I have practiced as a physician assistant for more than 37 years, from handwritten medical records to the most modern EHR system available.
When I started in medicine, protecting the confidentiality of the patient was much less complicated. You had to physically secure the record at all times to protect from inadvertently disclosing protected patient information. You had to ensure that conversations with other health care professionals were confidential and served the purpose of sharing only information that was necessary to the care of the mutual patient.
Fast forward to 2018, and the vast majority of patient information and the documentation of the care of the same patients is largely digital. Vast amounts of information are collected daily and stored digitally on millions of servers worldwide.
Unfortunately, the technology and safeguards that protect that information are lagging behind. As providers of patient care, we have to trust systems that we can see to protect the confidentiality of our patients. I don’t know about you, but I’m not entirely confident that the system protects data at a sufficient level.
I try to balance my fears with the knowledge that I have better informational and safety tools than ever before. I am one of a growing minority of people who actually like the EHR and feel it makes my job easier. Just like we learn everything in medicine by experience and pattern recognition, we all have to invest time in learning the new technology in service to our patients.
Part of that training has to be a renewed perspective on HIPAA, and how the digitization of health care changes our jobs, our patients, and the personal and sensitive patient data we are duty bound to protect. We can compromise patient data faster than the speed of light.
One example that creates angst for me is communication with patients. Isn’t it great that more and more health care organizations are developing and implementing patient portals? I see an internal medicine physician for my own care and love her digital patient portal. I can access a significant amount of my patient data, labs and diagnostics, via a secure website.
I can also deal with certain provider-patient activities without even setting foot in the office. This puts a lot of pressure on my physician and her staff. Not only do they have to deal with the patients on the schedule for the day, they have to monitor the flow of digital communications from patients and deploy resources to deal with the steady stream of messages from the patients.
Her organization uses an industrial-strength enterprise-level patient portal, which is secure and encrypted. Yet, I can think of a number of ways that sensitive and confidential patient information can be compromised in their situation, by the vulnerable nature of the internet in general. I had to sign an agreement when I joined the patient portal, which governed expectations and rules on both sides of the equation.
Another vulnerability is social media. We now have hundreds, if not thousands, of patients who rate and comment on our care and the care of our organizations. What do you do when a patient airs their grievances against you as a health care provider on Twitter, Facebook or Yelp?
The tendency is to defend yourself, but publicly discussing anything about a patient and their care is a clear HIPAA violation. What a world we live in. We need to understand the implications of how we collect and use data, and carefully craft policy and best practices that protect the sensitive and confidential patient information entrusted to us, while still allowing us the freedom to do our jobs as health care providers effectively.