Patient healthcare records contain sensitive information that patients often want to keep private from their employer, family, and the public. Examples of common types of sensitive health information that individuals have sought to keep private include HIV test results, drug testing results, and pregnancy test results. Historically, laboratories, individual laboratory departments and testing facilities of hospitals were operated locally. Patient information, if stored in a computerized environment, was stored in separate databases so that information was only available to those laboratory personnel/users with access to that particular database. Recently, hospitals, laboratories and healthcare organizations have begun storing patient information in integrated databases, making the information available to a broad user base. The interconnectedness of patient information in these integrated databases increases the risk that sensitive healthcare information may be unnecessarily disclosed unless the information is properly secured with cognizance of the rights of laboratory personnel/users to access such healthcare information. Also, in an environment where multiple laboratories share a single information system, errors are more likely, since a user may inadvertently select an order they are not authorized to access and enter test results for the wrong patient.
Recently, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was enacted. HIPAA requires that covered entities, such as hospitals and clinics, take reasonable steps to limit the use or disclosure of protected health information. The policies and procedures of a covered entity must identify the persons (or classes of persons) within the covered entity who need access to protected health information to carry out their job duties, and the types of information needed for any given legitimate purpose. For example, laboratory technologists may only need access to certain portions of a patient's protected health information to carry out their job duties, and this access is only needed when the technologist is assigned work to be performed on behalf of the particular patient. Conversely, those persons involved in direct patient treatment, such as doctors or nurses, may need access to all of a patient's protected health information.
Currently, healthcare providers order particular procedures to be performed on a patient or on a sample obtained from a patient. These orders are input into the integrated database and assigned to a service location such as a laboratory or examination room. In many organizations, the same healthcare testing procedures may be performed at multiple service locations. A user typically is not assigned to all service locations where the test could be performed (i.e., all laboratories). As such, the user should not need access to all service locations to perform his or her duty. Rather, the user should only be allowed access to those physical service locations relevant to his or her assigned duty, and to the relevant patient health information for those particular service locations.
Accordingly, there is a need for a system and method for restricting access to a patient's healthcare information at healthcare testing locations to prevent any unnecessary disclosure of patient health information.