With electronic storage of protected health information (“PHI”) becoming more common, healthcare providers are rightly concerned about ensuring their data and security systems are not breached, and developing an established course of action in the event that their systems are breached.
The most important security precaution that a provider can have in place is a stable system for breach prevention. Otherwise, navigating the field to ensure there are no breaches can be difficult.
Do not place your bets on good luck or assume that the system you currently have will prevent a breach. It’s impossible to plan for every possibility, and your practice will be better prepared if you view breaches as an inevitability. So, prepare as if a breach will happen—but keep your focus on prevention, as that is the ideal.
How to Prevent a Data Breach
Your patients are depending on you to provide them with a safe and secure system, and they are the ones who will be most affected when a breach occurs. Here are a few tips to ensure that your system is as secure as it can be, adapted from this resource:
1. Test, test, test.
First, make sure your current system is effective. To do this, you must test the system. This means performing constant random testing—data breaches are random, so your testing should be as well—as well as conducting a yearly risk assessment.
2. Restrict access to patient information.
One of the key concepts of the Health Insurance Portability and Accountability Act (HIPAA) is that only those who need to use the data have access to it. Make sure that the systems you have in place only allow employees to access required information. Furthermore, ensure each employee has his or her own login information, as this makes audit trails easier to follow.
3. Educate yourself and your employees.
Make sure you provide constant, current education for both yourself and your employees about HIPAA compliance and the impacts of a health data breach.
4. Deploy encryption technology and monitor devices and records.
Be sure to employ technology that protects the PHI stored on the devices. This should be done through the use of encryption technology for all your data and hardware—whether the data is at rest (stationary) or in transit (in motion). This is a standard that you should always keep up to date. Make sure that your system strictly manages identity and access, so that only those who need to use the information can access it.
While HIPAA does not require data encryption, the Health Information Technology for Economic and Clinical Health (HITECH) Act states that if encrypted data is stolen, this does not constitute a breach.
There should also be strict rules for employees who use their own devices to access information, as this can lead to breaches (e.g., if those devices end up lost or stolen). Educate employees on how to secure their belongings, and perhaps encourage them not to store their data locally.
5. Review and modernize IT infrastructure.
If you work in a hospital or large practice, subnet your wireless network. This way, you can provide Wi-Fi to your patients while also ensuring that they are unable to access records.
If you use a cloud system, it’s crucial that you read over the contracts carefully. Make sure you will still be HIPAA-compliant and that the systems will be secure.
You may want to invest in quality IT staff to work on these networks. The individuals you have will determine whether your systems will work and will be there to defend you against breaches.
6. Collaborate with compliant business associates.
It is likely that you currently have business associates—or that you will have one or more in the future. Business associates can assist in locking your information in a safe place, but this means that they have access to PHI. Make sure that your business associates are compliant with HIPAA and that they have the proper security procedures in place to prevent breaches.
7. Invest in a good legal team.
Remember, as helpful as these tips are, you must view a breach as inevitable. Even if you do everything right, bad things can still happen. Investing in a good legal team allows you to know that even if something goes wrong, you have a plan to move forward.
How to Respond to a Data Breach
Now, let’s assume you’ve set up an appropriate system to prevent a breach, but something has happened, and your patients’ PHI has been accessed. Let’s look at the steps you should take.
1. Conduct an initial assessment of the breach.
Once you have discovered a possible breach, you need to conduct an initial assessment of the situation. This can be done through creating a task force. This group will need to determine:
- What went wrong?
- Was any PHI compromised?
- When did it happen?
- Who is responsible?
2. Address the risks.
Now it’s time to fully dive in and determine what happened and how. That way, you can ensure it does not happen again. This can be done through conducting a root cause analysis—and documenting the steps you take along the way. When looking through your data, you should have documentation including:
- policies and procedures for security and privacy,
- details on employee education and awareness programs, and
- evidence of disciplinary action taken on employees.
Don’t limit your focus to the system that experienced the breach. If something went wrong in one system, it is highly likely the same thing can and will happen in another system.
3. Notify the appropriate parties.
Even though it is difficult, it is necessary that you notify all the appropriate parties of what has happened. While you might be worried about losing patient trust, patients prefer to know the truth.
4. Manage the consequences.
After you’ve studied the causes of the breach and reported your findings to the appropriate parties, it is possible that you will be investigated and have to pay legal fees. Remember, HIPAA laws were created to protect the patient, not the practice.
As previously mentioned, your relationship with your patients may suffer because of the breach. So, after you’ve taken appropriate measures to combat the breach and implement new security measures in your system, you must take steps to rebuild your patient relationships. If this situation was something outside of your control, explain this to your patients. Patients appreciate honesty and transparency.
If you are struggling to handle the breach, reach out to legal counsel for assistance. There is no shame in asking for professional help.
5. Don’t panic.
Remember, you prepared for a breach, and you’ve done damage control. Sometimes things happen that you cannot prevent, and all you can do is react appropriately. Review what happened and make sure that you took all the proper measures to ensure the same thing does not happen again.
Again: Don’t panic. With proper preparation, you can combat any potential breaches. If you’re still unsure about your readiness for a potential PHI breach, seek out professional help to get all your legal ducks in a row.
Connor D. Jackson is a Chicago-based healthcare attorney with Jackson LLP Healthcare Lawyers. Connor works with small physical therapy practices and regularly advises his clients about corporate and compliance matters, including HIPAA, the False Claims Act, Medicare, and scope of practice. Connor enjoys working with clients to create their ideal practice environment and to quell their compliance concerns. As a former litigator, Connor understands the financial and emotional cost of litigation, and he collaborates with his clients to minimize the risk of getting sued. You can email Connor at connor@JacksonLLP.com or follow him on Twitter at @cjacksonESQ.