EHRs can pose a security risk to your patients. Discover what you can do to protect the data.
A medical student trainee at the University of Texas MD Anderson Cancer Center boarded an employee shuttle bus on July 13, and when she exited, she left behind a portable hard drive that contained the unencrypted protected health information (PHI) of 2,200 patients. It was never found.
Earlier this year, an MD Anderson faculty member's laptop was stolen during a home burglary. It contained the unencrypted PHI of more than 30,000 patients, including their names, treatment data, and (for some of them) their Social Security numbers. The laptop was never recovered.
These kinds of incidents are not uncommon. In the past few years, healthcare providers all over the country have experienced PHI security breaches because computer hardware was either lost or stolen. The questions are: why was the PHI there in the first place, and why was it not encrypted?
Simply having a HIPAA-compliant EHR does not guarantee the security of your patients' medical records. For that, you must take specific steps and accept personal responsibility.
Primary care practices are especially vulnerable to security breaches, says Sean P. Kelly, MD, a board-certified emergency medicine physician who practices and teaches at Beth Israel Deaconess Medical Center in Boston, Massachusetts. That's mainly due to the large amount of data exchanged internally between practice departments, as well as externally with hospitals, specialists, health plans, home health organizations, hospices, physical and occupational therapy offices, and other external care providers and payers.
"Whenever data are exchanged, practices are vulnerable," says Kelly, also chief medical officer of security product company Imprivata. "Especially with elements that are part of protected records such as HIV status, psychiatric, and other chronic diagnoses that might not be specifically relevant to the patient's immediate healthcare needs."
This issue is of particular concern in the claims submission process, where administrative assistants submit information to billing agencies or insurance companies to justify payments for services or equipment, or to obtain pre-authorization for tests. Those submissions can also carry other privacy-protected PHI that the claim itself does not require.
Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI, is an information security, privacy, and compliance consultant, author, and instructor who has provided assistance, advice, services, tools, and products to organizations in a wide range of industries, including healthcare, for more than two decades.
She blames lack of awareness of HIPAA requirements and the inherent opportunities to mishandle PHI for most of the recent breaches in PHI security at hospitals and in primary care practices. Herold notes the following categories where physician education and implementation of security protocols can prevent exploitation of lax PHI security.
Researchers estimated that as much as two-thirds of the mobile medical device market will soon consist of remote healthcare-related technology for managing chronic diseases.
This change can be a boon for doctors who want to carry patient records with them as well as receive alerts and test results immediately. Many physicians, however, are not aware that to fully comply with HIPAA as well as the PHI policies of the hospitals where they work or have privileges, the PHI stored on their mobile devices must be encrypted.
"Many [physicians] believe that they have good personal habits that will not lead to the devices being lost or stolen," Herold says. "However, the long and growing list of incidents involving such lost and stolen devices demonstrates otherwise."
Herold says "many to most" doctors regard encryption as too cumbersome and complicated to use, or they believe that it's not necessary for mobile computers and storage devices. Both assumptions could lead to lost or stolen PHI. Serious breaches have resulted in steep fines levied against physicians, and even lost privileges.