NOV 21, 2011 2:25pm ET

Privacy is Easy


Insuring patient privacy is easy.  Well, easier than information security. 

Information security is about preventing unauthorized access to information.  Information privacy is partially about security, but there is more to it. Privacy is not just about insuring all access is technically authorized.  Information privacy is also protecting against technically authorized, but inappropriate access.  Information privacy is also about giving the subject of the information some say over how the information is used and shared.  And it is also about notifying them when something is amiss.

The best example of a privacy violation would be a noisy nurse or administrator checking out the health records of a patient in the system because they were "curious" for a myriad of reasons.  Most large city hospitals have "VIP" watch lists to try to trap for these types of access for celebrities, but there is no system-wide approach to privacy that we have seen in any EHR or HIE.

The interesting thing is that it is quite easy to implement significant deterrents against these sorts of inappropriate accesses using the principle of notification.

Most EHRs provide an electronic logging mechanism that records each authorized access of health information.  The EHR usage log contains records of the person accessing the records, the information accessed, and the patient's ID. All that would be required to greatly reduce the incidence of casual or criminal snooping would be to pass these log records against a patient notification profile. 

The patient notification profile could be easily captured and stored, allowing the patient to specify if, when, and how they wish to be notified whenever their information is accessed.

This little procedure would go a long way to assist in insuring patent privacy and would also be an early warning of attempts to break-in to the system.  One has to wonder why it hasn't.

Rob Tholemeier is a research analyst for Crosstree Capital Management in Tampa, Fla., covering the heath I.T. industry. He has over 25 years experience as an information technology investor, research analyst, investment banker and consultant, after beginning his career as a hardware engineer and designer.


Comments (4)
Hi there! This post could not be written any better! Reading through this post reminds me of my good old room mate! He always kept chatting about this. I will forward this post to him. Fairly certain he will have a good read. Thank you for sharing! san francisco limo
Posted by Lavonna K | Monday, December 02 2013 at 3:23AM ET
Nice post. I used to be checking continuously this blog and I am inspired! Very useful information specially the last phase :) I care for such info a lot. I used to be seeking this particular info for a long time. Thank you and good luck. seo packages
Posted by Lavonna K | Tuesday, November 26 2013 at 3:12AM ET

Its rare that I just outright disagree with a post, but this one shows a complete lack of appreciation for how difficult it is to manage privacy and security in healthcare. Even with the required functionality that is now incorporated in every certified EHR its not just as simple as turning it on. There are literally thousands of accesses daily to patient records, by care givers in multiple roles, and others involved in the case or encounter. VIP rules only address a fraction of these events. Without a third party solution to take the log data, index it and create the appropriate alerts and/or reports this task is not inconsequential.
Posted by mac.mcmillan | Tuesday, November 22 2011 at 2:15PM ET
Actually, I don't wonder at all why people aren't implementing this "easy" solution.

Here's an analogy of the hidden problem with this idea.

Say people in your neighborhood are nervous about security, as several burglaries have been reported in recent times. So the homeowners association gets together, and everyone decides to buy a security cameras, which they aim at the street. The cameras all feed into an app that serves the pictures up to a website. And anytime a homeowner sees a vehicle driving in the neighborhood that he/she does not recognize as having legitimate reason for being in the neighborhood, the police are called to come investigate.

Problem solved ? I don't think so.
Posted by Douglas D | Tuesday, November 22 2011 at 1:47PM ET
Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.

Blog Archive for Rob Tholemeier

An X Prize for Health Care
EHR Beyond Meaningful Use: Productivity -- Part 3
EHR Beyond Meaningful Use: Productivity--Part 2
EHR Beyond Meaningful Use: Productivity -- Part 1
Get a Job

More from Rob Tholemeier »

Blog Index »

Stay Connected

Already a subscriber? Log in here
Please note you must now log in with your email address and password.