RSSAll Entries in the "Security" Category

It’s okay to smile for the camera

I was asked by a grad student last week about hospitals establishing photography policies in light of HIPAA concerns.
There’s a balancing act between maintaining an open care environment (people generally like to take pictures of newborns and other happy events) and the privacy of other patients in the hospital.
That said, fortunately, the types of allowable photo opportunities inside a hospital are pretty limited to those happy moments and so can be isolated to a fair degree. In so doing, it becomes fairly simple to identify those photographic pursuits that would be prohibited.
In the case of photography without permission, it’s more a case of regular privacy and, for all intents and purposes, customer relations as opposed to a HIPAA issue. HIPAA, at its fundamental core focuses on “protected health information,” or PHI.
In the first years of HIPAA, there was a lot of angst about what this meant –for instance, some hospitals went to the extreme of not providing any information about patients over the phone, even to verify the patient was actually a patient!
Lately, things have reached more of an even keel as the definition of PHI becomes clearer. Basically PHI involves any information that specifically identifies the patient and his or her diagnosis. If you don’t have both elements in place, then you don’t have PHI, and if there is no unauthorized release of that combo, there’s no HIPAA violation.
June 25, 2008 | Steve MacArthur | Comments 0
Read More

No specific requirements for security measures for generators

I saw a question on HCPro’s Patient Safety Talk listserv last week asking about whether The Joint Commission requires fencing around exterior generators.
There is no specific requirement in the EC standards regarding the means by which you would secure your generator and any associated equipment, pipes, etc. That said, there are a number of ways that you could be cited if a surveyor believes your security measures for the generator are inadequate, including provisions under:
  • The emergency power Sentinel Event Alert
  • The maintenance and care of the generators as a function of your utility systems management program
  • Safety and/or security risk assessments
My recommendation would be to conduct a security risk assessment, identify any applicable vulnerabilities to things like vandalism, and then carry out strategies for appropriately managing the identified risks.
It may be that your organization decides some strategies make good sense from an operational reliability standpoint and some may not. So long as you document the decision process (with a dash of ongoing monitoring to ensure the chosen strategies are indeed effective), then you should be in good stead during survey.
May 05, 2008 | Steve MacArthur | Comments 0
Read More

Joint Commission queries about lockdowns

I caught wind of some recent Joint Commission survey notes, including what came up during an emergency management tracer.
In discussing the organization’s preparations for the six critical areas, the surveyor asked if the organization had ever conducted a lockdown drill. Then, upon an affirmative response from the hospital, the surveyor asked about the results of the most recent lockdown drill.
(By the way, in this era of ever-increasing demands for escalating drill scenarios, lockdowns are a nifty way to change the dynamic of even the most basic exercises. And if you’re feeling really lucky, try including the lockdown with minimal warning to staff at large–and don’t forget to take pictures!)
Then the surveyor asked a kind of interesting question in follow-up: Where does the organization get the manpower to implement lockdown procedures?
I’m not quite sure what prompted the question specifically, but sometimes the ways of the surveyor are many and varied. This issue actually dribbles over a bit into EC.4.16, which requires you to manage staff roles and responsibilities during responsibilities.
Now, for some organizations, staffing a lockdown might be the most simple of tasks, but I’d wager that, depending on the type of event, you might not want to “waste” your designated security resources to implement the lockdown.
In which case, you need a reliable and well-stocked resource pantry, a.k.a. the manpower pool. And also ideally a plan. A poorly handled lockdown, even during a drill, can be a customer service nightmare. “What do you mean I can’t come in to see my sick mother?”
Something to think about . . .
April 16, 2008 | Steve MacArthur | Comments 0
Read More

Distant early warning

How long will you have to mobilize on the first day of your Joint Commission (formerly JCAHO) survey? Presuming that your organization has someone monitoring your Joint Commission extranet site on a regular basis, then how early are they looking? How long will it take for the word to reach you, whoever you might be?

