Though healthcare privacy is often (and incorrectly) lumped together with security, patient privacy should not be understated in a healthcare setting. In fact, privacy training, procedures, auditing and monitoring, compliance, controls, risk mitigation planning and other privacy functions are complicated in their own right, and combining them with security initiatives would do both patient data privacy and security a disservice.
Kevin Haynes is the Chief Privacy Officer of Nemours, a children’s health organization with two hospitals and more than 30 other specialty and primary care locations across four states: New Jersey, Florida, Pennsylvania and Delaware. Haynes told HealthITSecurity.com that his primary role is to design, implement and enforce Nemours’ privacy practices while advocating for its patients, families and associates.
Haynes explained that process improvement is critical and that Nemours is trying to shift as much of the burden as possible away from healthcare providers so they can communicate and provide care in the most effective way possible. Haynes said he focuses on the patient and finds the right balance between the care they deserve and the protection of their health information. To create that balance, he concentrates on a comprehensive approach to delivering effective privacy practices.
The thing about privacy is there are not very many scenarios that are the same. You learn that a privacy request or incident usually involves a unique set of characteristics. So for each one, you have to treat it differently and take a careful, thoughtful approach to the privacy requirement, request, investigation, or evaluation (whatever it may be). And you can’t educate with generic responses, so we’re looking to provide scenarios based on real-life situations and deliver them directly to the groups that need them as quickly as possible. You need multiple ways to distribute and deliver the content.
Training is a multi-tier effort, according to Haynes, who said that every new associate receives comprehensive privacy training. Nemours also provides different privacy-related education and outreach each month. Haynes said there are multiple ways of communicating a particular message: digital signage, email, orientation, site visits, newsletters, whatever it takes to deliver the right message in a way that is understood and appropriate for the audience. And when there is a privacy problem, such as a user mailing the wrong patient record, Nemours offers every individual involved in the breach immediate education and awareness.
I also strongly believe in outreach, so most of my job is not sitting and fielding calls. It’s about getting out there and talking to people and being present. That way, I can answer any questions, provide guidance, and generally be available before getting into a [breach] situation.
Another focus for Haynes that some may overlook is user awareness, which should extend beyond generic messages that merely remind users that they must comply with HIPAA. “We’re looking at situations where a family calls in and asks how their child is doing [within your organization] or lab results. The rules can be very confusing at times, especially when state law is sometimes more restrictive than HIPAA,” Haynes said. “So we’re trying to come up with best practices, such as how we can honor and respect the patient’s privacy rights and securely provide the information for the family.”
Haynes’s approach to privacy training is a reminder that training should involve proactive outreach and user awareness rather than only signage and “Beware of HIPAA” warnings.