Healthcare Executive - September/October 2013 - 28

Protecting Patient Medical Data
of security that protects patients and
helps to ensure compliance with federal and state requirements, Diegel
notes. St. Charles Health System had
been using various forms of encryption for many years, but the theft of a
home health laptop from an employee’s vehicle two years ago highlighted
the value of full disc encryption.
Though no one ever gained access to
the information, continuing with the
full disc encryption of laptops and
desktops became an immediate priority. “We’re obligated to protect our
patients and their information, regardless of regulations or requirements,”
Diegel says. “Yes, it added cost. You
have to invest in the technology.”
The system has implemented sophisticated privacy protection software that
audits users and identifies potential
instances of inappropriate access, use
and disclosure of protected health
information. The message, says
Diegel: “Be on notice that if you inappropriately access records with protected health information or move
records in an unauthorized fashion, it
will be picked up.”
An internal auditor also conducts
regular random spot checks. “We’re

detailed, open and transparent,
and we take it seriously,” Diegel
says. And if a security breach does
occur, “our operating practice is to
make credit monitoring services
available to patients if, for example,
inappropriate use or disclosure of a
patient’s demographic information
has been released. We don’t even
talk about cost.”

or visitors to report ethical and legal
concerns regarding potential security
breaches. “We encourage our employees and the public to disclose if they
see something fishy,” says Diegel.
“Many times we find that the concern
isn’t really valid, but sometimes it
leads to other investigations that have
helped us identify a problem or
improve a process.”

It’s also standard operating practice to
go back and identify what went awry
and then address it using rigorous process improvement methods. When
Diegel’s health information was discovered as part of a security breach
investigation, “my question was,
‘What in the process broke down?
Instead of getting mad, we said, ‘Let’s
make sure this doesn’t happen again.’”

Diegel advises providers to “Be diligent about identifying gaps with your
HIPAA risk assessments. If you do
find gaps, you need a plan of correction to bring you back into compliance as soon as possible. Small leaks
always have the potential to become
large. Always assume the worst.

Though privacy and security issues
tend to be process-related, when people are the cause, St. Charles Health
System draws a hard line. Employees
know that inappropriate access, use
and disclosure of patient information
are not tolerated—and may result in
immediate termination.

“We have a moral obligation as well
as a fiduciary and legal responsibility
to act in our patients’ best interest,”
he says. “I don’t see this as burdensome. I see it as standard operating
practice. If the board of directors and
the CEO aren’t advocating for privacy and security, then who is? For
us, it’s just another way of looking at
patient safety.”

The system also uses a national service, Ethics Point, to allow employees

Susan Birk is a freelance writer based in
Wheaton, Ill.

“ ehaveamoralobligationaswellasafiduciaryandlegalresponsibilitytoactinour
W
patients’bestinterest.…IftheboardofdirectorsandtheCEOaren’tadvocatingforprivacy
andsecurity,thenwhois?Forus,it’sjustanotherwayoflookingatpatientsafety.”
James A. Diegel, FACHE
St.CharlesHealthSystem

Healthcare Executive
SEPT/OCT 2013

Healthcare Executive - September/October 2013

Table of Contents for the Digital Edition of Healthcare Executive - September/October 2013