Are you worried about your patients' privacy as your practice becomes increasingly paperless? Learn how to protect against breaches.
Q: More and more of our practice's patient data are in electronic form, and I keep hearing about the growing numbers of data breaches. What should I do if our protected information is breached?
A: If your patients’ protected health information is breached, your first requirements are to notify the individuals whose data have been accessed illegally within 60 days of discovering the breach, and to log the event. The log should include:
If fewer than 500 individuals were affected by the breach, you must include the incident as part of required annual reporting to the U.S. Department of Health and Human Services (HHS). If the number affected is 500 or more, you need to notify HHS and media outlets in your area. Examples of logs and notifications are available at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html.
You can minimize the chances of a data breach occurring by encrypting patient data, having firewalls in place, and making sure that all data are password-protected and that passwords are changed regularly.
In addition, develop a written response plan that addresses the following questions:
It’s worth noting that a recent HHS ruling extended liability for breaches to business associates, a category that includes anyone with access to your patients’ data, with penalties ranging from $100 to $50,000 per violation, capped at $1.5 million per calendar year, and criminal penalties of up to 10 years’ imprisonment.
Incidentally, you are correct that breaches are occurring more frequently, and not just among small practices. For example, an employee of Emory Healthcare in Georgia recently misplaced 10 backup disks containing information for more than 315,000 patients.
You can find additional advice and resources for data breach preparations at:
The answer to our reader’s question was provided by Dean Sorensen, MBA, CPHMS, principal consultant and chief executive officer of Sorensen Informatics in Lombard, Illinois.
Send your technology-related questions to firstname.lastname@example.org.