When it comes to highly sensitive health situations, patients' privacy and security are top concerns. The recent spread of Ebola shows why healthcare organizations need to have plans in place.
Healthcare chief information officers and chief information security officers turn to best practices implemented in other high-profile and dangerous situations to ensure that patient privacy and security are a priority no matter the situation.
Although it did not treat the Ebola patients, the University of Pittsburgh Medical Center (UPMC) has procedures in place for similar circumstances, John Houston, UPMC's vice president of privacy and information security, says in an article at Healthcare Information Security.
For example, Houston says, the hospital quarantines high-risk patients in rooms that require passcodes and special badges to gain entry. He says the best way to safeguard patient privacy and ensure data security is to have strong programs in place from the start--programs that the organization can adjust to meet the needs of different cases.
It's essential that hospitals also review access logs, says Jennings Aske in the article. Aske was chief privacy and security officer at Partners Health when its Boston-area hospitals treated patients injured by the Boston Marathon bombing.
"Staff who may not be involved in the care of the patient may be 'curious' and will access the health records of the patients," Aske tells Healthcare Information Security. "Organizations should remind staff via email and other communication … about the importance of role-based access and patient privacy."
In fact, after the Boston Marathon bombing, an attempt by the city's Public Health Commission to collect information on the patients faced scrutiny because it may have violated HIPAA.
The IT team also plays a role in such cases, says Phil Curran, chief information assurance and privacy officer at Cooper University Health Care in Camden, New Jersey.
It's important to have the IT team closely involved because "they will also be integral in creating quick access to the EHR for outside entities," such as local and state public health departments and the Centers for Disease Control and Prevention, Curran says in the article.
De-identifying data, a practice for which HIPAA sets standards, is another way to help keep information private.
To learn more:
- read the Healthcare Information Security article