Patient Information Breaches: Leadership's Responsibility
Let's stipulate, before I go on, that I don't know much about technology or how computers work. I can run routine maintenance on my computer, but that's about it. In fact, a good (and patient) friend of mine is coming over tonight to help me hook up my wireless internet router, which really isn't all that difficult for him, but gives me hives just thinking about it. Give me a lawnmower engine to rebuild or a set of brakes to change, and I'm your man. Give me a computer to work on, and you'll get a blank stare in return.
I'm guessing many of the readers of this column fit the same mold, minus, perhaps, the car repair abilities, and plus the overwhelming responsibility of being in charge of a health plan, a hospital, a physician practice or health system. No, you're not likely a computer security guru, but given the almost weekly news items about embarrassing and costly patient health information breaches in healthcare, it's appropriate to remind those of you who are in charge of your hospital, health system or physician practice: protecting this data is YOUR responsibility. I know you depend on delegates to get these jobs done, and you pay them well. You can't micromanage this stuff.
After all, what healthcare CEO doesn't have an expert in charge of the organization's finances or its information technology needs? But what you can do is make sure your deputy, the CIO, has encrypted all the organization's laptop computers. The buck stops with you, as Harry Truman memorably summed up the chief executive's responsibilities.
According to my colleague Dom Nicastro, the problem of protected health information loss can most often be attributed to unencrypted laptops that are stolen from hospital or health plan employees. Let's leave behind the question of whether patient health information really needs to be stored anywhere other than on computers that stay on the organization's physical property. I understand that sometimes employees need to take their work home, and that some of that work involves working with patients' protected health information.
But really, how difficult is it to secure laptops so that even if a thief gets his grubby hands on your organization's property, the information contained within is safe? Not very, apparently, which makes it all the more ridiculous that far from all healthcare organizations do it. It happens all too frequently to organizations that have loads of IT staff doing what they do. They just don't always get to the laptops, I guess.
Here's my point: Even if you're not a lawyer, you wouldn't think of entering a joint venture with a physician group that doesn't meet federal safe harbor guidelines. Those safe harbors protect you and your organization should anyone ever question whether such deals pass legal muster.
Similarly, you shouldn't have to wonder whether any laptops owned by your organization are protected by encryption methods that provide a similar safe harbor in case of a stolen laptop or other possible breach of PHI. The Office for Civil Rights, the enforcer of HIPAA's privacy and security rules, lists several methods of encryption that create just such a safe harbor. Keep in mind that the safe harbor holds only if the decryption key was not compromised along with the device, so the key must not travel with the laptop in a form a thief could use.