This paper presents a management plan developed in response to a patient confidentiality security breach at a hospital, where discarded printouts containing sensitive patient information were left accessible to cleaning staff. The plan outlines immediate remedies, including a shredding policy for all discarded printouts, followed by a phased staff training program covering medical, administrative, and temporary personnel. Drawing on sources including RSNA guidelines and Kolodner's analysis of health information privacy law, the paper addresses medical ethics, legal requirements, electronic information security, and open communication practices. Codes of conduct for each employment level and a formal policy document process are also detailed.
Patient information, privacy, and security are at the heart of providing a high level of medical services. These issues are vitally important if patient confidence is to be retained, and to ensure that no potential harm comes to the patient. Hence, the information systems at any hospital should be managed in such a way as to retain the confidentiality of patient information, particularly where such information is still disseminated in hard copy form. Although the hospital prides itself on its ability to retain patient confidentiality, potential security breaches should be prevented where possible and dealt with immediately when unforeseen.
The issue of discarded printouts is very serious on a number of levels. There is no confidentiality if cleaning staff can simply take the printouts and read them. On a more serious level, discarded printouts are widely available once they leave the hospital — administrators no longer have any control over them in such a case. This is directly contrary to both hospital policy and general medical ethics. The role of the physician is to protect the patient, which includes protecting the patient's confidentiality.
As a first step, the issue should be reported directly to the night staff supervisor. Staff should not directly confront the cleaners, as that group may not have been aware of the seriousness of breaching confidentiality in this way. When superiors are made aware of the issue, the importance of shredding can also be highlighted.
Before training is arranged or other policies are implemented, the compromise of confidentiality can be addressed immediately by introducing a shredding policy for discarded printouts. This should be implemented for all hospital wards. Short of prohibiting printing altogether, this is the most immediate remedy for the problem. However, training is also necessary to ensure that all personnel working at the hospital are aware of the vital importance of protecting patients' confidentiality.
The RSNA (2011) notes that a physician is primarily responsible for protecting patient information. Simply discarding printouts of confidential information certainly does not constitute the necessary protection. This is the physician's responsibility, along with the documentation of confidentiality policies throughout the hospital. Before these policies can be fully implemented, thorough training is required.
A specific policy must also be implemented when security breaches are observed. The RSNA (2011) suggests that security breaches should be reported right away. When a report is made, an investigation should be launched to address the security issue and eliminate the problem as soon as possible.
Training will occur for all staff members working within the hospital, at all levels of service. Hospital staff will be trained at three levels: medical personnel; administrative personnel; and temporary non-medical personnel such as cleaning staff. Information disseminated at these training sessions will include the importance of the Hippocratic Oath and how it relates to patient confidentiality. Sessions will also cover ways to handle observed security breaches, such as those that occurred at the hospital during night hours.
Specific policies should also be included in these training sessions, such as the general shredding policy and its rationale, as well as how to communicate security issues to patients. A policy for communicating confidentiality and security issues to patients must be implemented. All staff working directly with patients should engage in such communication and ensure that patients understand their rights regarding these issues. Medical staff should also make patients aware of their right to privacy and what to do when they suspect that their information has been inappropriately accessed or used.
Another important aspect of training is to ensure that all staff are aware of all confidentiality policies and requirements, especially when these change (MHA UAP Toolkit, 2008). For this reason, training sessions will be implemented on an annual basis. New staff members should also be trained as soon as possible after assuming their duties.
In addition, a policy of open communication between staff members and their superiors should be implemented, especially where confidentiality and security are concerned. Any suggestions or reports should be communicated directly to the staff supervisor, so that arrangements can be made for implementation and further training where necessary. To prevent any future breaches from occurring, all persons working within the hospital should be acutely aware of the importance of patient confidentiality at all times.
The first important element of the breach is that the cleaning staff might not have been aware of the hospital's confidentiality policy. Furthermore, the matter was not dealt with immediately because administrative and medical staff were not certain of the appropriate steps to take. Hence, training is a vital part of ensuring patient confidentiality. Another important element is that, while patient security is indeed the primary responsibility of the physician, it should also be a team effort. This underscores the need for integrated training at all levels of employment. All persons working within the hospital should therefore be made aware of the absolute necessity to maintain the privacy and security of patient records.