Breach Prevention is Critical as HIPAA Compliance Worlds Collide

Dom Nicastro, February 12, 2010

Privacy and security officers have to comply with more rules than ever. The Federal Trade Commission's Red Flags rule, existing HIPAA laws, and the new Health Information Technology for Economic and Clinical Health (HITECH) Act require that covered entities:

  • Protect patient information with technical, administrative, and physical safeguards (HIPAA)

  • Lessen the negative effect of unauthorized disclosure (HIPAA)

  • Notify patients within 60 days of breaches that involve unsecure personal health information (PHI) and pose a significant risk of financial, reputational, or other harm (HITECH; enforcement effective February 17)

  • Inform HHS of breaches (HITECH; enforcement effective February 17)

  • Establish an identity theft prevention program with policies and procedures to detect, prevent, and mitigate identity theft (Red Flags Rule; enforcement effective June 1)

How should your facility handle these added regulations? Implement a three-step process to protect all patient information that includes plans for what to do before, during, and after a security incident, says Andrew E. Blustein, Esq., partner and cochair of Garfunkel Wild & Travis, PC's Health Information and Technology Group, in Great Neck, NY, Hackensack, NJ, and Stamford, CT.

"A medical record is chock-full of information that an identity thief can use to its advantage," says Blustein. "It's basically a treasure chest of credit card numbers, Social Security card numbers, and everything else someone needs to steal an identity."

Before the breach

Mitigate harm resulting from identity theft by preventing breaches from occurring, says David A. Mebane, Esq., senior vice president for legal affairs at Saint Barnabas Health Care System in West Orange, NJ.

"You want to create the right amount of technical safeguards so your patients are protected," says Mebane.

Safeguards include:

  • Encrypting laptop computers and other portable devices

  • Prohibiting the installation of unsecured software

  • Creating system firewalls

  • Establishing remote access roles specific to applications and business requirements

  • Destroying unnecessary patient information

  • Using and updating antivirus software

HHS also provides specific guidance for securing portable devices.

Establish policies and educate employees and vendors about their responsibility to protect information and report incidents, says Mebane.

"You'll also want to perform regular audits so you have a way of detecting breaches," says Mebane. "Once the information has been stolen and is in the wrong hands, a lot of the damage will already have been done."

Create an incident response program, advises Blustein. Form teams and designate leaders responsible for responding to and investigating any breaches. Ensure that your policies specify:

  • The type of information that must be reported

  • The entities to whom information must be reported

  • The deadline for reporting information

  • Penalties for individuals responsible for the breach

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.