Physicians Ensnared in Data Breaches
Last month, the names of "private practices" reporting breaches of unsecured protected health information affecting more than 500 people were revealed when the Office for Civil Rights, (OCR) the enforcer of the HIPAA privacy and security rules, lifted the veil of anonymity on the entities.
Judging from my calls to some of these physician offices who reported breaches—and their failure to return my calls, or simply responding with terse "no comment"—many would rather remain anonymous.
But for physicians who were involved in breaches, there are lessons learned, especially for small practices. Sometimes we just assume in this highly connected digital world, that every physician has ramped up to protect his practice against illegal data theft. That's definitely not the case.
One small practice, Daniel J. Sigman, MD, PC, based in Stoughton, Mass, was hit with a breach on Dec 1, 2009, affecting 2,860 patients, according to the OCR. The OCR tally noted: theft, portable devices, and medical records.
A key problem was the manner in which the data was kept in the plastic surgeon's office. Without giving me too many specifics, Kathleen Minnock, office manager, says the data was kept in a bag —similar to a purse —and taken offsite every night.
"We have a small server like many small doctor's offices," said Minnock, office manager, noting that the way the office handled the data seemed inexpensive and convenient.
After the practice learned the data was missing, the nightmare began, she says. The first worry was whether patient data was stolen, or compromised any other way. Thankfully, that didn't occur, Minnock says, without providing details. She says patient data doesn't appear to be compromised. Federal officials, however, demanded that each patient be notified and alerted to what had happened, all 2,860 of them. And over time, Minnock says, the practice has learned the lesson of keeping good records.
OCR reports that at least 11 "private practices" reported breaches of 500 or more over the past year, involving potentially thousands of patients and files.