Dealing with Data Breaches
Qualify for a free subscription to HealthLeaders magazine.
"We have a two-strike policy. The first time they get counseled and trained again in the HIPAA regulations, and they have to sign a statement that they understand the privacy protections," Moroses says. "The second time can lead to termination."
Continuum hasn't had to terminate anyone yet for violating HIPAA privacy rules, he says, because staff clearly understand not only that complying with HIPAA is the right thing to do, but also that their employer is monitoring them closely. The health system also was an early adopter of data loss-prevention technology, a set of information security tools that is intended to stop users from sending sensitive or critical information outside of the corporate network.
"It looks at every frame going in and out of the Internet and searches for a combination of PHI—Social Security number, address, ZIP code, name—and will flag it with a report saying this looks like PHI, and then you can investigate what happened," Moroses says.
The beauty of a DLP system is that it shows you what actually happens with PHI, which might not be what your tech professionals expected. The tech experts may think they have plugged every potential hole in the system, every way that PHI could leave without authorization, but DLP will reveal that the information is still leaking out and allow you to trace the origin, Moroses says.
Other technological defenses include encrypting all mobile devices and ensuring that the computer system clears the cache after PHI is viewed, Moroses says. As mobile devices use more and more applications for data transfer and storage, providers face a constant challenge to keep defensive technology up to date, he says. The biggest fear these days is the loss of mobile devices, Moroses says. "It's not some criminal hacking into your system; it's somebody leaving a laptop on the train or the bus."
Continuum uses whole disk encryption on its laptops with PHI, but all the technological solutions rely on a culture that respects privacy, Moroses says.
"It's not a lot of money or something you can't afford," Moroses says. "It really comes down to discipline and a dialogue with the clinical community."
This article appears in the January 2012 issue of HealthLeaders magazine.
Greg Freeman is a contributing writer for HealthLeaders Media.
- Hospital Groups Strike Back at Hospital Rating Systems
- AHIP: Enormity of HIX Challenges Sinks In
- The Secret to Physician Engagement? It's Not Better Pay
- 5 Hot Healthcare Ideas from SXSW
- Another SGR Patch Likely, Lawmaker Says
- How Succession Planning Boosts Employee Retention Rates
- 4 Reasons PCMH Principles Aren't Going Away
- Two-Midnight Rule Must be Fixed or Replaced, Say Providers
- Don't Underestimate Emotional Intelligence
- Rules to Rein in HIX Narrow Networks Could Drive Away Payers