Abstract
The implementation of health information system in the healthcare settings provides a tremendous improvement in the utilization of data that facilitates a more efficient exchange of knowledge that is crucial in improving the delivery of health services in any medical facility. The decision making process is improved and patient data and medical information are updated and the health information system provides a more promising competence for all health care providers to respond accurately and to comprehensively address every patient’s health care needs. An important aspect of health information system management is keeping every patient record private and safe. Patient information and data is held sacred thus security is an important aspect of the health information management system. This paper aims to provide insights regarding the steps that can be taken in order to safeguard the privacy of patient information, privacy and security including steps that can help in improving the information system administration against security breach.
The health information system is regarded as an important pillar in the attainment of delivering quality health care objectives through the proper patient data management and communication among the health care providers. As defined by the Council of Europe (1996), health information system refers to the coherent set of health information about individuals that is used for treatment, preventive care, medical research, health evaluation and financial management system. One of the common challenges that is involved in the proper management of health information system involves the security of keeping patient data and information private and confidential. The Seismed Consortium (1996) pointed out that medical information system involves sensitive and valuable assets in the healthcare organization and the security issues are often centered on confidentiality, integrity and availability of patient records. There is a growing concern that the adoption of information system in the healthcare system, although highly beneficial, could pose the risk of a breach in security and patient privacy. Some anecdotal evidence was pointed out by Di Lima, Johns, and Liebler (1998) that breach in the confidentiality of patient health records is due to the environmental factors that are primarily due to behavior, lack of training of health personnels, carelessness of employees in discarding patient records, and the lack of protocols implemented in the proper information system administration and management.
Health care organizations are often too concerned about strengthening the information system technology security used in the information system management adopted to protect patient records against security breach that they failed to look beyond the technical aspect of security enforcement needed in order to strengthen the organization’s information system protocols to protect data confidentiality, integrity and availability of patient records. This is relative to the procedure of discarding patient record which, once beyond the security technology protocol, makes the patient record vulnerable to others. This commonly happens when proper discarding of patient record is not observed that makes the patient records accessible to the cleaning staff for instance. Making a patient record accessible to others such as under this circumstance constitutes a breach of patient privacy and confidentiality. Health organizations should be able to balance their technical capabilities to exchange health information and their ability to protect the confidentiality of patient records when discarding them.
Care should be observed when disposing patient records against unintentional breaches of confidentiality and such is the responsibility of the management and all the staff in a health organization. It is imperative that proper storage and disposal of all patient information sources, whether manual records or computer based, should at all cost protect confidentiality. Thus, only limited authorized personnel should be given access to patient health records and in case of disposal thereof it is necessary to destroy every piece of information in a manner that it is no longer accessible to others (Eckstein, 2003). The mere act of throwing a crumpled patient record is not sufficient protection of health record privacy. One protocol used for discarding manual records is shredding them into pieces in such a way that one could no longer intelligently acquire the information available as they are completely destroyed. Alternatively, discarded records may be burned and the task should be carried out by an individual duly designated for this purpose to protect the confidentiality of health records. Thus, the staff authorized to have access and to destroy valuable health information should undergo the proper training in order to learn the proper way of discarding confidential records without the risk of the breach of privacy. Personnel training and staff development programs should be undertaken in order to further strengthen the security protocol in health organizations in terms of securing the availability, confidentiality and integrity of private health records of patients. In the case when the cleaning staff gets access to patient confidential records, this can be avoided by providing proper training to all staff involved in the information system management to observe protocols in the proper disposal of patient records and to include all members of the health organization in trainings to “sell” the importance of keeping all health records private and confidential. A multidisciplinary approach is needed in the health information training that will help discipline all key personnel in the healthcare settings to observe the highest confidentiality of record and to observe health information privacy. The training should include an information drive on the importance and legal implications of privacy in the health information system including the appropriate sanctions in violation thereof.
Proper information system administration involves the proper storage of medical records that should be locked with limited access to authorized personnel only. When the medical records are being exchanged, care should be observed that the same will not be accessible for perusal among the non-medical staff. Thus, health personnel should be properly oriented in trainings with clearer rules established for protecting patient confidentiality. Patient medical records should be appropriately stored in a secured location such as a centralized records room where the records can be maintained and accessible only to authorized medical staff. When using computer technology, the software should be password protected and must ideally be protected by security features against third party access. Overcrowding of medical records is also inevitable thus it is necessary to devise a system for retention and destruction of these medical records without compromising confidentiality and breach to privacy. Barnett and Mayer (1992) provide some recommendations on how to handle the proper disposal of confidential health records that will secure its privacy and confidentiality. Records may be stored in an off-site warehouse where they can be stored, microfilmed or completely destroyed. Whatever method is used, it is crucial to observe security protocol throughout the process. There are also legal provisions that differ according to state laws with regards to the disposal of medical records which must also be taken into account.
