Your friends have recently been spending more time worrying about their data security, and some have even moved their servers out of their offices to a secure data center. They are talking about "Breach Notification" and million-dollar fines that have been levied against another doctor. But you aren't exactly sure what they are referring to; your data is safely on a server in your office, and you haven't had any complaints, so what's the problem? The problem is that there have been many recent changes to the laws that deal with HIPAA Privacy and Security, and to what happens when the trust between a patient and a covered entity is broken. If you are blissfully unaware today, you might be in for the shock of your life tomorrow.
Imagine a day way back in 1998 when you went to see your dentist for a standard cleaning. Your appointment wasn't anything out of the ordinary, because you remember to floss regularly. As it turns out, your dentist had to rush out of the office after your appointment to see her daughter's piano recital and didn't have time to make any notes in your chart before leaving. Your dentist takes your chart with her, in the briefcase now sitting on the passenger seat, planning to make her chart notes at the recital while waiting for the show to begin. In her rush to make it into the recital on time, she leaves the briefcase in her locked car. And a few minutes into her daughter's rendition of "Clair de Lune," an unsavory character smashes the car window and steals the briefcase with your medical records in it.
In those days, the repercussions of this theft would have been fairly mild. At worst, you might need to have some x-rays retaken sooner than ALARA (as low as reasonably achievable) would suggest, but for the most part the dentist would have been held harmless of any responsibility. Nowadays there is a totally different landscape when it comes to patient information, and there are protections in place that can significantly penalize someone who mishandles the data in your patient chart.
Since 2003, the Department of Health and Human Services (HHS) has protected the privacy of a patient's information under the HIPAA Privacy Rule, and in 2005 the Security Rule set standards for protecting electronic patient data. These were the rules that encouraged software companies to build features that required strong passwords, automatically logged you out after a short idle period, and removed patient-identifiable information from software screens that might be seen in high-traffic office areas. This was a good start, but there was little real enforcement, and not everyone took the HIPAA rules as seriously as they should have. At the time, a covered entity could argue that it "didn't know" of the problem and escape punishment for any misconduct.
The reality is that anyone who has access to patient information is responsible for securing that data and preventing it from falling into the wrong hands, and the "wrong hands" means anyone who isn't authorized to view that patient data. It sounds simple, yet it's easy to underestimate what it actually takes to fulfill. The HIPAA Security Rule defines encryption as "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without using a confidential process or key." That definition matters in practice: under HHS guidance, PHI that has been encrypted this way (and whose decryption key was not also lost) is not considered "unsecured" PHI, so a stolen encrypted laptop or backup drive does not by itself trigger the breach notification requirements described below, while the same data on an unencrypted device does.
The HITECH Act would later spell out something called Breach Notification: the steps you must take to notify affected patients and the Secretary of HHS when there is potential unauthorized access to protected health information. HITECH also created four tiers of civil penalties based on the covered entity's level of culpability, and the lowest tier, "did not know," which covered entities could previously use to avoid any punishment, now carries a penalty of its own.
The number one issue in investigated cases closed with corrective action has been Impermissible Use and Disclosure. This is what happens when you allow Protected Health Information (PHI) to potentially fall into the wrong person's hands. Interestingly, no one needs to have actually read the information for there to be a breach: an impermissible use or disclosure is presumed to be a reportable breach unless a risk assessment based on four factors shows a low probability that the PHI was compromised:
- What kind and how much PHI was involved, and how likely is the PHI to be attributed to an individual;
- Who the person is that the PHI was disclosed to;
- Whether the PHI was actually acquired or viewed; and
- How much mitigation was done to lower the risk to the PHI.
Penalties are substantial: civil fines range from $100 per violation at the lowest tier up to $50,000 per violation, capped at $1.5 million per year for violations of the same provision, and knowingly misusing PHI can bring criminal charges with up to 10 years of imprisonment. The practice is also required to self-report in a timely manner: affected patients must be notified by letter without unreasonable delay and no later than 60 days after the breach is discovered, and for any breach affecting more than 500 individuals in a state or jurisdiction you must also send notice to prominent media outlets serving that area and to the HHS Secretary (smaller breaches are logged and reported to the Secretary annually). The effect of these penalties is potentially a death sentence for the practice; cash-strapped and facing a possible loss of patients, the practice has a significant uphill battle to recovery.
It is really no wonder that healthcare professionals are so worried about this. And because HHS publicly posts every reported breach affecting 500 or more individuals, it's easy for anyone to check whether a particular doctor has reported a breach in the past. So what do you do? You have been made ultimately responsible for the privacy and security of your patients' health information. You need to guard it as you never have before, but how do you do that with the tools at your disposal?