
Physicians Ensnared in Data Breaches

By jcantlupe@healthleadersmedia.com, August 05, 2010

Last month, the names of "private practices" reporting breaches of unsecured protected health information affecting more than 500 people were revealed when the Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, lifted the veil of anonymity on the entities.

Judging from my calls to some of the physician offices that reported breaches—and their failure to return my calls, or their terse "no comment"—many would rather remain anonymous.

But for physicians who were involved in breaches, there are lessons learned, especially for small practices. Sometimes we just assume, in this highly connected digital world, that every physician has ramped up to protect his practice against illegal data theft. That's definitely not the case.

One small practice, Daniel J. Sigman, MD, PC, based in Stoughton, Mass., was hit with a breach on Dec. 1, 2009, affecting 2,860 patients, according to the OCR. The OCR tally noted: theft, portable devices, and medical records.

A key problem was the manner in which the data was kept in the plastic surgeon's office. Without giving me too many specifics, Kathleen Minnock, office manager, says the data was kept in a bag—similar to a purse—and taken offsite every night.

"We have a small server like many small doctor's offices," said Minnock, noting that the way the office handled the data seemed inexpensive and convenient.

After the practice learned the data was missing, the nightmare began, she says. The first worry was whether patient data was stolen or compromised in any other way. Thankfully, that didn't occur, Minnock says, without providing details. She says patient data doesn't appear to be compromised. Federal officials, however, demanded that each patient be notified and alerted to what had happened, all 2,860 of them. And over time, Minnock says, the practice has learned the lesson of keeping good records.

OCR reports that at least 11 "private practices" reported breaches affecting 500 or more people over the past year, involving potentially thousands of patients and files.

Several of the breaches involved different practices in related Torrance, CA offices. The Los Angeles Times reported that the medical records of more than 18,000 patients of at least five Torrance doctors were "potentially accessed by cyber-thieves on a single day." I called the practices; either they would not return my call or declined to speak about it.

However, a spokeswoman for another practice ensnared in a breach told me: "It was really horrible. The (doctor) found out about the breaches the same day it happened. He's a victim, yet he's responsible for taking care of it. It all goes back to him." She wouldn't elaborate and he didn't want to discuss it.

Minnock, the office manager at the Massachusetts physician's office, says her office has taken major steps toward improving the manner in which records are kept. "The lesson is, don't take the tapes home, don't take the laptop home. You really need appropriate safeguards," Minnock says. Not only are the records now encrypted, "now they are double locked like the banks do."

But it doesn't have to be a small physician's office to find out the hard way about losing data. "Over at South Shore Hospital, they are big and they had a breach," she points out. South Shore Hospital, in South Weymouth, MA, recently disclosed it had a major breach.

In a statement last month, the hospital reported that back-up computer files containing personal, health and financial information affecting potentially 800,000 people may have been lost by a professional management company. The missing files included information on patients, employees, physicians, volunteers, donors, vendors and other business partners dating from Jan. 1, 1996, to Jan. 6, 2010.

The hospital said it sought to destroy the files because they were in a format it no longer uses. Apparently, however, a freight carrier lost a shipment of files scheduled for destruction.

Hospital officials say they have no evidence that information on the backup computer files had been accessed by anyone. An independent security consulting firm told the hospital that specialized software, hardware and technological knowledge and skill would be required to access and decipher the files. Still, the incident is under investigation by state authorities.

The hospital will send letters to individuals affected once it verifies whose information may have been included in the missing back-up files. Once the investigation is completed, the hospital said it will determine whether to provide free credit and identity theft monitoring to any of those affected.

For Minnock, South Shore is one more reminder that security can't be taken for granted, and that the swirling demands of HIPAA compliance never let up.

To help physicians, David Ginsburg, president of PrivaPlan Associates Inc., a consultant specializing in HIPAA, prepared a white paper for the California Medical Association on "Practical Steps Practices Can Take To Ensure HIPAA Compliance." Ginsburg writes that "most medical practices feel they have done all they need to satisfy HIPAA requirements" and are "reluctant to dedicate precious resources to additional compliance efforts."

He urges physicians to "routinely review system activity and conduct technical audits to monitor suspicious activity. Your practice management system should have auditing capabilities to track employee activity and patient accounts."
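One way to put Ginsburg's advice into practice is a periodic review of the practice management system's access log for activity that stands out: record access outside office hours, bulk exports, and staff opening far more patient charts in a day than their role needs. The script below is an added example, not from the article or from PrivaPlan; the CSV export format, field names and thresholds are assumptions, and the log lines are constructed sample data.

```python
"""Review a practice management system's access log for suspicious activity.

Added example. Assumes the system can export one CSV row per chart access:
timestamp, employee id, patient id, action (view/export). Thresholds are
illustrative and should be set from the practice's own normal workload.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one busy clerk, one late-night lookup, one export.
SAMPLE_LOG = """\
2010-07-12T09:02:11,emp_ann,pt_1001,view
2010-07-12T09:15:40,emp_ann,pt_1002,view
2010-07-12T10:01:03,emp_bob,pt_1003,view
2010-07-12T22:47:55,emp_bob,pt_1004,view
2010-07-12T11:30:00,emp_cat,pt_1005,view
2010-07-12T11:31:00,emp_cat,pt_1006,view
2010-07-12T11:32:00,emp_cat,pt_1007,view
2010-07-12T11:33:00,emp_cat,pt_1008,view
2010-07-12T11:34:00,emp_cat,pt_1009,export
"""


def parse_log(text):
    """Parse CSV rows into (datetime, employee, patient, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, pt, action = line.split(",")
        events.append((datetime.fromisoformat(ts), emp, pt, action))
    return events


def review_activity(events, max_patients_per_day=25, start_hour=7, end_hour=19):
    """Return sorted findings as (rule, employee, detail, when) tuples."""
    distinct_per_day = defaultdict(set)  # (employee, date) -> patient ids
    findings = []
    for ts, emp, pt, action in events:
        distinct_per_day[(emp, ts.date())].add(pt)
        if not (start_hour <= ts.hour < end_hour):
            findings.append(("after_hours", emp, pt, ts.isoformat()))
        if action == "export":  # exports move data off the system; always review
            findings.append(("bulk_export", emp, pt, ts.isoformat()))
    for (emp, day), patients in distinct_per_day.items():
        if len(patients) > max_patients_per_day:
            findings.append(("high_volume", emp, str(len(patients)), day.isoformat()))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_activity(parse_log(SAMPLE_LOG), max_patients_per_day=4):
        print(*finding)
```

Each finding is a lead for the office manager to check against the schedule, not proof of wrongdoing; the value of the review comes from running it routinely rather than after a breach.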

"A number of gaps can expose medical practices to patient identity theft and violation of state laws," he writes. "It is more critical than ever that physicians review their current policies and procedures" to determine if upgrades are necessary. The best defense, Ginsburg advises, is "not to have a privacy or security violation occur."

Joe Cantlupe is a senior editor with HealthLeaders Media Online.