Security breaches can cost a healthcare organization an average of $2.4M over 2 years as the healthcare sector is among the most vulnerable to hacking and cyberattacks.
Healthcare’s slow response to technology advancement has made the industry a prime target for data breaches and cyberattacks. Aging technology combined with software and security flaws has resulted in 94% of healthcare organizations having at least one data breach in the past two years.
According to the infographic shown below created by Backgroundcheck.org, 2,769 records are lost or stolen per breach. The findings included in the infographic are based on the Third Annual Benchmark Study on Patient Privacy & Data Security from Ponemon Institute.
Infographic about HIPAA Violations
Recent Breaches:
- University of Connecticut Health Center
- Northwest Georgia Hospice Group
- Froedtert Health in Milwaukee, WI
- Walgreens
- Samaritan Hospital in eastern New York
- Lucile Packard Children’s Hospital
- Lawrence Melrose Medical Electronic Record Inc., in Melrose, Mass
Paper records the most susceptible
Believe it or not paper is at much more risk then our computers. We wrote an article outlining the top breaches of 2012 with a the first of our 2 part series about privacy breaches, “Paper Records More Susceptible to Breach than Any Other Medium – Are You Next?”
You will be surprised to our findings and how critical it is to upgrade your systems.
Let’s start with the basics…
When is it ok to share PHI (Patient Health Information).
- Share only the minimum amount of PHI necessary to fulfill the job responsibility
- Share PHI only with those with a clinical or business need to know
- Share only the amount of PHI requested. The entire medical record may not be needed.
Examples of minimal need
-
A billing clerk may need to know what laboratory test was done, but not the result
-
An admissions clerk does not need to have access to the full medical record in order to carry out his/her job
-
A patient transporter typically does not need to access the full medical record to do his/her job
Casual disregard for policy is our greatest risk
Casual disregard and snooping continues to be a significant risk factor in our facilities. A wide variety of excuses are often given by staff; including:
- It’s my own record [Doesn’t matter, there are defined policies to follow in accessing a Medical Record including one’s own record].
- I’ve worked with that person for years and was really concerned about what was going on with them [Doesn’t matter, HIPAA does not have an ‘I care’ exception]
- I just needed an address or phone number so I could let the court know where this person is now. They haven’t paid their child support and I really need the money! [This does not give any employee the right to access another person’s Medical Record]
With few exceptions, those who get caught snooping, have been terminated. It’s an unfortunate outcome to an easily preventable incident.
Are you a criminal?
- Choosing not to comply with HIPAA could result in civil and criminal penalties, including going to jail
- If you obtain or disclose PHI without proper authority, you may face a fine of up to $50,000 and up to one year of jail time
- If you obtain PHI with the intent to sell it, give it to someone else, or for malicious reasons, you could receive a $250,000 fine and up to 10 years in jail
So how do you protect yourself?
First and foremost, HIPAA is such a broad security guideline. Very few staff or doctors that I know have ever actually even read it. So without knowing every detail, how do you protect you and your staff, and your livelihood?
Do:
- Close curtains and speak softly when discussing treatments in semi-private rooms
- Log off of the computer when not attended
- Dispose of patient information in accordance with hospital policy and procedure
- Clear patient information off of your desk and place in a secure location when not in use
- Verify fax numbers and addresses before sending PHI (or use referralMD.co to automate the referral process without the paper)
Don’t:
- Discuss a patient in public areas such as elevators, hallways or cafeterias or outside the facility or office
- Share your computer username, ID, or password
- Look at information about a patient unless you need it to do your job
- Take information about patients (including nursing report notes) home
- Discuss patient information in front of visitors without the explicit, documented authorization of the patient
- Post any patient related information in church bulletins, Facebook, MySpace, or any other social networking websites
- Bring friends or family into areas of the facility, clinic, or agency where they can see or hear patients receiving care or where they might have access to PHI
Examples of HIPAA Potential Violations
- Text messaging medical information about a patient to anyone!
- An employee passing on information to her son about his spouse or their children
- Allowing a former employee, friends, family or co-workers into off-limits areas where PHI is located – this includes children
- Taking pictures of patients with a cell phone camera
- Releasing information to a caller who is not properly identified as being authorized to receive information
- Mailing/faxing PHI to the wrong person
- Looking at the PHI of a co-worker, supervisor, family, friends, or self for non-work reasons
- Posting information about a patient or specific information about a day at your workplace on a social networking site such as Facebook
Want more information?
Want even more information about the above article and how to protect your healthcare organization? Please send me a personal email to jonathan@getreferralmd.com and I will send you more detailed information via pdf.
Thanks and chat soon!