This is a point where one of those nasty little cliches comes into its own: You only have one chance to make a good first impression, and the sooner you can “get to it,” the better.

Try to take advantage of some pro-activity as well because setting the stage is key. For example, make sure that there’s a process for neatening up those high-profile public restrooms early in the day. Even surveyors have to take a break, and you don’t want them to walk into the proverbial pigsty.

Also, ask your security staff on the overnight shifts to keep an eye out for law enforcement officers with a patient in tow. Make sure that the officers at least receive some sort of briefing as to the ways and means of your organization. A number of folks have had success with cobbling together a little brochure to hand out to forensic staff (and contractors, too) to provide them with a broad-stroke overview of your processes.

For some reason, surveyors seem to be attracted to forensic/law enforcement officers, so ensure the experience is a positive one for all involved. You and your HR department (that Joint Commission EP lives in HR standards) will be glad you did.

March 12, 2008 | Steve MacArthur | Comments 0
Read More

Pharmacy locking: Stand-alone system or part of the bigger picture?

There was a question on our Safety Talk discussion group today about whether there is a regulation that mandates a pharmacy must have a stand-alone locking system, or whether it can be part of a bigger system.

I’ve seen some different configurations of systems, and the question also brought to mind a condition I found recently during a consulting engagement. And it also brings to mind that most favorite of subjects, the risk assessment.

In the hospital where I grew up, the folks in the pharmacy were always very insular when it came to their security systems. Every aspect was managed by them, through them, etc., with absolutely no interface whatsoever with the organization at large.

I admit that at first I was a little tweaked by that, but over time I came to realize that pharmacy is an enormous undertaking and the fewer fingers in that pie, the better the likely outcome. During today’s discussion on Safety Talk, some folks cited state-level requirements, which should definitely be the starting point for this stuff. But what about those instances in which the state-level guidance is non-existent or just plain not helpful?

Why then you’d do a risk assessment, which kind of leads me back to the initial question of whether the pharmacy’s access system should be stand-alone.

Ultimately, I think the decision point is a determination of how impregnable your general access system would be and if there is a chance that someone could violate the pharmacy through the general system. You need to determine your comfort level with how “remote” that chance might be. If that chance exists to a degree, then you need to make sure that there is sufficient “separation” to ensure appropriate security levels.

To take the example in a slightly different direction, recently I visited a hospital in which the “brains” of their infant security system were in a cabinet (albeit a locked one) in a soiled utility room. There were no other defenses other than the locked cabinet–the utility room was unlocked, there were no cameras or other monitoring devices, etc.

Now, we can absolutely stipulate that there is no specific Joint Commission requirement for this one. But the question sort of becomes: Is this really the way we want to set this up?

I know that sometimes you need to go with what your infrastructure can support, but at other times you just have to say, “We’ve got to find a better way of doing this.”

So the question you have to ask yourself–besides, “Do you feel lucky, punk?”–amounts to whether this is the best we can do (whatever “this” might happen to be). And, you know the answer you’d be looking for…

March 06, 2008 | Steve MacArthur | Comments 0
Read More

Thumbs tacks, bulletin boards, and risk

I was corresponding with a plant operations manager recently about using thumb tacks on bulletin boards in patient care corridors.

Because there are no standards-based requirements for bulletin boards, you can pretty much do whatever you feel is a safe practice–which, of course, invokes the mighty risk assessment.

There are one or two concerns you might want to consider along the way:

  • The likelihood that a person could use thumb tacks as weapons
  • The possibility that someone could ingest the thumb tacks

Don’t just think of this in terms of suicidal patients–you might want to extend consideration beyond that patient population and include visitors. And how about pediatric patients? They might be an “at risk” population for mischief.

The other possible issue relates more to the amount of postings on the bulletin boards. Some surveyors have been known to pick on generously configured bulletin boards for increasing the combustible load. In fact, I’ve witnessed George Mills of The Joint Commission (formerly JCAHO) push the issue a little bit during a survey.

