If we're restoring patient trust, we might want to clue the patient in

One of the overarching themes of this year's annual health information data security conference, "Safeguarding Health Information: Building Assurance through HIPAA Security"--jointly hosted this week by the National Institute of Standards and Technology and the U.S. Department of Health & Human Services Office for Civil Rights--was the issue of patient trust.

In fact, the conference, which I attended in Washington, D.C., kicked off with trust right in the welcoming remarks, with NIST deputy chief for computer security Matthew Scholl stating that patients need an "inherent trust" in their providers and a "trust expectation" that providers need to maintain as they move to advanced technology.

Subsequent sessions reiterated the theme.

Keynote speaker Eric Dishman from Intel pointed to the need to "build trust" between providers and patients as the industry advances. Deven McGraw, co-chair of the Office of the National Coordinator for Health IT's tiger team, questioned if patient trust could be expected to hold across institutions as providers sought to verify patient identities when they accessed their electronic health records.

Ted LeSueur, director of product safety at McKesson, told attendees that providers need to verify that their cloud EHR vendors are protecting patient data. He also noted that if a vendor isn't living up to the provider's needs, then the provider can't meet patient needs, meaning the provider will take a financial and reputational hit. "That level of trust has to be there," he said.

Patients, however, have good reason to be skeptical about their information remaining secure. There have been thousands of breaches affecting millions of records, and it's easier to suffer a large data breach when the records are electronic.

Many of the speakers offered ways to better secure data, such as strengthening contracts with EHR vendors, training staff about proper social media and mobile device use, and the like.

But no one seemed to address the issue of how those things will translate into increased patient trust. Should providers tell patients of their efforts? Or let the absence of a security breach speak for itself?

Both options have drawbacks. Some providers who are wary of communicating may worry that patients won't understand the steps being taken to protect data, or that openness about a provider's efforts may backfire if the provider still suffers a breach. But if patients aren't more aware of the efforts a provider is taking to improve data security, the mistrust only lingers--especially when breaches continue to occur in the industry.

It's important to improve and restore patient trust. But how will you know if you've earned it? - Marla (@MarlaHirsch)