Due to the recent increase in use of EHRs, increase in incidents related to patient privacy, and strict governmental privacy regulations in countries across the world, the healthcare industry has been essentially caught unprepared to protect patient privacy on a wide-scale basis. Healthcare organizations are increasingly in need of requirements for patient privacy breach detection, remediation workflow practices, notification, prevention, accounting of disclosures and continuous improvement. Data definitions and requirements for conducting the above activities are not currently available to care providers, vendors and systems integrators. Some measure of clarity will result from governmental interpretations of ARRA HITECH. However, privacy experts speculate that standards for implementing these key privacy activities are ten years away. Yet privacy risks and regulatory responsibilities are immediate.
The purpose of the FairWarning Framework series of documents is to contribute much needed patient privacy knowledge to care providers, EHR and healthcare application vendors and systems integrators. FairWarning believes this will assist in accelerating the privacy market and while it may increase competition, it will create an overall larger market which will better serve the care providers facing wide-scale privacy challenges.
This document, the Patient Privacy Data Definition Guide, identifies and defines patient privacy auditing data used in disparate clinical and non-clinical systems which is required for the detection and prevention of patient privacy breaches such as curiosity-based as well as malicious medical record snooping, traditional identity theft, and medical identity theft. This guide incorporates FairWarning’s privacy auditing experience with well over one hundred EHRs and healthcare applications operating within organizations representing nearly 800 hospitals and 2,400 clinics around the world.
The overarching benefit of the FairWarning Framework is to encourage the uninterrupted promotion and adoption of EHRs by providing a practical working framework for enabling patient privacy on a wider scale. Specific benefits of this guide:
- Increased EHR and healthcare application vendor support for privacy auditing
- Consistent understanding for healthcare information technology professionals and systems integrators of data and processes required to support privacy auditing
- Ability for information security vendors to predictably integrate, normalize, correlate and analyze the data from EHR and application vendors
- Ability to apply effort and resources toward advanced analytics, correlation and workflows which identify privacy breaches and associated remediation, thereby enabling preventive measures
This document is intended for use by:
- Healthcare providers and other organizations handling PHI. Using the guide, organizations handling PHI are able to learn best data practices used in centralizing patient privacy data, or for providing best data practices to their EHR and healthcare application vendors when support is requested.
- Electronic Health Record vendor and application vendors. Leveraging best data practices, EHR and healthcare application vendors are able to produce audit logs that satisfy their customers’ needs as well as vendor and care provider regulatory responsibilities.
- Healthcare systems integrators and service companies. There are few services and systems integrator companies familiar with best privacy auditing practices. This guide provides a practical framework for assisting them in collecting audit data as well as educating their staff in best practices.