Note: This is part 2 of “Guarding Gabrielle,” Campus Safety magazine’s three-part exclusive coverage of how Memorial Hermann Healthcare System and the University of Arizona Medical Center effectively managed the care, security, privacy and press coverage of Arizona Congresswoman Gabrielle Giffords while she was being treated at their facilities.
With a patient as high-profile as Arizona Congresswoman Gabrielle Giffords being admitted for treatment, it could have been extremely tempting for some employees to try to circumvent Memorial Hermann’s logical access control technology. Fortunately for Giffords, as well as other Memorial Hermann patients, the healthcare organization has extensive audit capabilities for all of its electronic systems, which help keep it in compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Because of this precaution, as well as the hospital’s policies and employee education efforts, Giffords’ medical records were not breached while she was treated at Memorial Hermann.
“Our employees know that if you touch an electronic record, you will leave a fingerprint, and we will know you were in there,” says Memorial Hermann Privacy Officer Carol Paret. “If you get into an electronic record, you better be in there for a legitimate business purpose. [Employees] know we conduct random audits, and they certainly know we conduct audits on VIP patients.”
These are some of the technologies, policies and procedures the organization has adopted to protect Giffords’ privacy:
- She was registered under an alias (there were some attempts to find her record under her real name).
- All employees were notified that Giffords’ records were being monitored constantly. “Everybody who accessed her alias records or attempted to access her under her name, we knew about and were watching every day,” says Paret. “With those steps, you can catch things very early.”
- All employees receive annual training on HIPAA. If they don’t take the course within the appropriate time frame, they lose access to the systems, which means they can’t do their jobs.
- Memorial Hermann uses only role-based security, meaning it grants access only to individuals who need the system, or a portion of the system, to do their jobs.