Who can blame you for being worried about patient privacy violations? They have been all over the news lately:
In addition, HHS promises more enforcement through the Health Information Technology for Economic and Clinical Health (HITECH) Act, so hospitals must get prepared.
How does the healthcare industry quell the curiosity of staff members who are peeking into patient records?
Some industry leaders say give them what they want–full access to medical records–and see if they take it. In other words, bait them, then catch them in the act.
Monitoring staff members and tracking their access to medical records will only get you so far. Some facilities use fictitious medical records that IT monitors to determine whether anyone is accessing them.
"This is frosting on the security cupcake," says Gary Nichols, CISM, chief information security officer (CISO) at Blue Cross Blue Shield of Arizona. "You put something so sweet out there that they can't resist."
Nichols does not use these so-called "honeypots," but he's hearing an awful lot about them across the industry.
"It has spectacular results," he says. "If you have 500 users who have access to a system, and you are aware of patient information system access requirements, you know something is wrong when people start searching for and accessing records for Barack Obama."
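As an added illustration (not code from the article or from any facility it quotes), here is a small Python check that scans an EHR access audit log for opens of decoy records and ignores the service account that maintains them. The log format, MRNs and account names are assumptions constructed for the example.

```python
"""Flag access to decoy ("honeypot") patient records in an EHR audit log.

Assumed audit log format (constructed for this example, not a real EHR
export): one CSV row per access event with the columns
timestamp,user,role,mrn,action.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: MRNs 90000001 and 90000002 are fictitious decoy
# records that nobody has a clinical reason to open.
DECOY_MRNS = {"90000001", "90000002"}

# Accounts allowed to touch the decoys (the team that creates and
# maintains them). Assumed names, not from any real system.
MAINTENANCE_ACCOUNTS = {"svc_decoy_maint"}

SAMPLE_AUDIT_LOG = """timestamp,user,role,mrn,action
2011-03-01T08:02:11,svc_decoy_maint,service,90000001,update
2011-03-01T09:15:42,jdoe,nurse,10004421,view
2011-03-01T09:16:05,jdoe,nurse,90000001,view
2011-03-01T09:16:30,jdoe,nurse,90000002,view
2011-03-01T11:40:13,asmith,billing,10007788,view
2011-03-01T13:05:58,mlee,physician,90000002,view
"""

def find_decoy_access(audit_csv, decoy_mrns=DECOY_MRNS,
                      allowed=MAINTENANCE_ACCOUNTS):
    """Return {user: {"role": ..., "mrns": [...], "times": [...]}} for
    every non-maintenance account that opened a decoy record."""
    hits = defaultdict(lambda: {"role": None, "mrns": [], "times": []})
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["mrn"] not in decoy_mrns or row["user"] in allowed:
            continue  # real patient record, or the decoy maintainer
        entry = hits[row["user"]]
        entry["role"] = row["role"]
        entry["mrns"].append(row["mrn"])
        entry["times"].append(row["timestamp"])
    return dict(hits)

def alerts(audit_csv):
    """One human-readable alert line per offending user, sorted by user."""
    return [f"{u} ({h['role']}) opened decoy record(s) {sorted(set(h['mrns']))} "
            f"{len(h['times'])} time(s), first at {h['times'][0]}"
            for u, h in sorted(find_decoy_access(audit_csv).items())]

if __name__ == "__main__":
    for line in alerts(SAMPLE_AUDIT_LOG):
        print(line)
```

A real deployment would read the audit feed from the EHR's export rather than an embedded string, and would route the alert to the privacy officer for follow-up.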
Not everyone will use the information, says John R. Christiansen, founder of Christiansen IT Law in Seattle.
"I tend to doubt it's being done in smaller hospitals at all," Christiansen says. "It does require a certain sophistication and commitment of resources, and it isn't clear to me that the costs are necessarily worth the benefits compared to other commitments of compliance resources."
A couple of quick tips to get started:
Ultimately, do we want to operate in a healthcare industry where a set-up is the only way to catch inappropriate snooping into patient records? No. But because of recent violations, the message is clear: Some just do not respect HIPAA privacy laws enough.
"We are still trying to change the norms in the industry," Christiansen says. "Paradoxically, maybe once we have shifted the balance so that the norm is a robust respect for the privacy and security of personal information, we can deal more leniently with offenders."