Archive for Unsecure PHI
Editor’s note: This is the third in a three-part series about breach notifications. Part one focused on how to prevent breaches. Part two tackled how to handle breaches. This installment offers some final tips for what to do once a breach has occurred.
Now that you’ve followed protocol—the government’s and your facility’s—consider these final checklist items for after you have responded to a breach.
They are offered by Andrew E. Blustein, Esq., partner and cochair of Garfunkel, Wild & Travis’ Health Information and Technology Group in Great Neck, NY; Hackensack, NJ; and Stamford, CT:
- Incorporate lessons learned into existing procedures (were internal reporting and investigation fast and efficient?)
- Include the breach on the annual log reported to HHS
- Modify policies as necessary
- Reeducate staff members regarding lessons learned
- Look for repeating patterns (e.g., one patient area that has multiple incidents)
- Include the unauthorized disclosure on the accounting of disclosures
- Include any sanctions on the HIPAA sanctions log
- Ensure that investigation notes and reports were appropriately detailed and that they are maintained
HHS has said it will not enforce the breach notification provisions until February 2010—180 days from the publication of the interim final rule—but HITECH states that covered entities (CEs) are already subject to penalties for noncompliance.
CEs should have breach response systems in place already, says Chris Simons, RHIA, director of UM and HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME.
However, if CEs still need to work on their policies, they should focus their energies on making sure staff members understand the process for and importance of prompt reporting.
“If your staff doesn’t know who their privacy officer is, that’s a problem,” Simons says. “That’s a good starting place. Make sure staff knows what a breach is and who to report it to. They should be encouraged to immediately report even the suspicion of an issue.”
Document everything your organization does in response to a suspected breach, Simons adds. Conduct a risk analysis to expose your internal weaknesses. It could help you prevent a breach in the first place, which, after all, is the goal.
“What are your serious risks, and what are your minor risks?” Simons says. “How are you educating people, and are your policies and procedures in place? Get out there and do your rounds to see what’s going on and see if you hear things.”
This series contained excerpts from the HCPro, Inc., white paper, “HHS Breach Notification Interim Final Rule. Form Your Incident Response Team, Set Policies and Procedures to Comply with New Federal HIPAA Regulations.”
Dom Nicastro is a senior managing editor at HCPro, Inc. in Marblehead, MA. He edits the Briefings on HIPAA and Health Information Compliance Insider newsletters. E-mail him at dnicastro@hcpro.com.
Editor’s note: This is the second in a three-part series about breach notifications. This installment focuses on handling breaches.
Your facility has a breach of unsecure PHI. What do you do?
In addition to following requirements spelled out in HHS’ interim final rule on breach notification, consider these tips for handling the breach:
- Initiate an investigation immediately. The team leader, or point person, must be ready for action, says Andrew E. Blustein, Esq., partner and cochair of Garfunkel, Wild & Travis’ Health Information and Technology Group in Great Neck, NY; Hackensack, NJ; and Stamford, CT. Immediately consider whether the organization needs to make a report to authorities. Ask the following questions: What information was potentially disclosed? What technical safeguards were in place? How many people were affected? Could the information be used adversely against those individuals?
- Determine whether an exception to the notification requirement applies. Was the breach such that the person receiving the information would not reasonably have been able to retain and use it? Was it an unintentional disclosure made in good faith, or an inadvertent disclosure to another person at the same facility who is authorized to access PHI?
- Determine the need to notify the individual. Check the regulations contained in the HHS interim final rule and state breach notification laws. Consider whether notification could mitigate any harmful effects on the individual. If a patient’s credit card or Social Security information was stolen, it may be appropriate to offer him or her credit monitoring services, Blustein says.
- Determine appropriate sanctions. Following through on appropriate internal sanctions can send a chilling message throughout your organization, Blustein says. “Also, if [the Office for Civil Rights] comes in, and something egregious occurred and you’ve done nothing about it, what are you doing about mitigating the problem in the future?” he says. Depending on the employee involved and the type of violation, consider offering additional HIPAA training, issuing a warning, putting the employee on probation or suspension, or, in extreme situations, terminating the employee.
