In the nearly three years I’ve known him, Providence Health CSO Eric Cowperthwaite has been my go-to guy when it comes to questions about HIPAA compliance.

He’s in a unique position to discuss HIPAA-related pain. Providence Health & Services has the uncomfortable distinction of being the first organization penalized for violating the privacy section of the federal Health Insurance Portability and Accountability Act (HIPAA). The Seattle-based organization, which operates a health plan and several hospitals, hired Cowperthwaite to help it clean up the mess in 2006.

Providence agreed to fork over $100,000 and make good on a systems improvement plan as part of a deal with the U.S. Department of Health & Human Services (HHS) to settle allegations it lost laptops and electronic backup programs with individually identifiable health information in 2005 and 2006.

I caught Cowperthwaite’s attention last week when I wrote about how I was glad three employees at Tucson’s University Medical Center got fired for allegedly peeking at medical records in the shooting rampage that killed six people and left Congresswoman Gabrielle Giffords fighting for life. He agreed with my larger point that the hospital did the right thing. But a side comment I made gave him pause.

I wrote: “There’s plenty of identity and access management technology available to minimize these incidents. But in the end, if a reasonably smart person is burning with curiosity, they will find a way to break through the wall of privacy.”

It’s not that I was flat-out wrong. But that statement left out a very important dimension, Cowperthwaite said. So I got on the phone with him Friday to learn more.

I’m going to write a broader story on that talk at a later date, but for now I want to share this:

For one thing, he said, systems access is tighter in some industries than in others, and in a hospital setting you only need access to records dealing with your patients.
But when a life-and-death situation materializes, something changes. If a patient is on death’s doorstep and you happen to be the doctor on the scene, you have to do what you must to keep the patient alive. If you’re not that patient’s doctor, you technically aren’t allowed access to their records. But in a crisis, the rules aren’t the same as usual. If you’re the doctor on the scene, you have to see that patient’s records. Period.

To handle that, Providence has an “in an emergency, break glass” approach where a warning comes on screen asking, “Do you really need access to this information?” If the doctor says yes, he/she gets it, no hoops involved. “Patient care is number one, so we have to construct the right systems to allow for that to happen,” he said.

Another factor that makes identity and access management tricky in medical institutions is that some of the medical record technology is antiquated, he said. “Quite a few of these systems have been around for 20 years without really being changed and when other technology changes, the version of Windows you’re using, for example, the older tech isn’t necessarily brought up to par,” Cowperthwaite said. “Access tables are essentially all over the place.”

At the end of the day, he said, you would be outraged if a family member died because a doctor couldn’t get access to records. The HIPAA privacy rule can’t get in the way. Like many organizations, Providence took the clinical work flow from paper to electronic, but kept the rules of engagement the same. So far, the right balance between strong security, patient privacy and quality care is being achieved.

“This is a people problem, not a technology problem,” he said. It goes to show that no security program can survive on written rules and technology alone. Sometimes the rules must be broken.
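The “break glass” approach described above is a well-known access-control pattern: the normal rule (you only see records for your own patients) is enforced, but a clinician can override it with a single explicit attestation, and every override is written to an audit trail so a privacy officer can review it afterwards. The following is an added illustration of that pattern, not Providence’s code or any real EHR product; the role names, user IDs, patient IDs and the rule that only clinical roles may break glass are constructed assumptions for the example.

```python
"""Break-glass record access with an append-only audit trail.

Added example (not Providence's system). Models the approach described in
the article: access is normally limited to a clinician's own patients; in an
emergency the user answers "yes" to a warning prompt and is granted access
with no further hoops, but the override is logged for after-the-fact review.
All user IDs, roles and patient IDs below are constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

# Assumption: only clinical roles may invoke the emergency override.
CLINICAL_ROLES = frozenset({"physician", "nurse"})


class Decision(Enum):
    ALLOW = "allow"                          # treating relationship exists
    ALLOW_BREAK_GLASS = "allow_break_glass"  # emergency override, logged for review
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    role: str
    patient_id: str
    break_glass: bool = False  # True when the user answered "yes" to the warning
    reason: str = ""           # optional justification typed at the prompt


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user_id: str
    patient_id: str
    decision: Decision
    reason: str


class RecordAccessPolicy:
    """Decides record access and appends every decision to an audit log."""

    def __init__(self, treating_relationships: dict[str, set[str]]):
        # user_id -> patient IDs that user is currently treating (constructed)
        self._relationships = treating_relationships
        self.audit_log: list[AuditEvent] = []

    def evaluate(self, req: AccessRequest) -> Decision:
        if req.patient_id in self._relationships.get(req.user_id, set()):
            decision = Decision.ALLOW
        elif req.break_glass and req.role in CLINICAL_ROLES:
            # Emergency path: no approval workflow, but the attestation is recorded.
            decision = Decision.ALLOW_BREAK_GLASS
        else:
            decision = Decision.DENY
        self.audit_log.append(AuditEvent(datetime.now(timezone.utc), req.user_id,
                                         req.patient_id, decision, req.reason))
        return decision

    def break_glass_events(self) -> list[AuditEvent]:
        """Every override grant: the review queue for the privacy office."""
        return [e for e in self.audit_log if e.decision is Decision.ALLOW_BREAK_GLASS]

    def frequent_break_glass_users(self, threshold: int) -> dict[str, int]:
        """Users whose override count reaches the threshold (curiosity vs. emergency)."""
        counts = Counter(e.user_id for e in self.break_glass_events())
        return {user: n for user, n in counts.items() if n >= threshold}


def demo() -> dict:
    """Run the policy over constructed requests and return the outcomes."""
    policy = RecordAccessPolicy({"dr_adams": {"pt-1001"},
                                 "nurse_lee": {"pt-1001", "pt-1002"}})
    results = {
        "own_patient": policy.evaluate(AccessRequest("dr_adams", "physician", "pt-1001")),
        "not_my_patient": policy.evaluate(AccessRequest("dr_adams", "physician", "pt-2002")),
        "emergency": policy.evaluate(AccessRequest("dr_adams", "physician", "pt-2002",
                                                   True, "ED code, patient unresponsive")),
        # A non-clinical role cannot break glass under this policy's assumption.
        "billing_break_glass": policy.evaluate(AccessRequest("clerk_ng", "billing",
                                                             "pt-2002", True)),
    }
    # A clinician who overrides repeatedly for unrelated patients shows up in review.
    for pid in ("pt-3001", "pt-3002", "pt-3003"):
        policy.evaluate(AccessRequest("dr_curious", "physician", pid, True))
    results["break_glass_count"] = len(policy.break_glass_events())
    results["frequent"] = policy.frequent_break_glass_users(threshold=3)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the override itself is cheap (one attestation, no approval chain), so it never delays care; the control shifts to the audit side, where `break_glass_events` gives a complete review queue and `frequent_break_glass_users` surfaces the pattern a curiosity-driven user leaves behind that a genuine emergency does not.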
And sometimes the technology doesn’t work.

–Bill Brenner