Patient Information Breaches: Leadership's Responsibility

Let's stipulate, before I go on, that I don't know much about technology or how computers work. I can run routine maintenance on my computer, but that's about it. In fact, a good (and patient) friend of mine is coming over tonight to help me hook up my wireless internet router, which really isn't all that difficult for him, but gives me hives just thinking about it. Give me a lawnmower engine to rebuild or a set of brakes to change, and I'm your man. Give me a computer to work on, and you'll get a blank stare in return.

I'm guessing many of the readers of this column fit the same mold, minus perhaps, the car repair abilities, and plus the overwhelming responsibility of being in charge of a health plan, a hospital, a physician practice or health system. No, you're not likely a computer security guru, but given the almost weekly news item about embarrassing and costly patient health information breaches in healthcare, it's appropriate to remind those of you who are in charge of your hospital, health system or physician practice: protecting this data is YOUR responsibility. I know you depend on delegates to get these jobs done, and you pay them well. You can't micromanage this stuff.

After all, what healthcare CEO doesn't have an expert in charge of the organization's finances or its information technology needs? But what you can do is make sure your deputy, the CIO, has encrypted all the organization's laptop computers. The buck stops with you, as Harry Truman wonderfully put his take of the chief executive's responsibilities.

According to my colleague Dom Nicastro, the problem of protected health information loss can most often attributed to unencrypted laptops that are stolen from hospital or health plan employees. Let's leave behind the question of whether patient health information really needs to be stored anywhere other than on computers that stay on the organization's physical property. I understand that sometimes employees need to take their work home, and that some of that work involves working with patients' protected health information.

But really, how difficult is it to protect laptops' security so that even if a thief gets his grubby hands on your organization's property, the information contained within is safe? Not very, apparently, making it all the more ridiculous that not even close to all healthcare organizations do it. It happens all too frequently to organizations that have loads of IT staff doing what they do. They just don't always get to the laptops, I guess.

Here's my point: Even if you're not a lawyer, you wouldn't think of entering a joint venture with a physician group that doesn't meet federal safe harbor guidelines. Those safe harbors protect you and your organization should anyone ever question whether such deals pass legal muster.

Similarly, you shouldn't wonder whether any laptops owned by your organization are protected by several methods of encryption that provide a similar safe harbor in case of a stolen laptop or other possible breach of PHI. The Office for Civil Rights, the enforcer of HIPAA's privacy and security rules, lists several methods of encryption that create just such a safe harbor.

So what are you, as the CEO, doing to make sure your organization is safe from any possible breaches from laptops? I'd love to know. The possible financial and legal headaches from such a breach are too severe to ignore this issue. I'm thinking a simple directive to the CIO should suffice. There can't be that many laptops that they would be impossible to track or to protect. And given the importance of this issue, shouldn't the CIO represent to you in some way that the laptops are protected?

If you aren't requiring your CIO to certify to you in some way that all laptops your organization owns are encrypted, well, you deserve your fate, which in the case of a stolen laptop, would be severe.