You may end up deciding that the best way to manage the whole thing is to have enclosed bulletin boards with some sort of security hardware. That way the tacks are out of harm’s way and the combustible load aspect becomes a non-issue.

December 26, 2007 | Steve MacArthur | Comments 0
Read More

Elevator problems cause a scare at a Seattle hospital

Hi everyone -

It’s Scott Wallask checking in here at the Hospital Safety Center.

Those of you who use ISIS model elevators manufactured by ThyssenKrupp should read this story about a hospital that had an elevator failure in Seattle. Luckily, the elevator’s safety brakes worked and no one was injured.

ISIS models use Kevlar ropes that don’t require a machine room. In a letter available at the link above, ThyssenKrupp has outlined a series of actions it will take across the country in response to the hospital mishap.

October 25, 2007 | Scott Wallask | Comments 0
Read More

ID badge content is mostly up to you

I was asked about whether there are any national standards that specify the contents of employee ID badges, and there are none that I know of.

Certainly The Joint Commission requires each organization to identify (as appropriate) “patients, staff, and other people entering the hospital’s facilities” (EC.2.10, EP #5), which, of course, leaves each organization the determination of “as appropriate.”

That said, you probably want to check your state public health regulations–frequently there are specific pieces of information that they require you to have available to patients via the ID badge (various name components, licensure, etc.). Also, as an added incentive, since the state folks are the ones usually tasked with CMS validation activities, it’s probably a good idea to make sure that you’re on their page.

September 28, 2007 | Steve MacArthur | Comments 0
Read More

Security video concerns and Spam

As an aside, I saw a documentary not that long ago about security advances in facial and body recognition technology. John Cleese of Monty Python fame was prominently featured.

Regular video footage, though useful, can be defeated via disguise, which is my point with this Cleesian digression. Just remember this little cautionary tale if your security department uses video to monitor suspicious people.

Even though you can’t depend on pictures as an absolute identifier (more on identification technology in the future, with a special guest), it is worth checking the video images during your drills to make sure that you’re getting the quality (angles, clarity, etc.) that will keep you out of hot water when your boss wants to “go to the videotape.”

September 17, 2007 | Steve MacArthur | Comments 0
Read More

Looking at security’s rules of engagement

There’s been a fair amount of media coverage relative to workplace violence in general and healthcare in particular. As safety professionals, we clearly have an obligation to enact whatever prudent measures are necessary to appropriately manage the risks associated with potential for violence in our workplaces.

Since we’ve already talked a bit about risk assessments in general (and by the way, there’s a pretty good assessment form regarding violence and aggression available here), I want to talk a little bit about one of the interventions that seems to be gaining a bit of popularity-the use of armed security officers.

Somehow in the midst of all my work-related activities, I managed to miss the event in Houston in April in which a father was Tasered by a hospital security officer while holding a newborn (use this link to check out the latest on the story, including video footage of the discharge of the Taser).

Even before I saw the footage, I have to admit that I was rather horrified at the description of the event. From a risk management and general liability standpoint, I’m just not keen on aggressively pursuing someone holding an infant (though it appears there was some indication that the father in this case was attempting to leave with the infant in some sort of custody dispute).

I’m seeing the use of armed security officers in hospitals much more frequently, and I am always curious about how well-defined the rules of engagement might be, whether they include the use of lethal force, what education has been provided, how are competencies assessed, etc.

Now you might want to call me a yellow-bellied, Massachusetts liberal type, but I’m really curious about how folks feel about this particular event. Clearly, there are opinions to be had by a great many people, some of whom will probably be involved in the pending lawsuit, but purely as a function of process, what’s up here?

If you were to use this case as a training example, how would you characterize this officer’s actions as a learning experience? Are their improvement opportunities to be had and, if so, what are they? I can’t help but think that The Joint Commission might have similar questions to ask the folks at the Houston hospital in question. If you were in a surveyor’s shoes, what would you say?

September 05, 2007 | Steve MacArthur | Comments 0
Read More
Page 4 of 4«1234