanderlinden, H., & Nealand, A. (2017). Security Techniques for the Electronic Health Records. Journal of Medical Systems, 41(8), 127. http://doi.org/10.1007/s10916-017-0778-4