A nurse wouldn't have a patient undress for an exam in full view of others. A culture of patient privacy prompts the nurse to draw the drapes and take other modesty measures without a second thought.
But advocates for secure patient records say healthcare has far to go before a similar culture of privacy takes hold in the handling of sensitive information that could figuratively leave a patient publicly undressed.
They say access codes and electronic security aren't enough to prevent breaches such as:
Leaving printouts in full view or a computer unattended with sensitive information on the screen.
Playing a physician's answering machine on speaker mode while staff conducts other duties around the office. That leaves open the possibility of everyone in the waiting room hearing specifics about patient tests, reports and disease diagnoses phoned in from labs and consulting physicians.
Leaving behind a blackboard full of disclosures about a person's illness and treatment after a session with hospital residents.
Kathleen Frawley, who directs the Washington office of the American Health Information Management Association, argues that 75% of data-security problems in healthcare institutions result from failure to properly train employees or emphasize a culture of awareness that leads to "respect for patients and their medical information."
Computer security won't work unless that culture can be instilled, said Dale Miller, a San Rafael, Calif.-based information security specialist. "It can't just be the system. Part of the whole computer security system has to be the awareness training," Miller said.
Data-security specialists trying to operate a tight ship in the computer age are finding they also have to tackle a lower-tech problem of what's done with the protected information once it's in patient-care areas.
A recent survey of employees at Austin (Texas) Diagnostic Medical Center asked what they perceived to be the main causes of data-security breaches. The survey found a clear majority of breaches appeared to result from a verbal slip, said Kathleen Haak, health information systems coordinator for the hospital and its adjacent physician clinic.
"It's almost like the computerized patient record is a lot more secure than people's mouths," Haak said.
Much disclosure by healthcare workers is inadvertent and a result of their doing their jobs. Unfortunately, that can lead to inappropriate discussions of patient care in elevators, dining rooms and other public areas.
The Austin medical center is trying to sharpen workers' awareness of their role in information security through initial training, follow-up seminars and confidentiality agreements that all employees must read and sign, Haak said.
The agreements spell out three levels of violation and their consequences.
The first level constitutes violations that are inadvertent and probably caused by lack of education and awareness. The next level is more severe, involving unjustifiable access to off-limits data. And the most serious level involves not only looking at off-limits information but disclosing it to others.
Penalties are decided by the supervisor based on the incident and other personnel factors, Haak said. But the combination of unauthorized perusal and disclosure is grounds for immediate and automatic termination, she said.
Another set of issues is raised by the need for consultants, contracted service providers and other outside forces to see and work with patient data, Haak said. Those agents have to be briefed and trained on security measures just as internal employees are, and the medical center is planning formal confidentiality agreements for vendors and auditors, she said.
Within the provider organization, education efforts especially need to focus on department-specific seminars in addition to the general awareness training, or else the point about inadvertent disclosure won't get across, Haak said. "All of them understand the usual speech on privacy and confidentiality. But when it comes to applying it on the job, they forget," she added.
Discussion of specific examples may help an employee in the business department, for instance, to realize the information she's giving out over the phone to get to the bottom of a billing matter could inadvertently be broadcast to an audience, Haak said.
Miller said all healthcare organizations should have an annual refresher on such issues as handling phone calls, managing passwords, placement of computers so they aren't viewed by passersby, and even where to position fax machines that might receive sensitive test results.
But some measures can be very simple, said Frawley, who saw duty protecting patient records at Jamaica Hospital Medical Center in New York before joining AHIMA.
"In my office, we had a little button that said, 'Button up.' It was a cute little thing, but it's just those little things that can help heighten awareness," Frawley said.
Mary Siero, director of information technology at North Kansas City (Mo.) Hospital, said the facility's data-security initiative included a slogan for posting in non-patient-care areas.
Intended to make workers think about when, or whether, information access is justified, it goes like this: "Need to know. Right to know. Want to know. Know the difference."