5 Key Steps to Preventing Patient Data Breaches
The following article is written by Eric J. Stenson, director of enterprise applications for Surgical Notes. The views expressed are those of the author and are not endorsed by Surgical Notes.
Stanford University Hospital recently suffered a major breach of patient confidentiality when patient information was posted on the internet. The event unfolded on Aug. 22, when a billing contractor posted HIPAA-protected information on more than 20,000 patients to a website support forum. This unfortunate event created significant legal, regulatory and financial exposure, as well as considerable reputational harm to the institution.
The seriousness and alarming frequency of unlawful data releases affect every healthcare provider in the United States. According to the U.S. Department of Health and Human Services, 5.4 million individuals were affected by data breaches in 2010. Here are five steps your ambulatory surgery center can take to reduce similar exposure when dealing with PHI and third-party vendors.
1. Security is fundamentally non-technical — As the Stanford incident illustrates, the breach was not caused by a rogue hacker or a malicious attempt to steal patient data; an authorized contractor disclosed the data. All too often healthcare information security policy focuses on the technical aspects of security: firewalls, data encryption, authentication controls and other IT-driven measures. While technical measures are important, a security program centered on the technical security of data and the prevention of unauthorized intrusion will ignore the largest area of exposure: authorized users.
2. Red flag: "That's illegal under HIPAA" — Hallway conversations about information security often include the phrase "that's illegal under HIPAA." This is a red flag that your organization is missing key policies and procedures. Although it is true that 45 CFR Part 164 enumerates permitted uses and disclosures of PHI, most technical and implementation aspects of the Privacy and Security Rules are left open for the healthcare provider to implement on a risk- and resource-based basis. For example, HIPAA does not have a password complexity requirement; instead, 45 CFR §164.308(a)(5)(ii)(D) states that the covered entity must "implement procedures for creating, changing, and safeguarding passwords." The specific rules (length, rotation, lockout) are the provider's to define and document.
3. Create a privacy-aware organization — For an ASC to function, the business office must communicate with third parties and access vast amounts of PHI. In a perfect office each employee would access only one patient chart at a time and no patient data would be left unsecured and in the open, but the realities of healthcare operations are much different. The continuous flow of PHI through the business office and the considerable pressure to operate efficiently under high caseloads often result in a culture that does not actively consider privacy concerns. Business office managers and facility administrators need to actively communicate reminders about maintaining PHI in a safe and secure manner. Regular training meetings and staff reviews on the handling of PHI should be conducted, and leadership should make safeguarding PHI an organizational priority.
4. A reminder a day keeps the government away — Employees need constant reminders about their obligation to safeguard PHI. In addition, every employee should feel ownership, responsibility and a sense of urgency in maintaining patient confidentiality. Post a placard at every computer workstation and telephone handset that reads the following: "Every day I come in contact with sensitive, confidential, private medical information. It's my responsibility to keep it safe and secure and to exercise sound judgment when handling patient information." Similar to a seatbelt chime in an automobile that reminds its passengers to fasten seatbelts, a posted reminder will promote patient confidentiality.
5. Contract with reputable vendors — It is often enticing to create organizational savings by reducing transcription costs by a few cents per line or outsourcing coding overseas to save a dollar or more per report. Although these numbers reduce the facility's operating expenses, they bring significant exposure and financial risk, because every vendor that handles PHI is a potential source of a breach like the one at Stanford. Working with well-established vendors that have significant United States-based operations will significantly reduce the likelihood of your exposure to data breaches.
© Copyright ASC COMMUNICATIONS 2012.