Recently, at least three health systems across the country have reported stolen laptop computers or the mistaken posting of unsecured data on the Internet. As a result, data on hundreds of thousands of patients were put at risk for identity theft.
With the rush to meet the government’s 2014 deadline to adopt electronic health records (EHR), security has not necessarily kept pace. Since 2009, 330 large breaches (over 500 patients for each breach) have been reported to the Office for Civil Rights. Of those, 88 involved stolen laptops and other portable electronic devices.
“In addition to fines, data breaches can result in bad publicity for physicians,” noted Mark Swearingen, an attorney with Hall Render. “Any breach could require notification to patients, the federal government or the state attorney general, and even the media if the breach affects more than 500 individuals.”
The best legal defense is to have policies and procedures in place that address portable electronic devices. Additionally, comprehensive employee training should be provided.
“Any violation of HIPAA standards can result in fines ranging from $100 to $1.5 million for one infraction,” said Swearingen. “The higher amount may be awarded if there is willful disregard of HIPAA requirements, and the problems are not corrected within 30 days.”
Also, snooping into patient records is becoming more common, and it can present a legal risk to you. Swearingen recommends auditing your system to make sure people aren’t looking at something they shouldn’t, and that individual passwords or other access controls are being used.
“There is a growing attitude of zero tolerance for snooping,” he said. “However, if a physician has implemented reasonable safeguards to secure patient data and an employee disregards those safeguards, the physician likely will not be held accountable, so long as the physician appropriately addresses the situation. If, however, a physician has not implemented reasonable safeguards or does not appropriately address the situation, the physician is more likely to be held accountable for such actions by an employee, which could result in fines for the physician or even disciplinary action by the licensing board.”
Swearingen cited a case in California in which a physician viewed patient information without authorization. The physician was sentenced to four months in jail.
Steps you can take to protect yourself
Mark Clausman, a member of the Indiana Security and Privacy Network and account manager for the Sterlyn Group, an information security provider, gave these tips to help you comply with HIPAA regulations and the Indiana Security Breach law.
- Develop policies and procedures addressing security and privacy issues, and train employees on them.
- Have an incident response plan to notify patients in case of a data breach.
- Make sure electronic health records are encrypted and password protected. “It’s important that each employee has their own password,” explained Clausman. “Most EHRs have audit trail capabilities allowing you to know who was using the computer when.”
- Encrypt all wireless, Internet-based data transmissions and portable devices containing sensitive data. Proving you have this safeguard in place will help protect you legally in the event of a breach or HIPAA audit.
- Have a plan for disaster recovery. If the power goes out or a server crashes, have a backup system in place so you can get to critical data, such as patient information.
- Conduct a risk analysis. Use an outside company to do a complete assessment of your facility and electronic health records system.
“If you have done your due diligence and can prove it, you will be less likely to have a breach and will be better off in the event of an audit,” commented Clausman.