Introduction
Healthcare and information systems are two different industries altogether. But with the introduction of new era of information technology, it becomes basic necessity of each and every industry. In last few years, information technology brings radical changes in the hospital management, starting from the maintaining database of medicines, patients to centrally connecting the whole hospital staff and as well as customers.
With a more and more inception of information technology in the hospitals, it also arises a major issue of privacy, security of medical records/health information of patients. Increase in information technology building, the development of health care information systems, and the ease of availability of electronically disclosed health information makes patient privacy complicated. Its not just the information systems are responsible for disclosure of patient private data but sometimes doctors, nursing staff, laboratory staff and third party employees (like sweeping, cleaning, security staff) are readily involved in the leaking of the medical records of the patient.
There is a strong relationship between doctor-patient which should not be broken. Doctors, nursing staff must adhere to strong ethical standards and principles related to privacy and security of health information of patients. The leakage of the patient data brings many troublesome conditions like patient’s medical records can be used for by pharmaceuticals companies for direct marketing the medicines which are recommended by doctors, evaluating the quality of medicines provided or ensuring what are the health plans particular person is using (hampers the financial integrity of the patient).
Sometimes patient’s personal medical information also affects its employers as from what disease is there suffering? So they can also able to lay off him. So the integrity and privacy of the medical information of the patient must be made ensured by any reputed hospital. It will help to build customer confidence, trust and secrecy of medical records. Better information systems and proper management brings in reduced cycle time, better inventory management, and increased productivity, reduced costs, improved accuracy, improved business relationships, increased customer service and minimized the paper work.
Management plan
As the case describes, St John’s Hospital is famous for its better privacy and security policies for the medical records of the patient but is unable to stop the cleaning staff from debarring the strong information system of the hospital. Health insurance portability and accountability act have defined health information as it is verbal or written information developed or owned by a life insurance company, public health authority which relates that mental or physical health of a patient is taken care of. The health care information system is broadly divided into two parts- internal and external.
The internal information system consists of data and information which are developed and maintained by health care organization internally. It mainly concentrates on medical and administrative information. It collects specific information related to patient like medications, problems, history, laboratory test results etc. it also collects the combine data of all the patients and is lastly used for the comparison of data with other patient’s medical care.
While the external health information system is used as expert based information which is usually collected by experts, outside of healthcare organizations. Doctors used these types of information for consulting complex medical cases. Professional health care journal is also source of external information system. some websites also provide information and details about the health and management issues related to the healthcare management. (Sutton)
Basically in a healthcare organization, each doctor keeps an electronic record of the patient on its computer system and they usually share the information with the help of local area networking or in the form of summaries like discharge letters (Bass, 2006). So the main concern of breach activity which comes in the mind is:
Accessibility: The main dispute arises due to permit/non-permit accessibility of the information. The information system is usually not able to trace out that has accessed the information. Since sometimes a single password is allotted to a group of members, or sometimes doctors who read the cases, usually makes changes in that case according to them, is untraceable. So each medical record should be marked with an access control list who named a person or groups of person, accessing the records.
This will help first to register all the persons who are unethically accessing the database and would prevent the person who is not in a access control list to access the data. One more thing could be done by hospital staff is that they should provide the information of the doctor/ nursing staff that is going to treat patient. This will help the patient to prioritize to whom his records are restricted to and it will help to establish a trust and care relationship between doctor and patient.
This role based systems will support to more and more restricted access to the medical records. Similarly the case of the cleaning staff of St John’s hospital, the doctors should be given strict instruction to don’t waste their papers with the medical records of patients and system will store the information about the print outs accessed by which doctor and anything misshapes then he will be charged. (McGraw, 2008)
Medical record opening and power: Sometime problem arises with the patient that it has general record open to all doctors and a highly sensitive record open to one doctor. So rather than opening up of multiple access control list, doctor will open a multiple medical records for that patient. The power of accessing the medical information lies only with the patient or with the doctor who is treating that patient. One of the doctors should be considered as responsible in the access control list. Only he/she can change the access control list and makes new additions to that list.
