U tightens medical privacy policies

By Carlos Mayorga

Officials in several U health science facilities are working to toughen enforcement of privacy policies and procedures after an audit in October 2007 revealed several key vulnerabilities in employees’ ability to protect patient information.

For two months in late 2007, four auditors in the U Internal Audit Department monitored strengths and weaknesses in protecting private patient information at different locations in the University Hospital, the Huntsman Cancer Hospital, the Huntsman Cancer Institute, the Moran Eye Center and the Orthopaedic Center.

But the U is hesitant to release which departments had the most problems.

“As far as which individual department had the most problems, we are not too specific in these reports because it shows our vulnerabilities,” said Randy Van Dyke, assistant vice president for Auditing and Risk Services. “If it got out, people could exploit that.”

In a report to President Michael Young, the auditors found a number of weaknesses in various departments in their abilities to restrict access to protected health information. These restrictions are required by a federal law for safeguarding access to patient records.

For example, the auditors found that many clinics did not comply with a policy that says employees who call a patient from the waiting room may use the patient’s first name only or the first name and last initial if necessary. The report also noted that some employees who were monitored would commonly speak loud enough for everyone in the waiting room to hear information about the patient.

On several occasions, medical personnel in surgery waiting areas failed to use consultation rooms to speak to patients about surgery, even when rooms appeared to be available.

“We now use the consulting rooms or ask the patient if it’s OK to talk there,” said Chris Kidd, chief compliance officer with University Privacy and Information Security, the office that oversees the enforcement of protecting health records.

“If they’re OK with that, good–but we have to offer another place for conversation,” he said. “The key is to not surprise the patient.”

On a visit to the School of Medicine, three auditors were able to enter without visible ID badges. They found that offices and cabinets were not locked and that they were able to take the files with patient information out and read them. One auditor was able to access a computer in an unlocked office. After 10 hours of attempts to access patient information, a staff member only questioned an auditor once.

Auditors were also able to access and read patient records at the main hospital and the Huntsman Cancer Hospital with no questions asked.

Kidd said that the results of the audit prompted officials to immediately address the vulnerabilities the audit exposed by pushing for departments to strictly enforce heightened employee awareness. Now, everyone must wear a visible ID badge, including students, interns and business associates of the U.

“Everyone has to wear an ID badge,” Kidd said. “The policy has always been in place, but enforcement has been an issue.”

Kidd said that managers in several departments are currently training employees on what to do if they encounter someone without a badge in an area where that person could access patient information.

“In the health care profession, people don’t like confrontation,” Kidd said. “Employees didn’t understand that you have to approach them the right way.”

To encourage more involvement in approaching strangers, management provided scripts to hospital staff on how to politely approach someone without a badge.

“Employees now understand that if they question someone the right way, they will be supported by leadership,” Kidd said.

The audit also suggested that departments do more to make sure computers with patient information are locked and also provide better security for laptop computers.

Despite the problems highlighted in the report, Kidd said solutions to the majority of the issues that were identified have already or are currently being implemented. Within the next six to 12 months, the Privacy and Information Security Office will revisit every department to determine if the vulnerabilities have been resolved.

Kidd said that a big part of the problem is informing all employees to be more aware.

“A culture of compliance does not happen overnight,” he said. “This effort did not happen as a result of the audit, but the audit helped us to identify and look at problems.”

Each department received a report of problem areas and officials in the Privacy and Information Security Office and follow-up meetings are taking place to make sure the problems are being addressed, Kidd said.

“Security and privacy is everyone’s job,” he said. “A lot is being done and every piece of the audit is being addressed.”

Kidd said that the office wants to find money in its budget to get a third party audit team to come in on an annual basis.

[email protected]