Security and Protected Health Information
Depending on your organization's policies, and whether or not you have a security staff, you may have an underlying issue of potential risk that is just waiting to be discovered.
Security Officer Access to Personal Health Information (PHI)
In many healthcare settings there is a security presence of dedicated staff that will enforce organizational policies and protect anyone on the property. In some cases that staff is proprietary and in others it may be outsourced to a guard firm. Either way, there may in fact be a risk that those officers have too much information available to them.
In most cases security staff does not need to know what a patient’s medical history is, or what they are being treated for. However, that does not mean that they cannot, or will not, find out that information.
Sometimes it is just an overheard conversation that gives them that information; other times it may be certain protocols that tell them as much. In the latter case it might be the isolation cart in the hallway, or other precautions medical staff are taking, that let the officer know there is an issue. There are always those well-intentioned staff members who will tell an officer the patient has MRSA or hepatitis, just as a heads-up. If you do not think this happens, you are living in a vacuum.
Protecting Patient Privacy
No matter how good your policy is for protecting patient privacy, there will be breaches. As we all know, humans think for themselves, and it has been proven that in some cases they will disregard policy/protocol to ensure someone else's safety, or in some cases they just have to tell someone something. With a closely aligned security staff, that information may be moving at lightning speed.
Security Screening After Hours
Security officers also have a role in building access, and in many cases staff control desks after normal business hours to control that access. In many medical centers this is done just for after visiting hours. When an organization allows after-hours visitors, security is oftentimes provided with some information on who is a patient and where they are located. In many cases the information is sterile, with just the names of patients and room numbers. In the more serious cases they may have access, limited or unlimited, to the patient's protected health information.
Case in point is a northern California medical center that was recently fined for 33 incidents of security officers accessing protected health information. The security officers had computer access to look up patients for after-hours visitors, and their access was excessive and unwarranted. As a result, it would appear that they found a way around a computer restriction that allowed full access. In some cases they looked up family member information, or that of frequent patients that may have posed a security risk in the past. It was reported in this investigation that the officers often did not log out of their workstation, so they believed that others may have accessed information under their name. Also, at least one officer said that the security supervisor asked the officer to access information because the supervisor was looking into how much access the officers had. Obviously there were some serious issues with that department, but the question is, can that be happening in your organization?
Patient Lists
In most cases a printed list of patients that are allowed visitors is all security really needs. That information should include only names and room numbers, and nothing else. Even with that limited information, the list needs to be handled properly and never be left unattended. In some organizations patients can be registered as "No Info" patients, meaning that they do not want anyone to know they are in the hospital. Those patients should NOT be listed on any list given to security. Of course security will need to know if there are any security issues with that patient, but that can be dealt with in other policies and operating procedures, thus limiting the risk that the patient's information is disclosed.
Patient Info Online
In the case of the unlimited information accessed by the department above, this is a classic example of officers having information and management either not knowing or just looking the other way. There have to be safeguards in place to ensure that cases like this do not happen, and it is incumbent on security management to know what is going on. The manager/director needs to ask the tough questions and fully understand what liability, if any, might be just under the surface. Ignorance will not be an acceptable defense. All too often a supervisor might claim that they did not know, but that is only because they did not want to know, or care to know. Professional managers will recognize unjustified exposure and deal with it immediately. However, there will not always be a seasoned professional at the helm.
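The two controls described above (a security desk list limited to names and room numbers with "No Info" patients omitted, and a check for security-desk lookups that go beyond that) can be expressed as a small data-minimization and audit routine. This is an added illustration, not code from the original article or from any particular hospital system; the census records, role names, field names and log entries are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patient:
    mrn: str          # medical record number (constructed placeholder values)
    name: str
    room: str
    diagnosis: str    # PHI that security should never see
    no_info: bool     # patient asked that their presence not be disclosed

# Constructed sample census, not real patients.
CENSUS = [
    Patient("MRN-0001", "Avery Example", "302A", "MRSA isolation", False),
    Patient("MRN-0002", "Blake Sample", "417B", "Hepatitis C", True),
    Patient("MRN-0003", "Casey Demo", "118", "Post-op recovery", False),
]

def visitor_list(census):
    """Minimised after-hours list for the security desk:
    name and room only, and No Info patients left off entirely."""
    return [(p.name, p.room) for p in census if not p.no_info]

# Fields a security-desk account is permitted to retrieve (assumed policy).
SECURITY_ALLOWED_FIELDS = {"name", "room"}

# Constructed lookup audit records, as an EHR audit trail might export them.
ACCESS_LOG = [
    {"user": "sec01", "role": "security", "mrn": "MRN-0001", "fields": ["name", "room"]},
    {"user": "sec01", "role": "security", "mrn": "MRN-0002", "fields": ["name", "room"]},
    {"user": "sec02", "role": "security", "mrn": "MRN-0003", "fields": ["name", "room", "diagnosis"]},
    {"user": "rn07", "role": "nurse", "mrn": "MRN-0002", "fields": ["diagnosis"]},
]

def flag_security_lookups(log, census):
    """Return (user, mrn, reason) for each security lookup that exceeds
    the minimised visitor list: a No Info patient, or fields beyond name/room."""
    no_info = {p.mrn for p in census if p.no_info}
    findings = []
    for rec in log:
        if rec["role"] != "security":
            continue  # clinical roles are governed by other access rules
        if rec["mrn"] in no_info:
            findings.append((rec["user"], rec["mrn"], "no-info patient looked up"))
        extra = set(rec["fields"]) - SECURITY_ALLOWED_FIELDS
        if extra:
            findings.append((rec["user"], rec["mrn"],
                             "fields beyond name/room: " + ",".join(sorted(extra))))
    return findings
```

Running the audit over the sample log flags the No Info lookup by sec01 and the diagnosis retrieval by sec02, while the nurse's clinical access is left to the clinical policy.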
Security Leadership
If you have a proprietary department, does your security manager have any professional certifications (CPP or CHPA)? Were they promoted from within, knowing only your organization's way of handling security? Do they have an educational background in healthcare security or security in general? Do they participate in all training opportunities to help them grow in their field? Are they active in professional associations that provide advanced training and networking?
If you contract out your service, what are the qualifications of that contract company? What is their training program? Is all the staff assigned to your site fully trained, including the relief staff? These are just a few of the questions that you need to ask about your operation. Senior management needs to fully understand the complexities of healthcare security and all the associated risks that come with it. The laws are changing all the time, and this service is becoming more and more regulated.
Understand Your Risks
Do you know your internal issues? If not, maybe it is time to conduct an independent audit/review of your security operations so as to avoid the negative press and regulatory issues that may surface when you least expect it. In past cases issues have not come to light until there is a serious incident, and then the organization is in the spotlight. In many cases that is where security negligence will come into play and the lawyers will be hiring consultants to be expert witnesses against your organization. Your operations will be measured against what are described as the industry standards. Are you ready for that? It is best to review your program before any of that happens, eliminate any low-hanging fruit, make constructive changes, and work on a long-term solution for mitigating any and all known risks.