6 Rules for Ethical Data Handling in a Health Organization

The following is a guest post by Danny Lieberman. Danny Lieberman, founder of Pathcare, the private social network for doctors and patients, talks about how to develop clinical care teams that will become world-class at patient data-handling.

Patient data loss is a peculiar problem. 

Unlike malware and intrusions, which are caused by “attackers” who are “other people”, data loss happens inside your healthcare provider organization and is perpetrated by your people, your contractors and your business partners who have access to your patients’ data and your systems.

Patient privacy data loss is best mitigated by management leadership, reinforced by real-time data loss monitoring that is part of a continuous process of improving data governance.

Management needs to lead from the front, providing a personal example for how to handle data and behave ethically in the workplace.

Real-time monitoring of data loss events on a healthcare provider network can be performed using DLP (data loss prevention) technologies from companies like Websense, Fidelis Security Systems (recently acquired by General Dynamics) and Verdasys.

While I do not subscribe to vendor rhetoric regarding data loss prevention, experience tells me that data loss detection provides information security and privacy officers with firm examples of what data is actually exiting the network.

The combination of management commitment to ethical behavior with a real-time monitoring facility can create a powerful feedback loop that improves behavior and drives improved data governance.

The practical question is then “How do I go from Point A to Point B?”:

How do I take an organization where HIPAA compliance is the auditors’ responsibility and make it the responsibility of care team leaders and members?

Let’s start with management.

In a follow-on article, we’ll discuss how to best deploy DLP technologies and integrate them with security and privacy leadership.

Just because everyone does it doesn’t make it right

Data leakage is as old as mankind. Think about Jericho and Rahav. People have always bartered or “sold” things of value to one another. This doesn’t make it acceptable on your watch.

Getting it right is why they pay you the big bucks

Managing a care team is complex, especially since your care team is not you. They have their own economic background, religious beliefs, and cultural upbringing. Your team will look to you for both formal and informal cues as to your data handling ethics and then follow that direction intuitively.

If you close an eye to infringements of data handling procedures (like exchanging plain text files with external users over Gmail because the internal email system won’t let you attach files with PHI), then you are sending a subliminal message to the team that it is acceptable to bend the rules.

Patient data breaches are bad for business

Aside from this being an inappropriate security policy, it is also bad for business. If your team doesn’t care about the little stuff like HIPAA physical and administrative safeguards, then maybe they won’t wash their hands as often as they should. Patients (who are also customers) may feel that an organization where patient data leaks like a sieve is an organization that cares less about healthcare, and take their business elsewhere.

Since your clinical care team looks at your data handling as a role model for their expected behavior, setting an ethical standard for data handling is as much your job as it is the individual responsibility of each nurse, resident or surgeon on your team.

The 2 elements of ethical standards for healthcare privacy are shared by manager and team members:

1) healthcare provider standards for patient privacy (nominally at least HIPAA compliance, since a hospital or HMO is a covered entity and must comply) and

2) individual responsibility.

6 rules for ethical data handling in a health organization

  1. Ethical data handling must be verbalized and demonstrated. You must communicate to your healthcare team what you expect and what you consider unacceptable. Set the standard for all to be measured by. Once a quarter, discuss ethics, privacy and data governance at a team meeting.
  2. Develop a detailed set of data/privacy breach use cases in your practice area, and have your teams sign off on them.
  3. Management must use a top-down ethical approach and demonstrate the standards they expect their team(s) to follow. This includes not accepting unauthorized gifts from vendors, or allowing nursing and administrative staff to bend the rules on disclosing patient files to non-family members.
  4. When hiring employees, include a clause on ethics in their job description. (Check with your company lawyer on this.)
  5. Communicate to your care team on a monthly basis what is expected of them with regard to maintaining security and enforcing privacy.
  6. Don’t always assume that a team member is unethical just because a patient complains.

About the author

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Whatever you call it, the practice should have a crystal clear set of policies that detail how PHI is to be handled.

    An ethical clause, though perfectly appropriate, does not satisfy any HIPAA requirement.

    Yes, as mentioned above, these policies also apply to you, doctor… lead by example.

