Healthcare is not without its issues. Seemingly, for each source asked what the biggest problem the sector faces is, there is a differing opinion on what’s most important. I’m often perplexed by the lack of cohesiveness shown toward the industry’s leading issues, too, and sometimes wonder how many of us could name the most pressing threats to the industry, as agreed upon by the community. There are clear problems – interoperability, lack of transparency, disparate systems working against each other — to name a few. So, in the following series, I’ve asked some insiders for their opinions on health IT’s greatest problems, and as you’ll see, the responses received vary greatly.
Scott Friedman, executive vice president, Sherpa Software
Healthcare IT struggles mightily with patient information that is not in the medical record system, but has leaked into other locations in the healthcare organization (cell phone emails, USB drives, employee desks, etc.). Healthcare organizations have moved Protected Health Information (PHI) into HIPAA-compliant electronic health records (EHR) systems; patients maintain electronic copies of their health information, which they give to their different providers as they move between appointments. This “patient distributed information” becomes PHI, with all its associated compliance and legal burdens for the healthcare organization.
There is liability associated with this, and information governance strategies are available that reduce the associated risks. Patient distributed information is present on smartphones, tablets, laptops, and the like that are not sanctioned EHR (such as email, file directories, etc.). These devices are not part of the organization’s HIPAA-compliant system, and never can be. Most healthcare providers ignore the problem, which eventually leads to catastrophic security failures resulting in patient privacy breaches, and career-damaging incidents for the healthcare IT department.
To eliminate the problem, IT needs to look to integrate an information governance framework that can:
- Interview employees to understand how they deal with and understand this issue.
- Audit, usually done with software systems, to provide objective evidence and quantification of the presence of PHI on your digital systems.
- Set specific policies and procedures employees can follow in each and every situation when they come into contact with “patient distributed information.”
- Provide training and review of policies and procedures work.
- Automate the policies and procedures with software systems to ensure compliance.
- Surveil your digital systems, which is the best way to monitor and review your program, as well as seek to improve it.
Acknowledge the increasing presence of patient distributed information on your digital systems, and have a plan for how to address it. Look to information governance to establish a strategy and program to address patient distributed information. With the proper policies, procedures, training, and systems in place your organization will be able to effectively handle and mitigate the risks.