Tomorrow, we will conclude the series with tips for how to proceed after a breach. All material is excerpted from the HCPro, Inc., white paper, “HHS Breach Notification Interim Final Rule. Form Your Incident Response Team, Set Policies and Procedures to Comply with New Federal HIPAA Regulations.”
Check out our new HIPAA white paper, “HHS breach notification interim final rule: Form your incident response team, set policies and procedures to comply with new federal HIPAA Regulations. November, 2009.”
HHS today published the HIPAA enforcement interim final rule in the Federal Register, implementing provisions of the HITECH Act, according to an OCR press release.
There are no major changes to HITECH enforcement, only some slight changes in language.
The interim final rule becomes effective November 30. HHS has invited public comments on the interim final rule, which will be considered if received by December 29.
While many popular Web sites have strong privacy practices in place, there is no better time to analyze where, when, how, and whether your protected health information (PHI) is circulating through consumer sites such as social networks and webmail services.
The Ponemon Institute and TRUSTe recently released their 2009 Most Trusted Companies for Privacy rankings, listing eBay, Verizon, the US Postal Service, WebMD, and IBM as the top five.
But health leaders must also beware of employees sending any PHI over the Internet. The last thing you want is to get burned because someone in your organization sent PHI without authorization through Yahoo!, Facebook, or similar sites.
It’s not common—though it’s possible—for healthcare workers to use these sites to intentionally and maliciously violate patient privacy laws. More often, healthcare workers sign on during breaks, or when they are off work, and vent about their day with friends without realizing that they share identifiable information and violate HIPAA.
Regardless of how you respond to these privacy and security vulnerabilities, education is crucial, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR and a HIPAA expert. “A lot of people are panicking,” Apgar says. “But one thing that’s not well understood is the danger related to all this.”
Transmission over an unsecure network is inevitable, particularly when the sender and the receiver don’t share a secure network, says Apgar. Combat this with these four education measures:
- New employee training (orientation)
- Annual refresher training
- Security reminders (weekly helpful e-mails; information in hospital newsletters; and flash reminders on staff computer monitors)
- Communications policy—as with confidentiality agreements, require staff members to acknowledge in writing that they have read and understand it. Do this annually at staff performance reviews.
An article in the September issue of the Journal of the American Medical Association entitled “Online Posting of Unprofessional Content by Medical Students” revealed that 60% of 80 medical school deans reported incidents involving unprofessional postings on these types of Web sites, and 13% acknowledged incidents that violated patient privacy. Some of these violations resulted in expulsions from medical school, according to the article.
“These professionals are well educated, but that doesn’t mean they are savvy with security,” says Apgar. The finality of disclosures on these types of Web sites is what makes them so dangerous, says Apgar. “Once you put something out there, it’s out there, and it’s never coming back,” he says.
Simply banning these Web sites from the hospital network is one strategy that many organizations use, Apgar says.
Spring Harbor Hospital, in Westbrook, ME, doesn’t allow access to Web sites such as Facebook on facility computers, says Chris Simons, RHIA, who serves as the facility’s director of HIM and privacy officer. “We also include it in orientation as a no-no,” she says. “We have had some issues with staff on Facebook saying inappropriate things about their managers, and have addressed that.”
Access to personal e-mail accounts is just as dangerous, for many reasons, and organizations are beginning to ban this practice as well. A physician who logs onto a personal Yahoo! Mail account to send himself or herself a list of patients to access at home is one example of inappropriate use, Apgar says. That’s a breach of a lot of information, says Apgar. The hospital network may be encrypted, but that protection ends at the network edge: once the physician opens the e-mail at home, the patient list sits unencrypted on a personal mailbox and home computer that the hospital neither controls nor audits.
Freelancer Corey Goodman contributed to this report.