If you look behind most breaches of protected health information, you'll see people: individuals who inadvertently exposed protected health information (PHI) publicly, or individuals who deliberately stole PHI for personal gain. Health care organizations that want to secure the privacy of patient data should focus on PHI's human side.
Organizational culture is the most powerful weapon that payers and providers can wield to keep the personal medical information of their enrollees and patients secure. Technology can be an effective tool in safeguarding PHI, but its effectiveness is determined solely by the people, and the culture, guiding its use.
There are four key attributes to a health care culture that's successful in protecting patient health information and avoiding a data breach.
- View medical information as an extension of the patient
A provider's or payer's responsibility to the patient doesn't start and stop with an episode of care or claim for payment. It starts from the moment the patient enters the organization's data system and continues indefinitely. An individual's medical information should receive the same high level of care, attention and service that he or she receives as a patient. The patient and data should be considered as one.
- Responsibility for protecting patient health information belongs to everyone, not just the IT department
Unfortunately, in many health care organizations, it's typical for people to think, “We do our clinical thing, and IT does its data thing.” Everyone at a health care organization who touches patient data during its lifecycle is responsible, from initial data entry through the episode of care and into data storage. Health care organizations must have data security policies and protocols that extend anywhere patient information is, from beginning to end.
- Embrace the opportunity to learn from another organization's mistakes
A health care organization that suffers a data breach will perform a root cause analysis and identify lapses in policies or practices in hopes of preventing another problem. That's good, but even better is seizing the opportunity when someone else has a problem. Advanced facilities will hold special educational sessions following a breach at another organization and ask themselves, “How do our policies and practices compare with theirs? What do we need to change? What do we need to update?” That strategy allows an organization to stay ahead of the game without the added pressure of dealing with its own breach.
- Expect the same data security mindset from business partners
It's one thing for a health care organization to have its own house in order. It's another to expect that of any business partner, but that's how it should be. Health care organizations must insist that their business associates have effective policies, procedures, protocols and practices in place to secure patient health data. A culture that expects that of itself should expect that of others it does business with.
Culture starts at the top, and health care organizations are no exception. Just as data security is not the sole responsibility of the IT department, neither is it the sole responsibility of the CIO or even the CEO. The cultural attributes that can help organizations protect patient health information start at the board, move down into each C-suite position and then to their individual teams, departments and staff.
Data security must be thought of as a lifestyle change required of an entire health care organization that wants to protect patient health information.
To learn more about data security and protected health information, read Jonathan Carr's “3 Ways to Tighten Healthcare Data Security” on McKesson's Medical Imaging Talk Blog.