Safeguard personal health information

May 1, 2013

While it may be impossible to prevent a data breach, anticipate vulnerabilities and implement fixes

The statistics are staggering. A December 2012 study by the Ponemon Institute notes 94% of healthcare organizations have suffered at least one data breach over the past two years, and 45% have suffered more than five incidents in the same time period.

The healthcare industry is one of the most vulnerable industries to data breaches. Security gaps and weak or non-existent IT security and internal training protocols can make organizations easy targets for hackers as well as accidents waiting to happen. According to a 2011 study by Kaufman, Rossin & Co., 4.9 million individuals had their protected health information (PHI) compromised during 2009, and lost or stolen laptops were the cause of more than 25% of the reported breaches during that year, affecting more than 1.5 million individuals.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 in part to promote and expand the adoption of health information technology. The HITECH Act has made significant changes to the 1996 Health Information Portability and Accountability Act (HIPAA), previously the federal standard with respect to the privacy and security requirements of PHI. The HITECH Act Final Rule, released in January 2013, provided additional clarification and guidance to the Act including an expanded definition of “business associate.”

The Final Rule also includes additional burdens and liabilities on both covered entities and business associates with respect to the handling and sharing of PHI. In addition, breaches are now presumed reportable unless there is a low probability that the PHI has been compromised, as determined after a risk assessment.

With the HITECH Act Final Rule just released and compliance required on or before September 23, 2013, managed care organizations and all other healthcare organizations (as well as their business associates) should consider putting pre-breach risk management and risk assessment policies into place now, before a data breach occurs and the HITECH Act’s new requirements come into play.

The Office of Civil Rights currently does not offer definitive guidance on what “full compliance” with HIPAA and the HITECH Act means. However, recent government settlements and court cases involving civil monetary penalties as a result of a health care data breach demonstrate there are several steps healthcare organizations could be taking to build the best pre-breach defenses possible.

The following list of eight protocols can help mitigate the risk of a data breach and the potential liabilities if a breach should occur.

1. Conduct an internal security risk analysis, and document ongoing risk assessment activities. Identifying and shoring up known and discovered security gaps as a result of these efforts may go a long way to positioning your organization as deliberate, thoughtful and committed to data security in the wake of a breach and a possible government audit.

2. Routinely test your organization’s incident response plan, so that key people are not only aware of their duties and responsibilities when a breach is discovered, but can act quickly and effectively. Document these internal “dry runs” to demonstrate, if needed post-breach, that your organization’s response plan was not collecting dust on a shelf but was routinely tested.

3. Conduct an internal self-audit, using the Office for Civil Rights’ (OCR’s) audit standards. The OCR’s pilot protocol (used to complete 115 audits last year) is the basis for the permanent protocol scheduled to begin late 2013 or early 2014. The OCR also offers examples that show how covered entities can effectively comply with the requirements of the HIPAA Privacy and Security Rules.

4. Strengthen security protocols for all mobile electronic devices, and consider creating a security policy dedicated to mobile devices. According to the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy and Security, 81% of respondent health care organizations allow their employees and medical staff to use personal mobile devices to connect to the organization’s network, and 46% do not require any security safeguards for these devices. Since it’s common for a lost or stolen laptop or smart phone to result in a breach of PHI, managed care organizations should take steps to shore up security with respect to these devices (encrypting data, restricting access or use, developing policies and procedures prohibiting the downloading of PHI, employing data loss prevention technology).

5. Re-evaluate your business associate agreements and their security practices; the HITECH Act Final Rule provides that, in some cases, business associate compliance failures may become your organization’s problem. Liability for customer/patient notification under the HITECH Act always remains with the managed care organization as the “covered entity,” even if the notification obligations are delegated to a business associate. In addition, healthcare organizations with operations in multiple states may be subject to an evolving series of state privacy laws, which may impose stricter requirements than those under the HITECH Act.

6. Consider your organization’s use of cloud computing, as well as that of your business associates. According to the Ponemon Institute, more than 60% of healthcare organizations use the cloud both for storage of and sharing access to PHI. Your organization should have policies in place regarding the use of cloud-based services. Review your business associates’ use of cloud-based services and their policies to ensure that any inconsistencies in usage protocols can be addressed by both organizations to help better safeguard stored PHI.

7. Train your employees. Apart from the fact that it’s required under the HITECH Act, data privacy training for all employees and other individuals under your organization’s control is essential. The training should be frequent, pertinent to an individual’s job function and, to be most effective, delivered in person by your organization’s data security officers or other IT security personnel. In the wake of a data breach, training offered as an annual online program may not strongly demonstrate your commitment to fully educating all employees about their roles with respect to maintaining the security of the organization’s PHI.

8. Maintain rigor and discipline around the simple basics, such as: locking cabinets and doors to rooms where PHI is stored; limiting access to PHI to only those individuals with a need to know; paying particular attention to keeping paper records locked up and closely monitored for access; and ensuring employees have the ability to easily lock and freeze their computer screens to prevent errant viewing of PHI by others.

Our fast-evolving, technology-dependent world has made it more difficult to protect and secure PHI. While it may be nearly impossible to prevent a data breach from occurring, healthcare organizations should anticipate vulnerabilities and implement fixes to shore up their organization’s risk profile in advance of a breach. Taking these steps will also help increase the possibility of having an unremarkable outcome if the OCR either audits or post-breach evaluates your organization’s commitment to preparedness and security with respect to safeguarding PHI.

Kimberly B. Holmes is deputy worldwide healthcare product manager for specialty lines at the Chubb Group of Insurance Companies. She can be reached at holmesk@chubb.com.