Ensuring the privacy of our patients is crucial. That’s why Penn Medicine is taking new steps to strengthen protection of patient health data.
“With so much data involved in patient care and research today, even good intentions can result in privacy breaches,” said Lauren Steinfeld, chief privacy officer. “We are employing new and strong technology solutions to ensure that this confidential information remains safe in all domains.”
Accessing patient records for reasons unrelated to your job is a violation of the Health Information Portability and Accountability Act (HIPAA) and Penn Medicine’s privacy policies. In other words, staff should only access patient information necessary to properly do their jobs. To better identify any inappropriate access of patient data, Penn Medicine has added sophisticated new monitoring software and dedicated investigators.
The new software will use patient data, human resources data, and artificial intelligence to detect suspicious activity or unusual patterns in the health system’s electronic health records. For example, if an employee who generally accesses demographic information of elderly patients for his job unexpectedly accesses the medication list of a minor patient, an alert will be sent to the Privacy Office and trigger an investigation. Staff found to inappropriately access a patient record or other data may be disciplined up to and including termination. Indeed, there have been several recent employment terminations based on privacy violations detected by this software.
In addition to the new monitoring software, Penn Medicine has brought onboard a new security tool that will ensure that patient data is always stored – and transmitted – securely. This “data loss prevention” tool will send alerts and soon, block Penn users who share protected health information on portable devices that are not encrypted, or who try to send large and/or sensitive patient data sets by email. “The primary goal of this tool is to help safeguard Penn Medicine’s most sensitive data without disrupting business operations in the process,” said Dan Costantino, chief Information Security officer.
If you need to store or send patient data through non-Penn managed or approved devices or methods, please contact Information Security for secure alternatives, or go to http://uphsxnet.uphs.upenn.edu/is/security/faqs2.html.