April 17, 1998

Patient confidentiality measures safeguard sensitive information

Using the medical center's computer system to stroll through someone's medical records out of curiosity; loose talk in hospital hallways and elevators; or viewing the chart of an unassigned patient are all examples of breaches of patient confidentiality.

"Vanderbilt has a long history of protecting patients' rights to confidentiality and privacy," said Ann J. Olsen, director of Information Management Planning. "In the near future the medical center will be implementing improved policies that address information security and confidentiality more broadly."

"In addition to patient information, we will be implementing increased protection for other types of sensitive information, such as student and employee records, proprietary software code, terms and conditions of contracts, and business plans," she said.

According to Marilyn K. Yager, VUMC's director of Health Policy Development, new federal legislation regarding increased confidentiality of medical information is in the works. The Medical Information Protection Act of 1998 was introduced last year in the U.S. Senate and is making its way through revision in committee.

The legislation is being revised to better protect patients' confidentiality and to address all the complications of how our health care system works.

"The legislation needs to address how quickly new information moves through the system, and how many people are appropriately involved in having access to that information," Yager said. "There are also other issues the legislation needs to touch on." As an example, Yager cites a physician taking a patient's family medical history and what is then done with that information.

If Congress fails to enact federal privacy legislation by August of 1999, the Secretary of Health and Human Services is required to issue rules establishing electronic privacy standards in the year 2000.

"Confidentiality is to a physician what sterility is to a surgeon. It is an important ingredient to the relationship between the patient and the physician," said Dr. Frank H. Boehm, director of Maternal Fetal Medicine, and chairman of the Ethics Committee. "It is important for the patient to feel secure in telling his or her doctor everything that he or she believes helpful in bringing good health. The patient needs to know that information is sacred to us."

Boehm says that without that "sense of trust" the health care provider-patient team is weakened.

"We must do everything within our power to prevent that erosion," he said.

The Informatics Center and the Medical Information Services, through the use of computer audit trails, can observe access to patients' electronic records.

"Our computer system keeps track of usage. Every time a patient's record is accessed in MARS we can tell who accessed it by their user ID; we can tell the location of the terminal used; we know the date and time the record was accessed; we know the patient record number; and we can tell what part of the patient's record was examined," Olsen said.

"All of that information is stored literally forever. This provides the basis for monitoring violations of confidentiality by users of our computer systems," she said.
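An added illustration (not code from the article or from VUMC's systems) of how an audit trail with the fields Olsen lists could be reviewed for the "unassigned patient" breach named at the top of the article. The record layout, the sample rows and the assignment table are constructed assumptions; the article does not describe the actual MARS log format.

```python
import csv
import io
from datetime import datetime

# Constructed sample audit trail using the five fields named in the article:
# user ID, terminal location, date/time, patient record number, part viewed.
AUDIT_CSV = """user_id,terminal,timestamp,patient_record,section
rn_adams,4N-station-2,1998-04-01T09:15:00,100234,lab results
rn_adams,4N-station-2,1998-04-01T09:40:00,100877,discharge summary
dr_lee,clinic-B-07,1998-04-01T10:02:00,100877,medications
clerk_ng,billing-03,1998-04-01T23:51:00,100234,clinic notes
rn_adams,4N-station-2,1998-04-02T08:05:00,100999,lab results
dr_lee,clinic-B-07,1998-04-02T11:30:00,100555,radiology
"""

# Hypothetical assignment table (assumption): users with a patient-care or
# business reason to open each record. Record 100555 has no entry on purpose.
ASSIGNMENTS = {
    "100234": {"rn_adams"},
    "100877": {"dr_lee"},
    "100999": {"rn_adams"},
}

def parse_audit(text):
    """Parse the audit CSV into dicts with a real datetime for ordering."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows

def unassigned_accesses(rows, assignments):
    """Return accesses by users not assigned to the patient.
    A record with no assignment entry fails closed: every access is flagged."""
    return [r for r in rows
            if r["user_id"] not in assignments.get(r["patient_record"], set())]

def summarize(flagged):
    """Group flagged accesses by user, oldest first, for reviewer follow-up."""
    by_user = {}
    for r in sorted(flagged, key=lambda r: r["timestamp"]):
        by_user.setdefault(r["user_id"], []).append(
            (r["patient_record"], r["section"], r["terminal"]))
    return by_user

if __name__ == "__main__":
    for user, hits in summarize(unassigned_accesses(parse_audit(AUDIT_CSV), ASSIGNMENTS)).items():
        print(user, hits)
```

A flagged access is a lead for a human reviewer, not proof of a violation: an assignment table is rarely complete, so covering staff and consults will also show up here.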

Policies are being developed by the Information Policy Support Team (IPST), a task force that reports to VUMC's Information Policy Advisory Committee. The IPST, composed of members from major organizational units in the medical center, has policies in the final stages of a comprehensive review and approval process.

According to Martha K. Miers, executive director of Diagnostic Labs for the Department of Pathology and a member of IPST, the policies will be coupled with a new organizational framework to support their implementation.

"VUMC will have a new information security officer based in the Informatics Center. This individual will provide additional training and support to those who serve as information security managers within their own organizational units," Miers said.

The information security officer will also chair a committee charged to oversee future medical center information security and confidentiality issues.

"Our faculty and staff need to understand their responsibilities relative to our patient records. The records are not there to be looked at out of curiosity or out of concern. If there is not a patient-care reason, or a business reason, then they shouldn't look," Olsen said.