Insider snooping into patient records is nothing to take lightly. It often ends in a compliance nightmare – costly and time-consuming – not to mention the patient trust levels that take a serious hit. By making patient privacy an utmost priority, executives at the West Virginia United Health System have tackled this issue head on through a variety of different avenues and have already seen marked success. 

There's no one magic bullet to ensuring patient record snooping doesn't happen, said Mark Combs, assistant chief information officer for the West Virginia United Health System. But by implementing a host of initiatives, comprehensive training and tapping into information technology for audits, Combs and his team have shown it can be done.

Combs, who will be presenting WVU Healthcare's privacy case study at HIMSS15 this April in the session "Stop Insider Snooping and Protect Your Patient Trust," says the six-hospital healthcare system goes far beyond the traditional computer modules that have a privacy component, as "there's no real learning that occurs in that; it's more of just a sign off," he said. Rather, they get to all employees as soon as they come on board with the organization. They have a privacy officer present to all new employees about the importance of patient privacy and what their responsibilities and expectations are.

What's more, the health system sends out monthly security reminders that come from the individual hospital's privacy and security officer. They also have digital media boards with privacy and security reminders; they present to enterprise management and leadership groups within the organization. And even more significant? They're not afraid to audit their employees.

There's an old saying Combs loves to use that describes his philosophy: "What's measured is what matters," he said. "So people know we're measuring and watching their access; it gives them pause when they start to consider to do something like this," he added. And it certainly doesn't hurt that the health system's HR department has been supportive of this all along.

Audits are done at the organization "almost daily," he said, amounting to several millions of accesses audited each year. The access audits from multiple applications enterprise-wide are consolidated, and then, as Combs described, WVU has an application that consolidates those and runs reports, which are analyzed by a special team.

And though their efforts have been successful, this holistic approach to curbing unauthorized access into patient medical records did not happen overnight, Combs explained. 

“It's been many years in the making. We keep striving to improve, and we keep looking at our risk assessments, and we keep looking at our surveys, and we keep looking at our incidences and situations that do occur in the organization that drive us to change,” he said. “And I think that's one of the most important things: it's an iterative process. You can't just set up a program and walk away and expect it to run. It takes people that are dedicated, people that are focused and people who really care about the privacy and security of the patient's information.”

Please visit the HITN@HIMSS15 page for Healthcare IT News ongoing conference coverage.