  • In my work, I coach Physicians to achieve Meaningful Use of their Certified EHR technology. In my personal life my interaction with Physicians is as a patient. In my work, when Physicians complain that the “new” EMR technology comes between them and their patients, as expressed in the article “A Child’s View of EMR” I bite my tongue. That’s because, I have yet to experience a relationship in which a Physician engages me in my own care.
    I’m releasing my tongue from the grip of my teeth. I do not believe that the medical record (paper-based or electronic) disrupts the relationship between Physician and Patient. It is the Physician’s social skills (i.e. bedside manner) and attitude toward patients in general and patients from subgroups specifically that disrupts those relationships. While I try to keep an open mind, I have observed that Physicians present bias against patients by certain conditions, gender and race within minutes of the patient’s first visit.
    When patients describe their complaints, Physicians cut off their comments mid-discussion. While there may be some eye-contact between patients and Physicians using paper-based medical records, Physicians don’t listen to their patients. Instead, Physicians believe they know what’s going on just by looking at a patient. To a point that may be true, but Physicians rarely acknowledge the non-medical judgments they make, which often become the basis of a patient’s paper-based medical record. For example, an overweight or obese patient merely needs to eat less and exercise more, there is no reason to consider the endocrine system… even if the patient clearly describes (or tried to describe) symptoms of Cushing’s syndrome, hypothyroidism or PCOS. A female patient is a hypochondriac, even if she describes (or tried to) a family history of cancer, heart disease or diabetes, which tests would show she has inherited. African-American patients aren’t in pain; they are drug seekers, despite having undiagnosed fibromyalgia, lupus or ankylosing spondylitis.
    My first adult-care Physician infamously cut me off to state “you are too young to be having all these aches and pains.” He ordered no tests, nor referred me to any specialist. One year later, dramatic weight gain was among three new symptoms. Again, the doctor was not concerned and told me these new symptoms were unrelated and a part of a cycle that was totally up to me to continue or resolve. I always wondered: if that Physician had taken me seriously and engaged me in my own care, rather than dismissing my complaints or blaming me for my poor health, could I have prevented an array of new symptoms, resolved the core condition afflicting me and lived a higher quality of life these past 25 years?
    I believe that paper-based medical records, NOT EMRs, are the dream of lawyers. Let’s consider my first adult-care Physician, again. If my condition, untreated, was fatal and I died, my surviving family would have wondered, why I didn’t know about my condition and followed the lifesaving treatment plan. They would have gotten a lawyer, who in turn would have gotten a court order for my entire medical record, from all Physicians whose care I sought. And what would have been noted in the paper-based medical record? Would those paper-based medical records serve well as evidence for a wrongful death lawsuit?

    When I speak with Physicians who claim that EMRs stand between them and their patients, I tell them my story and ask them to examine the attitudes about patients that they may be unconsciously expressing during office visits. Perhaps they didn’t perceive paper-based medical records as standing in the way, because the medically relevant notes were few and far between, requiring less attention. If Physicians have always engaged patients in their care, even when using paper-based medical records, they will continue to engage patients in their care when using EMRs.
    Now that the CMS is pushing Physicians to use EMRs in a “Meaningful” way, I suggest developing EMR workflows that 1) support patient engagement. It’s the patient’s medical record, so why turn your back on the patient when updating their progress note on paper or electronically? Laptops and tablets make it easier to maintain face-to-face contact with a patient while having the electronic progress note readily available to you both. 2) Meet CMS Meaningful Use. The CMS Meaningful Use rules were established so that the focus is NOT on the technology. If your focus is on the Technology, then have a candid conversation with your vendor about developing the EMR so that you can maintain your patient-centered approach to care. Additionally, until Physicians have had a chance to fully consider the most Meaningful Use of Certified EHR Technology for them and their patients, the CMS criteria serve as a good (not perfect) blueprint. Which brings me to 3) drive EMR use that is Meaningful to you and your unique patients, going beyond the stereotypes of conditions, gender and race.

  • G Foster,
    Thanks for sharing your views. Quite interesting to consider the question of whether physicians are really engaged in care (EMR or not). That’s a hard question to answer and likely is all over the board depending on the doctor.

    Although, I think we have to be careful in a number of ways. For example, if we assume physicians haven’t been as engaged as they should be, that doesn’t mean that EHR can’t still make it worse (or better depending on your view).

    The biggest challenge I see is that the reimbursement model incentivizes many of these behaviors. That’s a tough challenge to solve.
