Compliance is an ongoing necessity for healthcare organizations across the board – but it’s not enough to tick items off a checklist to ensure that patient data remains protected. For an organization to truly protect valuable PHI from threats, you need to establish a culture of patient data privacy.
What is a culture of privacy? According to the International Association of Privacy Professionals, culture can be defined as “an integrated pattern of human knowledge, belief, and behavior… that characterizes an organization.”
In a culture of privacy, people do the right thing even when they’re not being watched. Nowhere is this more important than in healthcare: According to the 2018 Verizon Data Breach Investigations Report, healthcare organizations make up 24% of all data breach victims. A culture of privacy can help organizations overcome such statistics by preventing breaches – and contribute to maintaining the integrity and trust of healthcare institutions as a whole.
The alternative is risky – and costly. Consider the impact of a lack of privacy culture – regulatory fines, reputational damage, loss of patients, and competitive failure. According to a Forrester Report which surveyed more than 200 IT security leaders, the number one response to what concerned them the most about a data privacy failure is damage to trust. When a patient loses trust in an organization, they’re more likely to seek other facilities for care. Not only is patient engagement and retention essential, it’s also economical – it costs 90% less for organizations to have returning patients than to attract new ones.
So how do you nurture a culture of privacy at your facilities? Here are five steps to building a workplace that puts patient privacy first.
“If your organization does not have an overall culture of doing the right thing, you are going up the stream without a paddle” – Margaret Scavotto, JD, CHC, Management Performance Associates
1. Developing policies and personnel
The first step in creating a culture of privacy is to make sure your policies are up to date. The overall climate and technology of healthcare are constantly evolving, so policies must keep up at the speed of change.
The next step is to ensure that you know exactly who has access to your network and to establish roles specifically dedicated to privacy and security, including:
- Identifying all users, vendors, and contractors who access your network
- Addressing accountability by designating individuals responsible for monitoring, investigations, and privacy workflow (and making sure everybody understands who those individuals are)
- Taking an inventory of applications that contain protected data
Memorial Healthcare is an excellent example of the success you can achieve by updating policies and hiring dedicated personnel. After a 2012 breach that led to a record-breaking $5.5 million settlement to the U.S. Department of Health and Human Services, Memorial Healthcare bounced back by developing a world-class privacy program.
After the 2012 breach, Memorial Healthcare assessed the top 10 areas where they could significantly improve their privacy and security posture, and took immediate action to do so. By appointing a specialized patient privacy monitoring team — among others, including a privacy director and IT security personnel — the healthcare system is now recognized as a patient privacy leader, with some of the highest patient, employee, and physician satisfaction rates in the industry.
2. Adopting patient privacy monitoring
Developing a patient privacy monitoring program is essential to building a culture of privacy. Among the personnel identified earlier, specific types of professionals can help make your monitoring program successful:
- Staff certified in HIPAA Privacy and Security
- Experts in clinical application audit data
- Technology professionals
- Personnel responsible for day-to-day accountability and audit readiness
If you’re running into limitations with resources or in-house expertise, you can also create partnerships with solution providers that specialize in patient privacy protection.
ThedaCare was able to revitalize its facility into one of patient privacy excellence in this way, by transforming a reactionary privacy program into a proactive one. As the community-owned health system grew, they knew they needed to remain alert to continue to comply with state and federal regulations. But they recognized that “check the box” compliance alone wouldn’t do the trick. So they aimed to not only remain HIPAA-compliant, but also to meet community expectations by adopting patient privacy monitoring services and establishing safeguards for all ePHI.
“We are starting to see a shift in the culture here… our team members have a better idea about what behavior is acceptable and what behavior is unacceptable.” – Paul Triezenberg, Privacy Manager at ThedaCare
3. Onboarding and training processes
Ensuring that clinicians and staff are all trained to maintain a culture of privacy and security can safeguard a facility while preventing dire consequences. Say, for example, you have a VIP patient enter a hospital. If the staff isn’t trained on their patient privacy program or disciplinary measures for security incidents, curiosity might compel them to snoop, not realizing the scope of the consequences for their actions. Once the high-profile patient’s records are accessed inappropriately, their privacy has been breached, which affects the hospital’s reputation while leading to potential termination for involved employees.
Contrast that with an organization that prioritizes training and retraining: If the staff had been appropriately trained on the facility’s privacy program, including an outline of the remediation that follows a violation, that knowledge might have stopped them from pursuing records they had no business accessing.
“You can have the best policies in the world, but if people don’t think the compliance department will do anything, you might as well put that binder of policies in the shredder.” – Margaret Scavotto, JD, CHC
If the people in your organization don’t know the rules, and if you don’t train them on what they can and can’t do, technology won’t be able to do much. Software can catch incidents, but your team must be on board.
“Workforce members are not only crucial allies to productive investigations and privacy/compliance program[s], but they appreciate that we see how important they are to patient privacy and outcomes by including them in the process.” – Blaine Kerr, Chief Privacy Officer at Jackson Health System
4. Strengthening security measures
Expanding on the VIP patient example above, medical facilities can prevent similar incidents from happening in the future by fortifying security measures such as installing door locks, screen locks and screen savers, and limiting access to medical records to users with a genuine “need to know.” Security barriers like these are excellent ways to stop a noncompliant employee in their tracks.
“OCR says when a breach occurs, they look at whether it happened despite compliance, or because ‘[the] door was wide open.’” – Adam Greene, Attorney for health information privacy, security, and breach notifications at Davis Wright Tremaine in Washington D.C.
5. Leveraging artificial intelligence
Artificial intelligence (AI) is emerging as one of the most innovative technological advancements to come to healthcare. AI and machine learning – the type of AI that performs specific tasks by interpreting behavior patterns and “learning” from them over time – can work through massive quantities of data in a fraction of the time it would take a human to read and react to the same information. This can be used to rapidly dismiss false positives and surface the more serious situations, including anomalous behavior and criminal activity.
Because AI operates by reading patterns, it can also detect unusual behavior. For instance, if a user remotely accesses patient records at 3 a.m., when they typically only access them on-premise between 9 a.m. and 5 p.m., that difference in normal workflow could indicate identity theft, compromised credentials, or a disgruntled employee about to leak sensitive patient data. With machine learning, a privacy monitoring platform could detect and flag that behavior accordingly.
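The 3 a.m. remote-access scenario above comes down to comparing each new access against a per-user baseline of what is normal. The following Python is an added example written for this page, not code from any privacy monitoring product: it builds a baseline of the hours and access origins each user normally uses from a set of constructed audit-log rows, flags new events that fall outside that baseline, and separately flags a user who opens an unusually large number of distinct patient records in a short window (the “mass snooping” pattern). The log format, user names, the 10-minute window and the five-record threshold are all assumptions chosen for illustration; a production platform would use role context and statistical baselines rather than an exact set of hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of an EHR access audit log
# (ISO timestamp, user id, access origin, patient record id).
# These are made-up values for illustration, not data from any real system.
BASELINE_LOG = """\
2018-03-05T09:12:00,nurse01,onsite,P1001
2018-03-05T11:40:00,nurse01,onsite,P1002
2018-03-06T10:05:00,nurse01,onsite,P1003
2018-03-06T14:30:00,nurse01,onsite,P1001
2018-03-07T16:55:00,nurse01,onsite,P1004
2018-03-05T08:15:00,drsmith,onsite,P1005
2018-03-05T20:10:00,drsmith,remote,P1006
2018-03-06T09:00:00,drsmith,onsite,P1007
"""

# New day's events to evaluate against the baseline (also constructed).
NEW_LOG = """\
2018-03-08T03:02:00,nurse01,remote,P1001
2018-03-08T10:00:00,nurse01,onsite,P1002
2018-03-08T10:01:00,nurse01,onsite,P2001
2018-03-08T10:02:00,nurse01,onsite,P2002
2018-03-08T10:03:00,nurse01,onsite,P2003
2018-03-08T10:04:00,nurse01,onsite,P2004
2018-03-08T10:05:00,nurse01,onsite,P2005
2018-03-08T20:30:00,drsmith,remote,P1005
2018-03-08T12:00:00,contractor9,remote,P1008
"""


def parse_log(text):
    """Turn the comma-separated rows into (timestamp, user, origin, patient) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, origin, patient = line.split(",")
        events.append((datetime.fromisoformat(ts), user, origin, patient))
    return events


def build_baseline(events):
    """Per user, record which hours of the day and which access origins are normal."""
    baseline = defaultdict(lambda: {"hours": set(), "origins": set()})
    for ts, user, origin, _ in events:
        baseline[user]["hours"].add(ts.hour)
        baseline[user]["origins"].add(origin)
    return baseline


def profile_anomalies(baseline, events):
    """Flag events whose hour or origin is outside the user's baseline, or whose user has none."""
    findings = []
    for ts, user, origin, _ in events:
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, ts, ["no baseline exists for this user"]))
            continue
        reasons = []
        if ts.hour not in profile["hours"]:
            reasons.append("off-hours access at %02d:00" % ts.hour)
        if origin not in profile["origins"]:
            reasons.append("unfamiliar access origin: %s" % origin)
        if reasons:
            findings.append((user, ts, reasons))
    return findings


def burst_anomalies(events, window=timedelta(minutes=10), threshold=5):
    """Flag a user who touches >= threshold distinct patient records within one window."""
    per_user = defaultdict(list)
    for ts, user, _, patient in events:
        per_user[user].append((ts, patient))
    findings = []
    for user, rows in per_user.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            # Distinct records opened from this event until the window closes.
            seen = {p for t, p in rows[i:] if t - start <= window}
            if len(seen) >= threshold:
                findings.append((user, start, len(seen)))
                break  # one finding per user is enough for an analyst to act on
    return findings


def run_detection(baseline_text=BASELINE_LOG, new_text=NEW_LOG):
    """Build the baseline from historical rows and evaluate the new rows against it."""
    baseline = build_baseline(parse_log(baseline_text))
    events = parse_log(new_text)
    return {
        "profile": profile_anomalies(baseline, events),
        "burst": burst_anomalies(events),
    }


if __name__ == "__main__":
    result = run_detection()
    for user, ts, reasons in result["profile"]:
        print("[profile] %s at %s: %s" % (user, ts.isoformat(), "; ".join(reasons)))
    for user, start, count in result["burst"]:
        print("[burst] %s opened %d distinct records starting %s" % (user, count, start.isoformat()))
```

Run as written, the profile check flags nurse01’s 3:02 a.m. remote access on both counts (hour and origin) and the contractor with no history at all, while drsmith’s evening remote access passes because that pattern already exists in the baseline. The burst check catches nurse01 opening six distinct records in six minutes even though each of those accesses looks normal on its own. Both outputs are leads for the privacy team to investigate, not verdicts; the value of the baseline is that it turns “unusual” into something the monitoring program can define and audit.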
Identifying anomalous behaviors can alert privacy and security personnel to potentially dangerous situations such as:
- Identity theft
- Sale of medical information
- Workflow anomalies
- Mass snooping
- Drug diversion
- Compromised credentials
From keeping up to date on compliance to preventing breaches and detecting criminal activity, developing a culture of compliance comes with a variety of benefits. Not only does it provide a roadmap for OCR audits, it protects the integrity of organizations while building patient trust by ensuring that everybody within your organization is on board. When sensitive patient data remains protected, everybody wins.
“Culture is what keeps your compliance afloat when nobody is watching.” – Margaret Scavotto, JD, CHC