How to Avoid Data Breaches in Your Practice
Did you know that the three most common ways that a data breach occurs are theft (29% of all breaches), hacking (23%), and accidental public access or distribution (20%)? Over half of all data breaches occur in health care entities. Health data is more valuable to thieves than credit card information because it can be used to access bank accounts and obtain prescriptions for controlled substances.
Minimizing the threat
The steps for minimizing, or preventing entirely, breaches of patient data are well established. They start with identifying all areas of potential vulnerability. This includes overall security for the practice’s premises, records and equipment. Computers must be protected by adequate electronic security for protected health information (PHI). Devices that carry PHI must be encrypted, including desktops, laptops, tablets, smartphones, memory sticks and centralized servers. Loss or theft of such devices is one of the most common breach risks, and encryption is the best defense.
So, how can you ensure your practice is safe? First, you need to train all practice staff on how to protect PHI, using HIPAA-compliant policies. That means restricting open discussion of patient PHI among staff members. Your practice should also audit or test physical, electronic, and procedural security policies regularly — including the steps that will be taken if a breach occurs. Last, insure your practice against the high costs that can flow from a breach.
The best practices already have most of these defensive measures in place. Despite them, breaches can sneak through and it’s prudent to plan in advance how the practice will respond.
Act quickly if a breach occurs
The actions taken in the first 24 hours after a breach is recognized can influence how the government and your patients view you. It’s critical to minimize the damage.
The first step is to keep the situation from getting worse. If the practice is found guilty of willful neglect, it will face higher civil money penalties. If an employee appears to be mishandling patient data or inappropriately distributing it, that person may have to be suspended or denied access to the data. If the breach involves criminal activity, the police must be notified. If the protected information has been placed on the Internet, it must be removed. In addition, failing to respond promptly to a breach by one of your business associates may be attributed to the practice.
After the initial damage has been contained, assess the gravity of the breach. Contact an attorney experienced in advising health entities and their HIPAA obligations. Together, you will carry out the four-part risk assessment described in the HIPAA Breach Notification Rule to determine whether PHI was truly compromised. The four elements of that assessment are 1) the nature and extent of the PHI involved, 2) the person or party to whom the PHI was exposed, 3) whether the PHI was actually acquired or viewed, and 4) the extent to which the risk has been mitigated.
If you conclude that PHI was compromised, numerous others must be notified of the fact. Federal law requires it, and many states have data breach laws that impose additional requirements. If more than 500 patient records have been breached, you must inform the HHS and be prepared to notify local media, as required by the HIPAA Security Rule.
The greatest challenge is likely to be breaking the news to patients. The basic message should be candid. State what happened, what steps already have been taken, and what steps will be taken in the future.
Quickly notify all staff and business associates of the breach, and prepare them for the questions they’ll receive from patients in the coming weeks by phone, e-mail and in person. The questions will be in response to a letter sent to all patients whose PHI was compromised. Legally, you have 60 days to send this letter. But it’s best to send it within 10 days.
Train staff on how to address patient questions
Start by appointing certain staff to answer questions. Train them on how to handle calls, helping them with a list of answers to frequently asked questions. Next, implement new security measures to patch the holes that allowed the breach to occur. The HHS will want to know what’s being done to prevent it from happening again. This likely will involve new policies and physical and electronic controls, as well as privacy and security training for employees.
Document all actions
Next, prepare for an investigation by the Office for Civil Rights. This process can take as long as a year. And document all actions taken and new preventive changes introduced. Be sure to keep a copy of your risk assessment.
Once you’ve gone through the entire process, draw up a plan for future incidents. Based on lessons learned from the current breach, designate who will be responsible for monitoring possible breaches in the future. Finally, contact your health care advisor. He or she can help you work through the red tape.
Sidebar: Ouch! Breaches can be expensive
In 2012, Phoenix Cardiac Surgery was required to pay the HHS a $100,000 settlement after it posted clinical and surgical appointments on a publicly accessible, Internet-based calendar. The investigation into the practice also found that it had few procedures to comply with HIPAA, limited protections for patients’ electronic health information, no documentation of staff training on security policies and procedures, no conduct of a risk analysis, and no appropriate agreements with business associates. The practice was required to implement a corrective action plan that included a review of recently developed policies and other actions it would take to come into legal compliance.
This material is generic in nature. Before relying on the material in any important matter, users should note date of publication and carefully evaluate its accuracy, currency, completeness, and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances.