Developing an Information Security Policy

Every health care organization -- regardless of its level of computerization -- needs to have a comprehensive information security policy. A policy defines an organization's commitment to confidentiality for its patients, members of the community and its employees. It provides a blueprint for defining standards and procedures, and it establishes a standard of care with respect to the handling of its confidential informational resources. In this second of three articles dealing with computers and confidentiality, I will discuss some issues to consider when developing an information security policy in a physician office practice.

To begin this process, an organization's executive leadership should appoint a confidentiality committee and charge it with the task of developing a comprehensive information security policy. While practices differ in their organizational structures, I would suggest that the following areas be represented on such a committee: physicians, nurses, a practice manager and office personnel.

As the drafters begin their task, they should first define what information is confidential and who will have access to these informational resources. This includes patients' medical records, as well as information pertaining to employees, finance and physicians. Besides covering access to and disclosure of general health care information, how will you restrict access to the records of abused and neglected children? Moreover, under what conditions will restricted records be released to others?

Second, a policy should address access administration. Who will define directories or menus? Who will create and delete unique logon IDs? And who will assist users when they forget their passwords or need help signing on and accessing applications? The key issue in access administration is to ensure that each user has access on a need-to-know basis, i.e., only the access necessary to perform his or her responsibilities.

Third, a comprehensive policy should address educational awareness. Specifically, will you orient new employees to the importance of confidentiality? Will you hold annual in-service programs on the importance of confidentiality? And who will conduct these programs? No policy should gather dust. To be effective, it must be communicated to and understood by physicians and staff.

Fourth, a policy should cover sanctions. Staff need to know that there is a price to pay for breaching patient confidentiality. While sanctions should correspond to your personnel policies, employees need to understand that their employment may be terminated for breaching confidentiality.

Fifth, every policy should have specific policy protocols on the following:

Each of these areas presents organizations with risks and potential liabilities. Therefore, it is advisable to define and communicate to staff your organization's protocols for using these technologies.

Sixth, a policy should cover safeguarding confidential documents. How will you safeguard confidential documents? Specifically, how will you safeguard documents from cleaning crews who provide housekeeping services in the evening? How will you store documents? And how will you dispose of confidential documents? Regarding the latter, if you contract with a recycling company, will you require a confidentiality clause in your contract?

Finally, who will administer the policy and program? In physician office practices, the Office or Practice Manager may be the ideal person to assume these responsibilities. Basically, this person would be responsible for enforcing the policy, orienting new staff and conducting annual awareness programs.

When the Confidentiality Committee is satisfied that it has written a good first draft, it should circulate the draft and solicit revision suggestions from other members of the practice. Once these suggestions are incorporated into a revised policy, the policy should be reviewed again. Provided there are no further revisions, it should be submitted to the President or Chief Executive Officer of the practice for his or her signature. When it is signed, it should be communicated to employees and guest users. At this time it might be appropriate to have all employees sign new confidentiality agreements.

Having a strong information security policy and program accomplishes two important goals: 1) it protects the confidentiality rights of patients; and 2) it reduces your organizational risks and potential liabilities. Moreover, it enables a practice to maintain the public trust at a time when the public has serious concerns about the privacy of their medical information.
http://www.confmatters.com
David Sobel, Ph.D., P.O. Box 492, Richmond, VT 05477, 802/434-2735, 800/684-9930