Although most patients have given the hospital permission to share their personal information with the nursing home, it is unclear whether there are patients whose personal information has been sent without their consent. Staggers and Nelson (2016) state that holding patients’ health data in strict confidence is one of the primary responsibilities of healthcare providers. Therefore, the Health Informatics Specialist needs to examine all permission forms signed by patients who are currently in treatment and match those forms with the actual cases of any data transfer that has happened recently. In case there are some patients whose permission forms are not signed or are absent, it is necessary to determine whether those patients’ health data has ever been transferred to another healthcare institution. If the Health Informatics Specialist identifies unauthorized data sharing, they have to inform their supervisor immediately and act towards gaining that specific patient’s permission.
The next step to identify existing problems would be exploring the transferred data itself because there are certain restrictions. As dictated by the HIPAA Security Rule, safeguards should “be in place to ensure the confidentiality, integrity, and availability of PHI” (as cited in Staggers & Nelson, 2016, p. 444). The Health Informatics Specialist should determine which hospital, medical center, and nursing home employees are allowed to access patients’ health data. If any unauthorized persons have ever accessed patients’ personal information, it is a violation of confidentiality (Staggers & Nelson, 2016). If there has been a case of altering or destroying health data in an unauthorized manner, it is a violation of integrity (Staggers & Nelson, 2016). Finally, if an authorized person cannot access required data, it is a violation of availability (Staggers & Nelson, 2016). This triad is a significant element of information security, and the Health Informatics Specialist is responsible for ensuring that none of these principles are violated in the hospital or other case-related institutions.
Furthermore, it is unclear what procedures and policies the hospital follows while transferring acute care patients to the medical center and sharing their data. It would seem reasonable that saving a patient’s life in an emergency is a top priority for healthcare providers, meaning that some personal information can be shared without their consent to stabilize their critical condition. According to the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers are permitted to decide whether a specific act of sharing a patient’s personal information is in their best interests (McDonald et al., 2020). However, such disclosures during an emergency “must be limited to information directly relevant to the individual’s care” (McDonald et al., 2020, p. 671). People involved in personal data sharing should stay focused in critical situations and realize what information is required to save a patient’s life or stabilize their condition and what can remain unrevealed and secure. The Health Informatics Specialist can examine information security policies used in the hospital in emergencies to check if they contradict professional ethics. If such policies are not applied, they should be introduced immediately.
There is a strong possibility that the EHR system in the hospital and the correlated institutions can be used more efficiently and securely with the help of specific procedures that can be introduced. First of all, there are numerous reports in current research that many medical care professionals, including physicians and nurses, admit the general effectiveness of EHR and support it, but they also struggle with its implementation in the work process (De Pietro & Francetic, 2018). The particular problem seems to be “the burden of legal and technical requirements, the lack of detailed procedures for day-to-day operations, and the unclear financial consequences linked to the implementation of such new systems in private practices” (De Pietro & Francetic, 2018, p. 71). These issues may decrease the effectiveness of EHR, and the consequences may be harmful to the hospital’s security system and patients’ personal health information. The Health Informatics Specialist can initiate a survey among medical care professionals working in the hospital to see whether they experience some of the issues described above or similar ones.
Then, if those problems are detected, the hospital and other institutions may consider helping their employees to adjust to the EHR system using various methods. It is essential to determine whether particular issues are caused by the lack of knowledge and experience among the hospital’s workers or specific imperfections of EHR itself. Once the reason for the system’s inefficiency is identified, the hospital can take corresponding measures to address the issues. For instance, medical care professionals working there can attend different courses or lectures aimed to explain how to use EHR efficiently. The hospital can also check whether the system is implemented correctly in the working process to see if there are any technical problems or mistakes. According to De Pietro and Francetic (2018), healthcare providers’ attitude towards e-health principles is generally positive, meaning that medical care professionals are motivated enough to adjust to EHR, provided they receive the necessary guidance. Addressing the points described above can increase the electronic system’s effectiveness and positively influence the performance of the people working in the hospital.
Finally, it is crucial to determine whether the EHR system is implemented entirely in the hospital or whether some particular data sets are still stored in written form. According to De Pietro and Francetic (2018), separating personal information into electronic and paper records can be one reason for the EHR’s inefficiency. Medical care professionals working in the hospital and the correlated institutions may find it challenging to rely on different forms of patients’ health records as it can create confusion in specific cases. Moreover, physicians and nurses may struggle with adapting to the EHR system if they still have to use paper records in their work. The Health Informatics Specialist should identify if written storage of patients’ data is in place and find a way to transfer all paper records to the electronic system if it is possible.
The first step in determining other potential security issues in the hospital would be a risk assessment. Diwan et al. (2018) accentuate the importance of this procedure for the personnel involved in the IT section as it can be used to evaluate various risk aspects and identify potential harm and loss to the medical care organization. In addition, risk assessment is used to analyze the upcoming threats and develop a countermeasure program while also seeking different ways to improve and develop the current IT infrastructure within the hospital (Diwan et al., 2018). The risk assessment procedure can be divided into three steps: threat statement, vulnerability identification, and associated risk determination (Diwan et al., 2018). After going through those steps, the Health Informatics Specialist can create a risk mitigation plan and present it to the supervisor with possible solutions to avoid potential problems with patients’ health data security.
Furthermore, there are potential security issues related to EHR that can put patients’ personal information in danger because using an electronic data-sharing system is associated with several risks that can lead to a breach. Staggers and Nelson (2016) report that security threats are increasing nowadays due to the expansion of healthcare information being stored, the attractiveness of that information to hackers, and other reasons. The Health Informatics Specialist must ensure that all the patient’s data is appropriately protected from internal and external dangers. For example, if the hospital’s technical equipment is damaged or outdated and the servers cannot appropriately manage the EHR system, there is a risk of a security breach. The Health Informatics Specialist should constantly examine the hospital’s technical condition and inform their supervisor in case of potential threats.
Finally, it is vital to ensure that the data-sharing process within the hospital and the correlated institutions is implemented following all federal and local laws and regulations related to health information exchange and personal privacy. Many significant legal acts regulate the data-sharing process within medical care, such as the Health Insurance Portability and Accountability Act (HIPAA), the Substance Abuse and Mental Health Treatment Act (SAMHTA), the Federal Trade Commission Act, and others (McDonald et al., 2020). The Health Informatics Specialist should analyze the process of transferring patients’ personal information between medical institutions and inform their supervisor if any discrepancy with federal or local laws is detected.
References
De Pietro, C., & Francetic, I. (2018). E-health in Switzerland: The laborious adoption of the federal law on electronic health records (EHR) and health information exchange (HIE) networks. Health Policy, 122(2), 69-74. Web.
Diwan, S. A., Ghaleb, M. H., & Abd, M. H. (2018). Risk management framework and evaluation: Detail site study and governance of information security risk management in medical information technology infrastructure in hospitals. Indian Journal of Science and Technology, 11(14), 1-15. Web.
McDonald, A., Francis, L., Crouch, B. I., & Cummins, M. (2020). Legal aspects of information sharing and communication by poison centers in the United States. Clinical Toxicology, 58(7), 669-675. Web.
Staggers, N., & Nelson, R. (2016). Health informatics: An interprofessional approach (2nd ed.). Elsevier Health Sciences.