Breach Should Be a Four-Letter Word

Most every day it seems a new report emerges about an organization that has been compromised. Big names such as Equifax, Neiman Marcus, Target and Home Depot have all made the dreaded announcement of a data breach and even a local Dunkin Donuts franchise in announced that their patron’s information had been inappropriately accessed. The healthcare community is not immune. In 2015, Anthem announced one of the largest breaches on record, impacting 78.8 million individuals. Through mid-November of this year, 274 breaches impacting 500 or more records are under investigation according to the Health and Human Services (HHS) website.

Making sure the definition is clear, breach is defined by Health and Human services as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

Examples of breaches include:

  • leaving inappropriate or excessive information on voicemail without the patient’s permission
  • mailing a financial statement to the wrong address
  • losing a box of medical records or films in route to a storage facility
  • loss of a computer with data that has not been encrypted
  • a hacking incident impacting electronic health information

One of the challenges related to breaches in healthcare is that workers may not be aware of the significance of a data breach. Workers seem to understand that inappropriate sharing of a sensitive diagnosis, such as cancer or HIV, is not allowable and accessing health information for curiosity will lead to discipline. However, a data breach can easily lead to the risk of both medical and financial identity theft. Information included in most health records may be used against the patient if obtained by criminals.

Protection of patient information, especially information stored electronically (ePHI) is imperative. While focusing on protection of health information stored electronically is important, entities must also be diligent in protecting any patient information that is included in any type of hard copy format, such as financial information, copies of hard copy medical records and hard copy radiographs.

When thinking about the protection of patient information don’t forget information shared with business associates. A business associate is a person or entity, other than workforce members of a covered entity, who is provided or allowed access to protected health information (PHI) in order to perform a function or activity for the covered entity. It is critical for covered entities to ensure that PHI is protected in any business associate relationship.  A written agreement, referred to as a Business Associate Agreement, is required. In addition to the form, ask your business associate how they protect any information provided to them. The reality is that if a breach such as the data breach of 2 million patient records reported by a large healthcare organization recently, occurs on the business associate’s watch, the covered entity is ultimately responsible for the communication of the breach.

A key element in a strong HIPAA compliance program is the protection of health information. It must be kept confidential and available, so the integrity of the information is intact.  Consider the following strategies to protect patient information in hard copy and electronic format.

  • Train all workers on the importance of the security of electronic health information.
  • Develop a strong working relationship with a reputable IT individual/business.
  • Establish appropriate safeguards that include antivirus protection and software updates.
  • Allow access to the internet for work purposes only.
  • Only open emails from known sources. Do not click links in email.
  • Personal social media accounts should not be accessed on business computers
  • Use strong passwords and do not share them.
  • Lock or log off computers or electronic devices when they are unattended.
  • Establish physical security for computers, especially mobile devices, and servers.

Are you comfortable that your business is well positioned to prevent a breach of protected health information? About that four-letter word? STOP comes to mind! By implementing the strategies listed above it is possible to STOP many breach events.