Patient information, privacy and security are at the heart of providing a high level of medical services. These issues are vitally important if patient confidence is to be retained, in addition to ensuring that no potential harm comes to the patient. Hence, the information systems at any hospital should be managed in such a way as to retain the confidentiality of patient information, particularly where such information is still disseminated in hard copy form. Although St. John's Hospital prides itself on its ability to retain patient confidentiality, potential security breaches should be prevented where possible and dealt with immediately where they are unforeseen.
The issue of discarded printouts is very serious on a number of levels. There is no confidentiality if cleaning staff can simply take the printouts and read them. On a more serious level, the discarded printouts are widely available once they leave the hospital. In other words, the administrators no longer have any control over them in such a case. This is directly against both the hospital policy and general medical ethics. The role of the physician is to protect the patient, which includes protecting the patient's confidentiality.
As a first step, I believe that the issue should be reported directly to the night staff superior. The staff should not directly confront the cleaners, as the latter group may not have been aware of the seriousness of breaching confidentiality in this way. When the superiors are aware of the issue, the importance of shredding can also be highlighted.
Also, before training is even arranged or other policies implemented, the high level of confidentiality compromise can be immediately handled by introducing a shredding policy for discarded printouts. This should be implemented for all hospital wards. Short of prohibiting printing altogether, this is the most immediate remedy for the problem. However, I believe that training is also necessary to ensure that all personnel working at the hospital are aware of the vital nature of protecting patients' confidentiality. Indeed, the RSNA (2011) notes that a physician is primarily responsible for protecting patient information. Simply discarding printouts of confidential information certainly does not constitute the necessary protection. This is the physician's responsibility, along with the documentation of confidentiality policies throughout the hospital. Before these policies can be implemented, thorough training is required.
Training will occur for all staff members working within the hospital, at all levels of service. Hospital staff will be trained at three levels: medical personnel; administrative personnel; and temporary non-medical personnel such as cleaning staff. Information disseminated at these training sessions will include the importance of the Hippocratic Oath, as well as how this relates to patient confidentiality. The session will also include ways in which to handle observed security breaches, such as those occurring at St. John's at night.
Specific policies should also be included in these training sessions, such as the general shredding policies, the rationale for them, and communicating security issues to patients. A specific policy must also be implemented when security breaches are observed. The RSNA (2011), for example, suggests that security breaches should be reported right away. When the report is made, an investigation should be launched to address the security issue and eliminate the problem as soon as possible.
Finally, a policy for communicating confidentiality and security issues to patients must be implemented. All staff working directly with patients should engage in such communication, and ensure that patients understand their rights regarding these issues. Medical staff should also make patients aware of their right to privacy, as well as what to do when they suspect that their information has been inappropriately accessed or used.
Another important policy regarding training is to ensure that all staff are aware of all confidentiality policies and requirements, especially when these change (MHA UAP Toolkit, 2008). For this reason, training sessions will be implemented on an annual basis. New staff members should also be trained as soon as possible after assuming their duties.
In addition, I would implement a policy of open communication between staff members and their superiors, especially where confidentiality and security are concerned. Any suggestions or reports should be directly communicated to the staff superior, so that arrangements can be made for implementation and training where necessary. To prevent any future breaches from occurring, all persons working within the hospital should be acutely aware of the importance of patient confidentiality at all times.
A separate training session will be included to make all personnel members aware of the legal requirements for patient confidentiality. Kolodner (2007), for example, suggests that patient privacy and security are by no means a simple issue, especially if all information is to be converted to electronic format. Although this would eliminate discarded paper documents as a threat to confidentiality, it also means that the information can be inappropriately accessed by electronic means. For this reason, physicians must be trained to work with a variety of professionals, including pharmacists, consumers, health IT vendors, laboratories, attorneys, insurers, and other stakeholders. According to Kolodner (2007), issues such as treatment, payment, research, and even bioterrorism could come into play when a patient's confidentiality is breached. In the electronic environment, there are a number of domains that should be taken into account when ensuring confidentiality. These include user and entity authentication, access control, patient and provider identification, transmission security, information protection, information audits, administrative and physical safeguards, state law, and use and disclosure policy (Kolodner, 2007). These issues will be briefly touched upon at all sessions, but will receive more in-depth consideration for administrative staff, who work directly with patient information.
According to Kolodner (2007), 34 states and territories are part of the Health Information Security and Privacy Collaboration under the Privacy and Security Solutions contract. In addition, reports were published to describe business policies and state laws that concern privacy and confidentiality issues. This is also an important aspect of administrative staff training.
The importance of security and confidentiality in hospitals cannot be overemphasized, as indicated by Maerian (2010). Patient confidentiality is a vital element in ensuring that patients receive a high quality of care. This can only occur when patients are assured of the confidentiality of their information.
To handle the security breach occurring at St. John's, I will therefore implement a specific management plan. The first step, as mentioned above, is to implement a shredding policy for all patient information printouts. Shredding should occur as soon as the information has been used and is ready to be discarded. The second step is to communicate the policy that at least one administrative staff member should be present at the computer and printer stations at all times to ensure that no unnecessary breaches of confidentiality take place. These policies will be implemented immediately, before training takes place.
The second phase of the plan is training. All personnel will be made aware of the training, which will take place in phases for all three levels of employment. To manage the number of personnel and workload, training will take place over a number of weeks, with a proportion of each employment level engaged in training. Training will include information regarding the necessity of patient confidentiality, medical ethics, the law, and other issues appropriate for the particular employment level in question.
When training is complete, administrators will create a preliminary policy document that includes all policies regarding patient confidentiality at the hospital. This will include policies such as shredding upon discard, manning information stations, communicating with patients, reporting confidentiality breaches, and open communication with superiors. The document will be circulated among all staff members, allowing them to communicate suggestions to their immediate superiors. Personnel members will have a week to finish making suggestions. These will then be discussed during a meeting among staff managers before being finalized in a final policy document. This document will be displayed throughout the hospital, while each staff member will also receive an electronic version.
As a general policy, patients will be made aware of this document and the high importance attached to the confidentiality of their records as soon as they are first seen by nursing or physician staff.
As for cleaning and temporary staff, the document will be provided to them in hard copy format, as they do not have an electronic mail account at the hospital. In this way, it can be ensured that all workers within the hospital receive the document.
Finally, a code of conduct will also be included in the document. This will include codes for all levels of employment: medical; administrative; and temporary staff.
For medical staff (nurses and physicians), the code of conduct will include the following elements:
2. Ensure that patients understand the contents of the document.
3. Communicate with patients their right to report any suspected breach of security.
4. When such reports are made, report immediately to the ward supervisor.
5. Report any observed or suspected breach of security.