Legislative requirements in keeping medical records secured and confidential mandate all healthcare organizations to implement security protocols to ensure stringent control against breach to privacy, security and confidentiality of health patient records. Apart from the security protocols in record management, health care professionals should also be accorded with the proper training on information management system. The health information system training should be multidisciplinary that should involve all concerned personnel in handling and managing patient confidential records, teaching them the proper measures in protecting confidentiality and securing valuable information against breach of privacy. It is likewise empirical for the management to identify the appropriate target group to whom the health information system training should be provided and the scope of training required that should encompass the proper communication, storage, handling, management and disposal of confidential information of patients.
The following is recommended information system management plans that aim to deliver an efficient administration of security protocols that will protect the confidentiality, integrity and availability of patient data and information:
- Develop a health information system training to all medical health personnel involved in the management, storage and disposal of confidential health records.
- This should involve the proper identification of the appropriate group of key personnel who are involved in record management and access to confidential records including information system managers and staff.
- Appropriate training should include the proper protocol for managing private records as well as the proper disposal thereof.
- Establish a proper standard of exchanging communication involving confidential data.
- Building a record storage facility exclusively for the retention and for the disposal of the medical records and the designation of a personnel exclusively assigned to perform the tasks.
- Implementation of security policies when disposing or discarding medical records (whether archiving on microfilm or completely destroying by burning or shredding files).
- Creating a healthcare culture where every medical personnel are provided with the professional responsibility and code of ethical standards to observe.
- Legal considerations in the implementation of the disposal and retention of patient health records.
- Information drive involving all non-medical personnel to educate them about the importance of patient health record privacy and confidentiality in their work setting.
- Implementation of disclosure of information policy and the imposable sanctions and penalties in breach thereof.
A management plan against the breach of confidentiality of private health records in terms of proper disposal of medical records should be in line with legislative requirements provided by states. Written policies should be implemented according to the defined terms of the manner of discarding records such as burning or shredding and the periodic times when inactive and outdated records may be discarded with a designated personnel to take charge of the process exclusively in order to protect the security and confidentiality of health records (Tan, 2001). The training of staff and health personnel should include the development of a culture that gives every personnel the responsibility to uphold confidentiality of patient records and to observe the code of conduct and ethical standards that should be observed within the organizational setting such as the following:
- Every personnel in a healthcare organization, whether involved in the non-medical or medical health services, shall uphold the right of every individual to privacy and confidentiality of health record information.
- Put the right to privacy of every individual above personal interest.
- Advocate the confidentiality of records within the bounds of disclosure of information policy of the organization.
- Refusal to breach privacy and confidentiality of medical records as against the ethical standards of professional conduct and as contrary to the legal duties of healthcare professionals.
- Develop personal integrity in preserving the right of every individual to privacy and observing the highest standards of healthcare services from healthcare professionals.
- Holding oneself to be professionally, legally and ethically responsible to pursue a quality health care setting that advocates an environment of mutual trust between patients and healthcare professionals.
The information management system should therefore encompass security protocols that will uphold the highest standards of health information system privacy, integrity and confidentiality by providing the appropriate management standards and policies to be implemented in the healthcare setting. This should include the implementation of code of conduct that would build a more ethical and responsible health care setting where employees have adequate training and skills on how to maintain the sacredness of health records with personal advocacy towards the value of information system privacy and security.
References
Barnett, A.E. and Mayer, G.G. (1992). Ambulatory Care Management and Practice. Maryland, USA: Aspen Publisher.
Council of Europe (1996). Training Strategies for the Health Information Systems. London, UK: Council of Europe Publishing.
Di Lima, S.N., Johns, L.T., and Liebler, J.G. (1998). A Practical Introduction to Health Information Management. MaryLand, USA: Aspen Publishers.
Eckstein, S. (2003). Manual for Research Ethics Committee: Centers for Medical Laws and Ethics. Campbridge, UK: University Press.
Seismed Consortium ( 1996). Data Security for Health Care. Management Guidelines. Amsterdam, Netherlands: IOS Press.
Tan, J.K. (2001). Health Management Information System. Methods and Practical Applications. Maryland, USA: Aspen Publisher.