Guest post by Xavier E. Martinez from Power Your Practice
If you thought this would be the year securing patient data would finally become easier, you may be in for an unpleasant surprise. A recent Experian report predicts the healthcare industry will see more large-scale security breaches affecting patient privacy in 2014. According to Michael Bruemmer, Vice President of Experian’s Data Breach Resolution, the sheer size of the healthcare industry is what makes it vulnerable to security risks.
If you add all currently insured patients to the 7 million incoming patients resulting from the new Health Insurance Exchanges, and then couple that with the haphazard manner in which Healthcare.gov was implemented, you create a much larger attack surface.
At Experian, which provides recovery services for companies dealing with personal data loss, 46 percent of breaches in 2013 were healthcare-related. In fact, their remediation group worked on more than 2,200 healthcare breaches in 2013, compared to 1,700 in 2012.
Patient information is a valuable commodity in today’s fraud market. Personal records suitable for use in identity theft can be worth between $10 and $28 depending on the income status of the victim. When enriched with health data, the value of an identity data set jumps to almost $50 per record because it can be used for medical and insurance fraud – a far more lucrative business.
However, in most cases, data breaches have less to do with advanced hacking techniques and more to do with lost laptops, failing to shred paper records and easily avoidable employee blunders.
In three out of 10 breaches Experian serviced last year, the errors were traced to sloppy system administrator password practices, such as neglecting to change a default password or carelessly sharing PINs.
So what data protection methods can you implement to better protect your patients?
There are several steps and precautions your practice can carry out:
- Provide an up-to-date training program on handling protected health information (PHI) for employees performing health plan administrative functions.
- Never share sensitive PHI with others who shouldn’t have access, including co-workers or personal acquaintances.
- Avoid accessing a patient’s record unless needed for treatment or with written permission from the patient.
- Minimize occurrences of others overhearing patient information. Do not use a patient’s whole name within hearing distance of others.
- Secure all paperwork containing PHI by placing it in a drawer or folder when not in use. Cover charts so patient names are not visible. Never leave records and other PHI unattended.
- Close computer programs containing patient information when not in use. Practice management (PM) systems with automatic time-out settings are helpful in this regard.
- Limit e-mail transmissions of PHI exclusively to those circumstances when the information cannot be sent another way.
- Always use a cover sheet when faxing PHI.
- Back up all disks containing PHI. Storing your patients’ information in a HIPAA-compliant cloud-based system is safer than using a client-server setup or paper documents.
- Assign different levels of security clearance to specific people. This prevents employees from accidentally changing or seeing information that does not pertain to their specific duties.
- Ban the sharing of passwords between staff members.
- Properly dispose of information containing PHI by shredding paper files.
- Make sure computers have up-to-date anti-virus scanning software installed. This helps ensure your practice is reasonably guarded against malicious software.
- Ensure associated vendors and businesses are properly following HIPAA standards as well.
As the healthcare industry continues to grow, outdated administrative practices will no longer stand up to security threats. It is important, therefore, to take full advantage of secure technologies such as Meaningful Use-certified patient portals and EHRs, and cloud-based practice management systems, to help keep your patient data secure.