PRIVACY & PATIENT SAFETY

Disclosure slide

• Nothing to disclose

https://www.linkedin.com/pub/dr-arjen-noordzij/17/486/791

dokter_no

Spaarne Hospital

11/6/2014 © 2012–2014 Healthcare Information and Management Systems Society (HIMSS)

EMR in Spaarne Hospital

• Since 2008: Epic

– Introduction in 2 phases

– Enterprise

– Integration: 1 patient, 1 record

• Medical

• Financial

– Complete order management

– Closed medication loop

Dutch data protection act

• Access to (electronic) patient data is strictly restricted to the employees directly involved in the execution of the treatment contract of a patient.

• Influence on patient safety?

Dutch data protection act

• Risks

– Type of data

– Processing

• Appropriate security level

• Technical & organizational

– Technical possibilities

– Costs

• Prevention

Examples

• All users: SamePassword_1

• Secretary logs in for a physician

• Epic demo / training in production environment

Facebook incident

• Patient dies during admission

• Nurse marks wrong patient as deceased

– Epic sends message to GP

• Nurse rectifies <1 minute

– Epic sends update to GP

• GP Assistant reads 1st message … not the update

• Posts it on Facebook

Organizational measures

• Information

– Code of conduct

– 10 golden rules

– Cases on intranet

– Broad privacy meetings

• Privacy functionary

• Privacy as distinct category in secure reporting of incidents registry

• Immediate dismissal of 2 nurses

Technical measures

• Password policy

• Single sign-on

• Epic

– Audit trail

– (smart logging)

– Breaking-the-glass

Privacy Protection Commission

According to those signals access to electronic patient data is not strictly restricted to the employees directly involved in the execution of the treatment contract of a patient.

Balance between behavioural and technical measures

Process

• outpatient & inpatient

• Scoring system

– Satisfies PPC requirements

– Impairs patient safety

– Impairs daily practice (efficiency)

– Additional personnel necessary

– Technically feasible

Proposal (1)

• Access defined on speciality level

• Outpatient personnel: access to known patients

• Inpatient personnel

– Access around admission

– Patients admitted for own speciality (or consultation)

– ICU personnel: access to all clinical patients

• ‘unlimited’ access: ICU, OR & ED patients

Proposal (2)

• Breaking-the-glass

– Very effective

– Fear to ‘break the glass’

• Smart queries on breaking-the-glass files

• Manual check
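
The access rules of Proposal (1) and the break-the-glass review of Proposal (2), sketched as an added example that is not part of the original slides or of Epic. Assumptions: the role names, the unit labels, a 14-day window for "around admission", "clinical patients" read as currently admitted patients, and the review criteria (missing reason, more than two events per user) are all hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

WINDOW = timedelta(days=14)        # assumed meaning of "around admission"
OPEN_UNITS = {"ICU", "OR", "ED"}   # patients located here: 'unlimited' access

@dataclass
class Patient:
    known_to: set = field(default_factory=set)  # specialties already treating the patient
    unit: str = ""                              # current location, "" when not admitted
    admit_specialty: str = ""
    consults: set = field(default_factory=set)  # specialties asked for consultation
    admitted: date = None
    discharged: date = None

def decide(role, specialty, p, today):
    """Return 'allow', or 'break_glass' when access needs a logged reason."""
    if p.unit in OPEN_UNITS:
        return "allow"
    if role == "icu" and p.unit:                # ICU staff: every admitted patient
        return "allow"
    if role == "outpatient" and specialty in p.known_to:
        return "allow"
    if role == "inpatient" and p.admitted and (
            specialty == p.admit_specialty or specialty in p.consults):
        end = (p.discharged or today) + WINDOW
        if p.admitted - WINDOW <= today <= end:
            return "allow"
    return "break_glass"                        # never a hard deny: safety first

def review_queue(events, max_per_user=2):
    """Query over break-the-glass events (user, patient_id, reason).
    Returns the users whose events go to the manual check."""
    counts = Counter(user for user, _, _ in events)
    flagged = {u for u, _, reason in events if not reason.strip()}
    flagged |= {u for u, n in counts.items() if n > max_per_user}
    return sorted(flagged)
```

Returning `break_glass` instead of a denial keeps the record reachable in an emergency while moving the control to the audit side, which is where the query and manual check apply.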

Does privacy impair safety?

• Potentially: yes

• With proposed measures: most probably not

• It does impair efficiency (breaking-the-glass)

• Balance between desirability and feasibility

• Opinion PPC versus legislation