Consent and Notification and longevity: Sometimes due to uneven conditions of the patient, the medical cases have been referred to the other doctor. So in such agreement, the consent of the patient must be taken. If he is not such in situation to give consent, a notice should be given to him. There are some records which need to keep for a long time or some records are need to erase in a particular time of frame. Mostly primarily records are ideally kept for eight years, but some serious diseases medical records should be kept for a long time. No doctor can be able to delete the medical records until the right period has expired. (Kolodner, 2007)
Centralized and secure information system: There should be a centralized information (computer) system which gathers all the data and like centralized summary having all the medical records in information system, with the proper access. The security of the information system also is made ensured. It is safe, user friendly and suitable to hospital’s requirement.
Training of the staff
Training of health care staff is a very important aspect of the information system as it will decide the successful implementation and integration of the information system. The trainer involved in the training process, must be the members of the team who has implemented and evaluated the technology. He should also be comfortable with if and buts of healthcare information system. The first and foremost important training should be provided to the nurses because they are the primary source of the information. They should be provided with proper educational support for the better development and evaluation of the information system.
Nursing staff are always associated by the quality and by the recognition of the patient. The educational support to nursing staff should be comprised of computer knowledge, information systems knowledge and then finally accommodating with the nursing knowledge. New nursing staff with computer educated shall be recruited to the hospital. Proper usual manuals shall be made for the nursing staff. Doctor should be properly trained on the information system.
Proper manuals and user guides for them shall be provided. Apart from doctors, nurses, various laboratory staff, radiology staff shall be properly guided to information systems. The third party employees (like sweeping, cleaning, security staff) shall be given proper access control to areas where they work. For highly confidential and restricted area, special access card shall be given to the third party employees. (Tsirintani M., RN)
Implementation
The implementation of the better information system plan requires a leadership role which should be played by the information systems manager. Proper leader guidance and his/her initiative will make a lot of difference. Measured plans are to be taken to implement or enhance procedures that are learned from past experiences. This can be improved by giving proper training to staff people. Proper financial planning for the new expenses occurred due to implementation of new improved technology. Patient shall be made aware about the new improved technology which helps to build long term relationship and trust with them.
Top management has to be taken into confidence about the implementation of new improved technology. Implementation of improved technology shall be made in a phased manner with organizing various training sessions for healthcare staff.
Code of Conduct
Code of conduct is always designed in keeping view of vision and mission of the organization. This code of conduct is designed in keep view of the futuristic goal of the information system. The main aim of the system is to provide safe, high quality services. The staff members have to follow certain code of conduct:-
- They should be adherence to rules and regulations of IT Act, US, under which there would be no infringement of information, medical records through that is considered to be offensive against law. ( www.mckesson.com)
- The hospital staff shall follow the strict guidelines made for the implementation of the new improved technology.
- Proper use of security entrance cards are to be used and no tailgating is allowed.
- Proper coordination of the staff members with information system administrative people. They shall also be able to identify the technical problems and provide proper feedback to the technical staff.
Current Issues and Solutions
The current system is a role model for other hospitals but lacks in the area of data security on one front that the printed records are not disposed off well. Instances of cleaning personnel reading up these records and printouts are not rare and this poses a potent security threat. The IS department at the hospital needs to take a serious note of the issue and take corrective measures to rectify the situation before any sensitive data is leaked out.
Measures to be taken by the IS Department personnel:
- Bar the cleaning staff to read through the papers and ensure quick disposal of the reports to minimize the exposure of the staff with the reports.
- Impress upon the administration that data security may be compromised through such exposures and implement some process to eliminate this scope of data leakage.
- Ensure that minimum data is printed and don’t print reports until needed.
Measures to be taken by the IS Administration:
- The administration has to realize this potential security threat and ensure proper disposal of the records.
- All records must be shredded or disposed off in a way that ensures data integrity and security to the topmost level.
- The administration should also think of ways to minimize access of personnel to client sensitive data.
- Proper planning and execution to minimize printing of sensitive data and minimize exposure to unauthorized personnel.
References
Bass, Jossey. 2006, Managing Healthcare information systems: A practical approach for healthcare executives, Pg 3-7.
Kolodner, Robert. 2007, Protecting Patient Privacy in Healthcare Information Systems. Web.
McGraw, Deven. 2008, Comprehensive Privacy and Security: Critical for Health Information Technology, Pg no 2-3.
Paragon Healthcare Information System. Web.
Sutton, Jon H. Patient privacy and health information confidentiality, Volume 86, Number 7, Pg no 1-2.
Tsirintani M., RN, Integration of a Hospital Information System in a Greek Cardiac Surgery Hospital Through specific Education Programs for Health Care Personnel, Development of Nursing Documentation, Pg no 3-4.