Two reports of how Kaiser Permanente approaches security left this blogger scratching her head last week, as the reports seemed to contradict each other. And because the VA Watchdog had the same questions I had, I decided to follow up.
On February 28, and as reported by Health Data Management, Eric Liederman, M.D, director of medical informatics at Kaiser Permanente’s Northern California division, described the security approach this way during the Physicians Symposium at the HIMSS 2010 Conference & Exhibition in Atlanta:
… The common approach is to restrict access to patient data by assigning roles to users and allowing role-based access. But this can hamper appropriate exchange of health information and raises the risk of patient harm, particularly in the case of sick patients quickly getting sicker, Liederman said.
Kaiser took another route by making all accountable by giving everyone access to everything. But … record all views, investigate all complaints, use surveillance to find “silent offenders,” sanction the guilty and publicize the sanctions. “You don’t have to publicize the names but put out the word that coworkers–real people–no longer work here because they violated privacy,” Liederman explained.
The accountability approach deters temptation-driven mistakes and keeps good employees on the job, removes barriers to people doing their jobs, and avoids proliferation of security profiles and roles, he added. This reduces confusion while increasing consistency, and protects key privacy targets–physicians, co-workers, neighbors and celebrities/VIPs.
And the way to maintain law and order in an open environment is to police, police, and police with information technology surveillance tools.
Yet as Alice Lipowicz of Federal Computer Week reported on March 5, Dr. John Mattison, chief medical information officer for Kaiser Permanente Southern California, told her that Kaiser uses role-based access privileges like most other health systems, and that Kaiser has been performing algorithmic surveillance of its systems to detect anomalies that could indicate unauthorized access.
“We do not allow everyone to see everything,” Mattison said today. “We allow access based on roles — which include receptionist, medical assistant, quality assurance officer, coding or billing officers. We have security profiles, and you can only see what is allowed for that role.”
Typically, health systems have about 40 to 2,000 different user profiles and corresponding levels of access in their systems, Mattison said. Kaiser’s number of roles “is in the middle of that range.”
“We are using the same restrictions as the rest of the industry, and we are pretty much in the middle of the industry for integrated organizations,” Mattison said. Also, Kaiser is forging ahead in deploying its surveillance software to better detect anomalies, he added.
As for suggestions that Kaiser’s security is more “daring” than other health plans, Mattison disagreed with that assessment. “There are some false assumptions underlying that premise,” Mattison said.
I asked Kaiser to comment on what seemed to be a contradiction in the way the approach to security was described. John Nelson, spokesperson for Kaiser, responded:
The comments made by Drs. Mattison and Liederman are both accurate, depending on the area of patient health information being accessed. Given the comprehensiveness of our electronic medical record, we employ role-based access controls in all areas where it makes sense to do so. For caregivers involved in direct patient care, we ensure that they have sufficient access to information relevant to their work, enabling them to provide the highest quality of care. For others who are not involved in direct patient care, their access is much more restricted according to what information they need to perform their jobs. This combined approach enables us to protect patient privacy and deliver the best care possible through electronic health records.
According to Nelson, when Dr. Liederman said that Kaiser gave “everyone access to everything,” he was not really talking about everyone — only those involved in direct patient care.
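To make the combined approach Nelson describes concrete, here is an added illustration (not Kaiser's code, and not from either article) of how the two models fit together: non-clinical roles are limited to fixed record sections, clinical roles can open any chart but every view is written to an audit trail, and a surveillance pass over that trail flags the "silent offenders" Liederman refers to. The role names, patient identifiers and treatment assignments are constructed for the example.

```python
# Roles involved in direct patient care get broad chart access (always audited);
# every other role is limited to the record sections listed for it.
CLINICAL_ROLES = {"physician", "nurse"}
ROLE_SECTIONS = {
    "receptionist": {"demographics"},
    "billing": {"demographics", "billing"},
}

# Constructed sample data: which patients each clinician is currently treating,
# and which charts are privacy targets (co-workers, VIPs) that warrant scrutiny.
TREATING = {"dr_a": {"p1", "p2"}, "nurse_b": {"p1"}}
SENSITIVE_PATIENTS = {"p9"}


def authorize(user, role, patient, section, audit_log):
    """Hybrid policy: clinicians may view any chart, but the view is recorded;
    non-clinical roles are restricted to the sections allowed for their role."""
    if role in CLINICAL_ROLES:
        audit_log.append((user, role, patient, section))
        return True
    allowed = section in ROLE_SECTIONS.get(role, set())
    if allowed:
        audit_log.append((user, role, patient, section))
    return allowed


def find_silent_offenders(audit_log):
    """Surveillance pass over the audit trail: flag clinical views of charts
    with no treatment relationship, and any view of a sensitive chart."""
    findings = []
    for user, role, patient, section in audit_log:
        if role in CLINICAL_ROLES and patient not in TREATING.get(user, set()):
            findings.append((user, patient, "no treatment relationship"))
        if patient in SENSITIVE_PATIENTS:
            findings.append((user, patient, "sensitive chart accessed"))
    return findings


def run_demo():
    """Exercise both halves of the policy and return decisions plus findings."""
    log = []
    decisions = {
        "clinician_own_patient": authorize("dr_a", "physician", "p1", "notes", log),
        "clinician_other_patient": authorize("dr_a", "physician", "p9", "notes", log),
        "receptionist_demographics": authorize("recep_c", "receptionist", "p1", "demographics", log),
        "receptionist_notes": authorize("recep_c", "receptionist", "p1", "notes", log),
    }
    return decisions, find_silent_offenders(log)


if __name__ == "__main__":
    print(run_demo())
```

Note that the clinician's view of p9 is allowed at access time, exactly as in the "everyone in direct care sees everything" model; it is the after-the-fact review of the audit log that surfaces it.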