Be prepared for breaches of protected patient information

Q: More and more of our practice's patient data are in electronic form, and I keep hearing about the growing numbers of data breaches. What should I do if our protected information is breached?

A: If your patients’ protected health information is breached, your first requirements are to notify the individuals whose data have been accessed illegally within 60 days of discovering the breach, and to log the event. The log should include:

• the date of the breach,

• the date that you discovered the breach,

• the number of persons affected by the breach, and

• how affected individuals were notified.

If fewer than 500 individuals were affected by the breach, you must include the incident as part of required annual reporting to the U.S. Department of Health and Human Services (HHS). If the number affected is 500 or more, you need to notify HHS and media outlets in your area. Examples of logs and notifications are available at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html.

You can minimize the chances of a data breach occurring by encrypting patient data, having firewalls in place, and making sure that all data are password-protected and that passwords are changed regularly.

In addition, develop a written response plan that addresses the following questions:

• How did the breach occur? Most breaches are the result of lost or stolen mobile devices, such as smart phones, tablets, and laptop computers, on which patient information has been stored.

• What information was breached? Not every breach involves protected patient information. If the information is not protected, you don’t have to notify HHS.

• Can the breach be mitigated? If the protected information is locked and can be wiped within 24 hours, it is not considered a breach.

• Who must be notified? Include a list of individuals and organizations (the Centers for Medicare and Medicaid Services, hospitals, payers, law enforcement, news media) to notify, along with assigned notification responsibilities among staff members.

It’s worth noting that  a recent HHS ruling extended liability for breaches to business associates, a category that includes anyone with access to your patients’ data, with penalties ranging from $100 to $50,000 per violation, capped at $1.5 million per calendar year, and criminal penalties of up to 10 years’ imprisonment.

Incidentally, you are correct that breaches are occurring more frequently, and not just among small  practices. For example,  an employee of Emory Healthcare in Georgia recently misplaced 10 backup disks containing information for more than 315,000 patients.

You can find additional advice and resources for data breach preparations at:

• www.cms.gov

• www.nist.gov

• www.sans.org

• www.himss.org

• www.ahima.org

The answer to our reader’s question was provided by Dean Sorensen, MBA, CPHMS, principal consultant and chief executive officer of Sorensen Informatics in Lombard, Illinois.

Send your technology-related questions to medec@advanstar.com.