Technology: Data Security for Non-Techies

You don’t have to hold a degree in computer engineering to keep your data safe. Here are some simple security gaps anyone can plug.

By Pamela Moore | May 12, 2010

About 10 percent of the privacy violations tracked by consumer advocacy organization privacyrights.org in 2005 occurred in healthcare organizations. That figure jumped to 16 percent in 2006, and should be up another 5 percent to 6 percent this year if trends continue, says M. Peter Adler, of Alexandria, Va.-based InfoCounsel, a consulting firm focused on the intersection of legal and technology issues.

Clearly, security is a significant and growing issue in healthcare. Trouble is, it’s hard to recognize possible breaches in your own office. You’re just doing business the best you can. When there is a hitch, it’s a surprise.

Preemptively shoring up your practice’s security protocols can seem daunting, especially considering the industry’s obsession with EMRs and all things electronic. It’s easy to focus on IT and forget about basic, mundane physical security, says physician Jeffrey Hertzberg, president of Medformatics, a Minneapolis-based consulting firm specializing in the design, implementation, and selection of healthcare information systems. But some of the more common — and easily addressed — security cracks in medical offices are in fact comparatively low-tech. At the very least, attend to these.

Get physical

Indeed, everyone worries about the security of EMRs, application service providers, and data on handheld devices. Meanwhile, the chart room door hangs open and unlocked, consulting reports arrive at front-desk fax machines, staffers strew charts all over workstations, and physicians routinely take charts home, leaving them in their unlocked cars when they stop to buy milk.

Take some time to review these basics:

• Where are faxes printing out, and who can see them?
• Who has access to paper charts? Who can get into the records room or see charts currently in use?
• Is the record room locked when it’s not being used?
• Do paper charts travel outside the office? What keeps them safe?
• What happens to paper with patient information on it? Does it get thrown into the trash or is it shredded?
• Do you replace the locks or change the alarm pass code when staff turns over?
• Do you have written standards for staff to follow regarding patient privacy, and can you prove you’ve provided training on these standards?

It’s not just HIPAA

Certainly you do need to worry about complying with patient privacy regulations, although some practices remain unclear about just how to comply.

“I just talked to an office the other day where they were sending ordinary e-mail to patients and they didn’t realize it was a problem,” Hertzberg says. Everyone loved it, but any criminal interested enough to sort through voluminous Internet service provider records and piece together messages could see that a particular patient had a specific condition — a clear violation of HIPAA security regulations. Hertzberg advised the practice to switch to an encrypted e-mail model.

However, while HIPAA sets the standard for most security and privacy issues in physician practices, that’s not all you need to worry about. Thirty-nine states have “notice of security breach” laws that require practices (and other businesses, as well) to let individuals know if their names, Social Security numbers, credit card information, and other similar data may have been accessed improperly.

The laws are meant to give consumers a chance to protect themselves from identity theft. “So if there is a group that is taking credit card information or using Social Security numbers as identifiers on files” they need to be ready to comply, Adler stresses. “I don’t know many practices that have these policies in place. They need to look at the laws.” He encourages physicians to get away from relying on Social Security numbers, as far as possible, for this reason.

As for taking credit cards for payment, you must comply with privacy stipulations in the contract you have with your merchant as well as with the 2003 Fair and Accurate Credit Transactions Act, or FACTA. This law is the same one that lets you get a free credit report. But it also says credit and debit card receipts should not include more than the last five digits of the card number or the card’s expiration date.

While you are busy protecting your patients’ data, think about destroying some of your own. Businesses are increasingly setting rules regarding the destruction of electronic information and e-mails to avoid undue liability, Adler explains. This idea has merit. Look at how long you need to retain information for legal or business reasons; get rid of what you don’t need, he advises. If you have cleanup rules and follow them as a normal course of business — rather than in response to concerns about a specific case — you’ll be much better protected in the long run. There are now services that erase hard drives for you — which is harder than it sounds — and shred the hard drive itself into little metal nuggets.

Safe travel tips

You might have a firm policy prohibiting physicians from taking home paper charts. But how are staff and physicians using memory sticks — those handy little drives you stick into a USB port? Ross Duncan, vice president of channels for digital security firm Gemalto North America, worries about “the growing popularity of the use of memory sticks. Once [physicians put charts on one] they have probably violated half a dozen regulations.”

Most memory sticks have no protection whatsoever. If someone found the gadget, they could immediately access patients’ medical records. It’s better not to transfer data like that or to use a memory stick that requires a password or some other security.

Same thing goes for laptops and PDAs, which can be vulnerable to hacking. “Every time I put [my laptop] down in an airport, it leaves my sight. Anyone could steal it and break into it. So the information on my computer is encrypted,” says Robert M. Cothren, director for clinical information systems of Northrop Grumman’s health solutions division. What’s on the laptops and PDAs in use at your office? Make sure you regularly clean them and scrupulously protect the data.
