
Avoiding a patient data breach -- and how to handle one if it does occur

SALT LAKE CITY -- Since the HITECH Act tightened privacy rules, toughened penalties for patient data breaches and expanded HIPAA enforcement to state attorneys general, health care providers need to toughen data-breach prevention measures, said two experts presenting at the American Health Information Managers Association 83rd Convention and Exhibit. Moreover, providers need to put into place policies that enable them to respond quickly to data breaches -- to minimize harm to patients as well as to the organization.

HIPAA complaints more than doubled from about 3,750 in 2003 to 8,500 in 2010 according to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), said attorney Scott Edelstein of Squire, Sanders and Dempsey, LLP. He predicts more complaints and audits of health care providers in the coming years, which will likely lead to more enforcement activity.

Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands also have their own privacy laws, some of which are more stringent than HIPAA, Edelstein added. These additional state laws increase potential legal risks when data breaches occur.

To help providers avoid data breaches and, when they happen, lessen the fallout in the community as well as with HIPAA enforcers, co-presenter Mary Poulson offered best-practice advice to AHIMA attendees. She serves as director of compliance for western regions for MEDNAX Services, which employs 1,650 physicians (mostly neonatal physicians and anesthesiologists) in 33 states and Puerto Rico.

Prevention begins by making employees aware of what a data breach is in the first place: "Have a clearly articulated data breach incident response plan, know who the members on your response team are [and] have investigative forms in place -- we have a form that's 'who/what/where/when/why' and it's located on the intranet within the company, and every employee's been trained to use it," said Poulson, who also contributed to a briefing published in the Oct. 2011 Journal of AHIMA outlining more detailed strategies for dealing with data breaches.

Encryption is the best policy

Even though the HIPAA Security Rule lists encryption as an "addressable" rather than a required specification, OCR has gone on the record treating it as a "safe harbor": PHI that is encrypted in line with the HHS guidance is not "unsecured" PHI, so losing it does not trigger breach notification, provided the decryption key was not compromised along with the data. Poulson urged attendees to make sure their organizations encrypt data both in motion on the network and at rest, in storage. Encryption should be a top priority.

Beyond that, she offered other suggestions for avoiding data breaches:

  • Develop a privacy policy with input from employees working in the various departments that handle protected health information;
  • Read articles about the latest data breaches as well as ongoing HIPAA enforcement cases, both for your own knowledge and for examples to use in employee training courses; Poulson, for example, said she learned many do's and don'ts from following the details of the Cignet case earlier this year, which resulted in a $4.3 million civil money penalty;
  • Network with privacy-officer peers at other health care providers and share strategies that work; also keep in mind that academic medical centers are required to post privacy policies -- read them to see if you can borrow any good ideas they might contain;
  • Don't just deliver printed internal privacy policy documents to employees; train them, test them and periodically refresh that training;
  • Don't allow PHI to be stored on laptops, desktops or removable drives;
  • Create a policy for removable drives and their use;
  • Maintain strong physical safeguards wherever paper records are stored; and
  • Practice what she called "managing privacy by wandering around," or choosing a department and observing its handling of protected health information.

On that last note, Poulson said her privacy team members have uncovered issues by sitting anonymously in waiting rooms (such as in radiology or outside operating rooms), where they found physicians coming out and loudly discussing the details of a patient's case with family members.

"I have found more [protected health information] left over in meeting rooms after physician meetings than any other time," she added.


They've also discovered bad practices by donning rubber gloves and going through a department's trash on the hunt for improperly disposed paper documents containing protected patient data. The whole "wandering around" technique has become so effective in helping shore up privacy holes that the team now does it on a quarterly basis -- and when a problem's discovered, privacy staffers invite themselves to department meetings and reinforce policy training.

MEDNAX's privacy team also randomly reviews electronic access logs and follows up on questionable queries of the system. The team gently re-educates employees it discovers skirting HIPAA rules -- usually it's an innocent transgression, Poulson said, such as a physician looking up the record of a family member who isn't technically his patient.
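As an added illustration of the access-log review described above (example code written for this article, not MEDNAX's own tooling), the script below runs a few of the checks a privacy team would apply to an EHR audit trail: an access with no documented treatment relationship (the "family member who isn't my patient" case), a workforce member opening their own record, and one user browsing several unrelated charts in a short window. The log format, the care-team table, the role policy and the thresholds are all constructed assumptions; a real review would pull them from the EHR's audit and scheduling systems.

```python
"""Review sample EHR access-log lines for accesses that merit follow-up.

Added example, not MEDNAX's tooling. Everything below (log format, care-team
table, role policy, thresholds, sample data) is a constructed assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp,user,role,patient,action. Not real data.
SAMPLE_LOG = """\
2011-10-03T08:02:11,dr_lee,physician,P1001,view_chart
2011-10-03T08:05:40,dr_lee,physician,P1002,view_chart
2011-10-03T08:07:02,dr_lee,physician,P2044,view_chart
2011-10-03T09:15:33,nurse_kim,nurse,P1001,view_labs
2011-10-03T09:20:10,nurse_kim,nurse,P4040,view_chart
2011-10-03T12:30:00,clerk_ray,registration,P5001,view_demographics
2011-10-03T12:30:20,clerk_ray,registration,P5002,view_demographics
2011-10-03T14:00:00,tech_ana,lab_tech,P6001,view_chart
2011-10-03T14:00:30,tech_ana,lab_tech,P6002,view_chart
2011-10-03T14:01:05,tech_ana,lab_tech,P6003,view_chart
2011-10-03T14:01:40,tech_ana,lab_tech,P6004,view_chart
"""

# Constructed treatment relationships: patient -> users on that patient's care team.
CARE_TEAM = {
    "P1001": {"dr_lee", "nurse_kim"},
    "P1002": {"dr_lee"},
    "P2044": {"dr_patel"},
    "P5001": {"dr_patel"},
    "P5002": {"dr_patel"},
}

# Constructed mapping of workforce members who are also patients (self-lookup check).
EMPLOYEE_PATIENT_ID = {"nurse_kim": "P4040"}

# Assumed policy: actions a role may perform on any patient as part of its job,
# so they are not flagged merely for lacking a treatment relationship.
ROLE_ALLOWED_WITHOUT_RELATIONSHIP = {"registration": {"view_demographics"}}

BULK_THRESHOLD = 4                  # distinct unrelated patients ...
BULK_WINDOW = timedelta(minutes=10)  # ... opened by one user within this window


def parse_log(text):
    """Turn the CSV-style audit lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def has_relationship(user, patient):
    return user in CARE_TEAM.get(patient, set())


def review_access(events):
    """Return (user, patient, reason) findings for accesses worth following up."""
    findings = []
    unrelated = defaultdict(list)  # user -> [(ts, patient)] with no relationship
    bulk_flagged = set()
    for e in events:
        user, patient, role, action = e["user"], e["patient"], e["role"], e["action"]
        if EMPLOYEE_PATIENT_ID.get(user) == patient:
            findings.append((user, patient, "self-lookup of own record"))
            continue
        if has_relationship(user, patient):
            continue
        if action in ROLE_ALLOWED_WITHOUT_RELATIONSHIP.get(role, set()):
            continue
        findings.append((user, patient, "no treatment relationship"))
        unrelated[user].append((e["ts"], patient))
        recent = {p for ts, p in unrelated[user] if e["ts"] - ts <= BULK_WINDOW}
        if len(recent) >= BULK_THRESHOLD and user not in bulk_flagged:
            bulk_flagged.add(user)
            findings.append((user, "*", f"{len(recent)} unrelated patients within {BULK_WINDOW}"))
    return findings


if __name__ == "__main__":
    for user, patient, reason in review_access(parse_log(SAMPLE_LOG)):
        print(f"{user:10} {patient:6} {reason}")
```

Run against the sample log, the review flags dr_lee's single out-of-team chart view (the case to re-educate rather than punish), nurse_kim's view of her own record, and tech_ana's run of four unrelated charts in under two minutes, while leaving the registration clerk's demographics lookups alone because the assumed role policy permits them. The point of the role allowlist is to keep the review focused on the accesses a human should actually look at; without it, every front-desk lookup becomes noise.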

Response to patient data breaches: Speed matters

When breaches occur, Poulson stressed that speed in discovering and addressing the situation is key to showing the public and enforcement authorities that you're committed to protecting patient privacy; breaches affecting 500 or more individuals must be reported not only to the patients but to HHS and prominent media outlets. Conversely, a delayed response weakens your organization's position when negotiating settlements, and failing to sanction a worker in accordance with the severity of the privacy policy violation signals to the rest of the employees that your commitment to compliance may not be that strong.

Poulson outlined the tenets of solid data breach response plans:

  • Treat each breach report seriously, "as if OCR was coming in," Poulson said -- so if they do, you'll be prepared;
  • Upon learning of a breach, assemble the response team and conduct immediate risk assessments to understand how big it could be, as well as how much harm has been done;
  • Identify and preserve the compromised data;
  • Determine what notification is required;
  • Assess appropriate mitigation measures; and
  • Maintain open lines of communication with patients after sending out breach notification letters; MEDNAX goes as far as imagining what questions a patient receiving a breach notification letter might have, and puts those (and their answers) in a list for whomever's answering the phone number in the letter.

"We try to do everything within 30 days, and not go over that," Poulson said. That target sits well inside the HITECH breach notification rule's outer limit of 60 calendar days after discovery. After that, she added, begins a review process in which the response team determines what went right in the response process, what could have been done better, and how to improve the response if another breach occurs.

Let us know what you think about the story; email Don Fluckinger, Features Writer.


This was first published in October 2011
