Keeping patient data safe and secure requires adherence to best practices and regular, ongoing vigilance. But many healthcare organizations aren’t doing nearly enough, according to Gerard Nussbaum, a healthcare attorney, consultant and principal of Chicago-based firm Zarach Associates, LLC.
I recently spoke with Gerard about the weak spots in many organizations’ privacy and security programs, as well as practical ways to drive improvement.
Maureen: This is obviously a very basic question, but why is it so important to safeguard patient data?
Gerard: I think meeting patient expectations should be at the top of the list. Obviously it’s very important for providers to comply with HIPAA and do the things they’re legally obligated to do, especially because there are substantial penalties involved; but ultimately a physician is running a practice to provide services to his or her patients and they are the top priority.
Part of what physicians need to bear in mind is that patients’ expectations regarding their data may sometimes differ from the rules governing protected health information, so physicians need to be prepared to discuss those differences with patients.
For instance, a patient might think they’re just sharing information with their physician, but the nurse, medical assistant, and even in some instances the front desk staff, can have access to that data. In small practices, especially, people wear a lot of hats. It’s important that patients understand this.
The other challenge is that as we move forward in value-based care and integrate the care patients are receiving from multiple providers, we’re trying to share data while also trying to protect it. Patients might not realize that their data is being made available to the other providers who are involved in their care. You want patients to have appropriate expectations about their data, of course, but you also don’t want them to withhold sensitive information—things like HIV status, mental health issues, and drug and alcohol use—because they’re worried about the information being shared.
Maureen: What are some procedures that healthcare organizations should have in place to keep patient data private and secure?
Gerard: I’ll start at the top. You really need to have educated staff. Employees don’t need to be security experts, but they have to understand that privacy and security are core aspects of their job and are part of their commitment to patients. They need to understand the basics of HIPAA and the risks involved. And they need to be trained to be suspicious of phishing attempts and social engineering tactics that criminals use to gain access to a system.
For example, if a staff person receives a call from an individual claiming to work for another practice with which the staff person is not familiar, and who asks for information about a patient, the employee needs to hang up and actually call that practice back to verify that the request is real.
Sometimes it is employees who are the source of an improper release of, or access to, PHI, so it’s very important to have systems in place that monitor access and activity and alert you to any suspicious or improper access to patient information—and a process for investigating and taking action, if necessary. For example, noticing, and acting on, a staff person who accesses an unusual number of patient records in a short amount of time. When practices have employee turnover, they need to immediately turn off the departed employees’ access to all systems.
Unique passwords are also very important. A temporary employee can’t use Mary’s identification when she’s on vacation; the temp needs to have their own access credentials (username and password). Role-based security gives employees the access they need to do their job and no more than that.
Also, make a list of vendors that have access to PHI. Review the contracts and business associate agreements to make sure you’re clear on what commitments they made about keeping data private and secure and whether you have appropriate recourse if they’re not doing what they said they would.
Maureen: You really emphasize encryption. Why is it so important, and what steps should practices take to be sure their data is encrypted?
Gerard: I always tell people, “Encrypt, encrypt, encrypt.” Today there is no reason why it’s too hard or too expensive to encrypt your data both at rest and in transit. Under HIPAA, if your data is properly encrypted and thieves can’t access the encryption key, then a breach did not occur.
Mobile devices are still a significant hole in most organizations’ security. Go through the list of breaches on the Office for Civil Rights’ website: the number of breaches that are due to an unencrypted laptop is huge. Seriously consider whether you need to have files containing PHI on mobile devices. If there is a valid need, then make sure the data is properly encrypted and you keep close track of the mobile devices.
Maureen: Any other takeaways or advice, particularly for practices that want to do more to protect data but aren’t sure where to start?
Gerard: Yes, my piece of advice would be to start with a security risk assessment. Take it seriously and use it as an opportunity to find weaknesses. Don’t get demoralized; look at results and prioritize. It will be eye-opening when you see where all of your PHI is kept and who has access to the patient data.
There are decent HIPAA training modules available online, including from some medical societies, which can help educate staff on privacy and security.