One of the first lessons of process improvement is that preventing errors is much less expensive and time-consuming than remedying the damage after the fact. The same is true for an information breach. The time and cost for installing new software, training staff members, and reinforcing policies and procedures pales in comparison to cleaning up the damage of an information privacy or security breach.
Recent headlines of multi-million-dollar OCR fines and the hundreds, thousands – even millions! – of lives affected suggest the scale of the damage to both businesses and individuals. The news reports rarely explain, however, exactly how the breach could have been averted. This is the first in a new series of articles using publicly reported breaches as teaching opportunities for breach prevention. These are not intended as an “I told you so” for the organizations breached – each incident could happen at almost any healthcare organization today. The goal is for all of us to continuously improve our understanding of the risks to patient information and the options available to us for protecting that information without creating an oppressive atmosphere for our patients, staff, and visitors.
Unauthorized photographs of a surgical patient
This first example was reported in the HIPAAJournal just last week. Basically, surgical staff members photographed a patient’s genital injury using their personal phones and shared the photos with friends. Details of the incident are available in the HIPAAJournal post. What we want to focus on here is whether and how management could have prevented this breach.
This incident is particularly egregious because the information disclosed was so sensitive and because so many health care professionals and staff members – the very people charged with keeping the patient and his information safe – were complicit in the violation. I understand that in the face of such irresponsible behavior, a manager might be tempted to feel helpless – “I can’t watch every person every minute. What can I possibly do to make sure none of my staff ever do something stupid?” Here are some suggestions.
Action 1: Policy disallowing use of personal phones in the OR (or any patient area) for any reason.
As a former frontline nurse, I understand the tendency to scoff at policy – “What good’s a policy? People will do whatever they want to anyway!” There’s some truth to that – practice never perfectly matches policy – but what a policy does do is establish clear guidelines for expected behavior.
If the hospital wants staff to have mobile communications, they need to supply them with Vocera badges or other devices and not rely on staff members’ personal telephones. Personal phones can be used at the desk and in the break room, but not in patient areas – period. Responsibility for enforcing the policy must be shared by charge nurses and circulating nurses, not just the department manager or director. A charge nurse found not to be enforcing the policy could be suspended just as if s/he had been using the phone him or herself.
Action 2: Intensive staff training, retraining, and reinforcement.
The speed and shamelessness with which these staff members brandished their phones suggests gross ignorance of the HIPAA Privacy and Security Requirements and of the potential consequences for violating them – termination, civil charges and fines, and criminal charges that could include probation or jail time. Staff should receive comprehensive HIPAA training during their orientation before being given access to patients or PHI. That training should then be reinforced with shorter refresher courses and/or routine discussions of patient privacy and information security in staff meetings, organizational Town Hall sessions, and online forums on the organization’s intranet.
Action 3: Leadership in the moment.
In the OR, the anesthesiologist, the surgeon, and the circulating nurse all possess significant authority. Any one of these individuals could have called a halt, required everyone to power off their phones, sealed the room, and called hospital security to confiscate the phones until someone from IT could sit with each individual involved to clear the photos.
This action is still more Band-aid than prevention, but it is the actions of leaders in the heat of the moment that either reinforce or undermine policy and training. It did sound like the executives were taking the incident very seriously and had applied appropriate sanctions. It may also have been the case that the circulating nurse or surgeon brought the incident to the executives’ attention – that information wasn’t included in the article. The critical takeaway is that protecting patient privacy, confidentiality, and information security are now as important a leadership responsibility as patient safety and infection control.
The above actions, taken together, are the pillars of creating a Culture of Compliance. Whether the focus of the compliance is HIPAA, CLABSI protocols, or hand washing – all require clear expectations, appropriate training, and unrelenting leadership. Culture is powerful – the trick is to create a culture that makes it easy – automatic – to do the right thing.
Our very best wishes to the patient and everyone at UPMC Bedford Memorial trying to remedy the situation.
If you need assistance establishing a culture of compliance please contact us at compliance@thirdrock.com
Protect Your Patients. Protect Your Practice. Protect Yourself.™