ObamaCare has elevated electronic health records (EHRs) to new heights, so as health care providers of all sizes shift to EHRs, there will be an education gap as millions of employees take to computers, perhaps for the first time.
My mom is one of those employees who had to learn how to operate the computer system at her hospital. She called me one afternoon to vent about how she had spent six hours in front of the computer trying to figure out how to work the software.
My parents have had a computer in their house for over a decade, but unlike a lot of us, they worked in industries where computers were not typically used.
So it got me thinking: How do companies deal with hundreds, or perhaps thousands, of workers logging into computers and accessing patients’ personal information, especially when some may have never used a computer?
One of the vital things companies need to do when dealing with an issue like this is to train employees to know what information is important and sensitive, and why there is a need for security, said Manmeet Singh, co-founder and CEO of Dataguise, which specializes in sensitive data discovery and masking.
“They are the ones getting access to the data, so they need to know what they are carrying and accessing,” he added.
Singh believes that it is a company’s responsibility to protect its data from the inside out. That means putting in policies on how employees will use the data as well as refreshers on the Health Insurance Portability and Accountability Act. Companies should also keep detailed records of which employees will have access to certain data, and what they will be doing with it.
Automation is also an important factor on the back end, he said. This is a great thing for those like my mother, who aren’t as experienced in moving around within a software program.
“They need to make it easy for employees, maybe only having to click three or four buttons to do their job without exposing private medical issues or insurance card numbers,” Singh said. “It should be as easy as using an iPad.”
In the past, it was an “all or nothing” approach with regard to what employees had access to, Patty Nghiem, vice president of marketing and business development for Dataguise, said.
“Once you were inside, you had the keys to the kingdom,” she added. “Just because people like Edward Snowden had access to all of that information, did he really need to see it in order to do his job? Probably not.”
She said the same can be said for healthcare employees, who don’t need access to most of a patient’s file to get their job done.
For managed service providers working with clients, Singh and Nghiem suggest that, in addition to providing training, they should act as a user support system. On the other side, individuals need to be more involved in knowing what information their health care provider has, what the provider is doing with it, and how it is being protected.
“Most of the information could be place-holder data,” Nghiem said. “When people are looking at the doctor’s comments, they don’t need to see billing records, Social Security numbers or even home phone numbers.”