Five Best Practices For Medical Organizations To Protect Against PHI Breaches
March 22, 2012
Health information technology continues to be acquired and implemented by medical organizations all throughout the United States at historic levels. This significant trend in health IT adoption can be attributed to the myriad of government initiatives and polices currently in place to promote the use of health IT. As accessibility to patient information continues to increase, so does the risk of protected health information breaches.
Protected health information (PHI) , also referred to as personal health information, can include demographic information, test and laboratory results, medical history, insurance information and any other data collected by clinicians to identify an individual or determine appropriate care.
As a result, The HIPAA Security Rule was established to create national standards to protect a patient’s electronic PHI. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Office for Civil Rights (OCR), a department within the U.S. Department of Health and Human Services (HHS), is responsible for enforcing the HIPAA Privacy and Security Rules.
Further, under the HITECH Breach Notification Rule, notification to OCR of breaches involving five hundred or more individuals must occur contemporaneously with notice to affected individuals. According to a HHS report to the U.S. Congress of PHI data breaches since 2009, two hundred and fifty-two incidents occurred that went on to affect more than ten million patients. The breach reports submitted to OCR for the reporting period described the five common causes of incidents in rank order: 1) theft; 2) loss of electronic media or paper records containing PHI; 3) unauthorized access to, use, or disclosure of PHI; 4) human error; and 5) improper disposal.
The largest PHI breach reported to date involved a covered entity that had fifty-seven unencrypted computer hard drives stolen from a leased facility. The hard drives contained PHI of more than one million individuals, including member names, social security numbers, diagnosis codes, dates of birth and health plan identification numbers. The OCR investigation found the entity failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls. Both of these safeguards are required by the HIPAA Security Rule. The lack of compliance resulted in the entity agreeing to pay HHS $1.5 million dollars for violations of HIPAA privacy and security provisions. This was the first enforcement action resulting from the HITECH Breach Notification Rule. Interestingly, the second largest breach occurred not because of a hacked password, but when computer back-up tapes were stolen from the back of a truck.
Security within the healthcare industry is changing and PHI data breaches are a significant issue. At risk are not just a patient’s privacy and personal information, but also the reputation and financial well being of the medical organization. Healthcare Administrators have a clear choice – Either maintain internal staffing levels to effectively mitigate the risk of PHI data breaches or hire an outside health IT vendor that can help develop and manage their security policies and procedures
To help medical organizations and providers effectively plan for, mitigate and protect against PHI data breaches, consider the following five best practices:
1. Perform an enterprise-wide PHI risk assessment. Performing a risk assessment is the most effective way to understand where the threats and vulnerabilities are within the organization with regards to patients and their PHI. In many instances, risk assessments and mitigation plans are being discussed only at the executive level within an organization. The discussions are typically about risk transfer and mitigation, but should also include processes for securing patients PHI in the wake of new emerging threats. Deploying the latest security technology alone will not reduce the risk of PHI breaches, as that’s not where a lot of the vulnerabilities lie. Understanding when, who and how patient information is accessed are critical components that should be included in a comprehensive risk assessment.
2. Develop a PHI security strategy. A sound PHI security strategy involves not only understanding where PHI information resides, but also developing a strategy to protect it. Once this understanding is achieved, it’s essential to communicate it to employees and other associates who are part of the organization. It is highly recommended to have a third party come in to bring a fresh perspective during the assessment stages and to help with developing a strategy. There has been a tendency for internal IT teams to look at security strategy and develop a check-the-box solution. To prevent this situation, it can be very helpful for organizations to consider selecting an outsourced health IT vendor who can be a trusted partner and can provide an organization a fresh and objective view of its PHI security vulnerabilities.
3. Implement PHI processes, technologies and polices. Once the risk assessment is complete and all potential issues are identified, it is important to leverage the tools and technologies in place, making it easy for employees and doctors to secure patient information. Establishing random inspection routines is essential to insure compliance with internal PHI policies and procedures. Fortunately, there is effective techniques for implementing these routines with virtually no disruption to the primary focus of healthcare professionals, which is patient care.
4. Conduct impactful training sessions with employees. When it comes to protecting patient information, it’s about getting employees to understand how to best protect it and what to do if there is a data breach. Training is essential and should include not only administrative employees, but also doctors, nurses and other clinicians throughout the organization. All employees with access to patient information need to have the understanding of how to maintain security protocols when it comes to patient care. Many clinicians tend to look at PHI breaches as simply an IT issue. The HHS report to Congress validates that the risk of PHI breaches is far greater than a failure of technology alone.
5. Have a PHI breach response plan ready. Medical organizations should always be prepared in advance for a PHI breach. Many organizations operate their facilities as if unauthorized disclosure of health information could never happen to them. Organizations that assume this posture often believe that they have effectively addressed all PHI security risks. However, there are thousands of unauthorized disclosures happening on a monthly basis all throughout the U.S. It is of critical importance for medical organizations to take a proactive approach in being prepared for a PHI breach. A reactive posture could be devastating, both on a reputational and economic level. The PHI breach response plan should be a living document within the organization and should include specific procedures along with clearly defined roles and responsibilities in case of a PHI breach.
In conclusion, as medical organizations implement health IT systems that offer greater portability, interoperability, and electronic data exchange capability, the development and execution of data security policies and procedures should be a key priority included in all health IT strategic plans. Medical organizations and physicians that take preventative action by putting controls in place to safeguard sensitive patient information will be ahead of the game. Information security is not just a regulatory matter for providers, it’s the right thing to do for their patients.