HIPAA and HITECH. PHI in the cloud. BYOD policies. Meaningful use.
The industry is rife with buzzwords and acronyms surrounding patient privacy and data security. The most important word, however, is one that we often overlook: patients.
Yet, they’re the reason we do what we do.
Attorney Jim Pyles, who helped draft the HITECH Act, said, “I’ve been to literally hundreds of meetings in Washington when the patient was not mentioned once. Not one time … When [healthcare leaders say] that the patient ought to be at the center of the system, boy do I applaud that.”
I agree with Jim. Focus on the patient, and our security and privacy efforts will align with bottom-line and regulatory agendas. At the recent PHI Protection Network Forum, an executive conference focused on protected health information (PHI) security, we discussed ways to make data protection strategies more patient-centric.
1. Provide ongoing education and training
At the forum, Meredith Phillips, chief privacy and information security officer at Henry Ford Health Systems in Detroit, Mich., shared how her organization transformed its misaligned privacy and security efforts into a “collective mindset” focused on protecting patient privacy and safeguarding information.
One of the initiatives Ford Health System took on was having employees trade in 5,000 personal flash drives for more secure devices. Another initiative was merging its Information Privacy and Information Security offices into one department within IT. Equally important was a rigorous employee training and education program comprised of:
- A system-wide internal marketing campaign to communicate the new focus on confidentiality.
- A branded system-wide program — iComply — to safeguard system information by securing flash drives and other mobile devices, and mandating annual training.
- Targeted communications including daily e-mails, chat sessions with the chief privacy and information officer, quarterly board updates, and social media.
And their efforts have paid off. Phillips noted a 40 percent increase in incident reporting from the previous year, requests for refresher training, and an increased perception that privacy and security resources are an advantage, not a burden. “Our organizational culture shifted to embrace [confidentiality] as a part of patient care,” she said.
2. Create a compelling case for patient privacy and data security
Gaining business acceptance for major privacy and security investments is tricky. James Anderson, a principal at Risk Masters, and James Christiansen, CRO at Risky Data, shared strategies for doing just that.
They said that privacy and security professionals must build a solid business case that calculates the “value at risk” for their organization. In other words, demonstrate the value that privacy and security provides—and what could be lost if appropriate investments are not made. The challenge is proving that this value extends beyond the bottom line.
Some of the demonstrable benefits of privacy:
- Cost avoidance
- Competitive advantage
- Labor savings
- Productivity improvement
- Improved trust and confidence
- Better compliance—and demonstrating that compliance
- Risk reduction or removal
3. Measure value with patient care
One way to illustrate this value is by measuring how privacy and security improve certain metrics of patient care. For instance, how much do privacy/security investments:
- Speed up service time?
- Improve scheduling accuracy?
- Aid in diagnostic confirmation?
- Enhance reputation?
Educating bottom-line executives on the value of privacy and security requires demonstrating the costs and benefits in a relatable, impactful way. With that in mind, many members of the PHI Protection Network contributed to the seminal industry report, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security.
Securing patient data must be a priority
We need to re-focus our privacy and security efforts back on the patient. I believe, and this forum proved, that the desire to protect patients and their data is a first priority.
We must educate our executives and workforce, prove the value that privacy and security bring, and, above all, be persistent. I know it’s possible.
Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).