
Breach Prevention is Critical as HIPAA Compliance Worlds Collide

By Dom Nicastro (dnicastro@hcpro.com) | February 12, 2010

Privacy and security officers have to comply with more rules than ever. The Federal Trade Commission's Red Flags Rule, the existing HIPAA Privacy and Security Rules, and the new Health Information Technology for Economic and Clinical Health (HITECH) Act together require that covered entities:

  • Protect patient information with administrative, physical, and technical safeguards (HIPAA)

  • Mitigate, to the extent practicable, the harmful effects of any unauthorized use or disclosure (HIPAA)

  • Notify affected patients, without unreasonable delay and no later than 60 days after discovery, of breaches of unsecured protected health information (PHI) that pose a significant risk of financial, reputational, or other harm (HITECH; enforcement effective February 17)

  • Inform HHS of breaches: at the same time as patients are notified when 500 or more individuals are affected, and in an annual log for smaller breaches (HITECH; enforcement effective February 17)

  • Establish a written identity theft prevention program with policies and procedures to detect, prevent, and mitigate identity theft (Red Flags Rule; enforcement effective June 1)

How should your facility handle these added regulations? Implement a three-step process to protect all patient information that includes plans for what to do before, during, and after a security incident, says Andrew E. Blustein, Esq., partner and cochair of Garfunkel Wild & Travis, PC's Health Information and Technology Group, in Great Neck, NY, Hackensack, NJ, and Stamford, CT.

"A medical record is chock-full of information that an identity thief can use to its advantage," says Blustein. "It's basically a treasure chest of credit card numbers, Social Security card numbers, and everything else someone needs to steal an identity."

Before the breach

Mitigate harm resulting from identity theft by preventing breaches from occurring, says David A. Mebane, Esq., senior vice president for legal affairs at Saint Barnabas Health Care System in West Orange, NJ.

"You want to create the right amount of technical safeguards so your patients are protected," says Mebane.

Safeguards include:

  • Encrypting laptops, other portable devices, and removable media

  • Prohibiting the installation of unapproved or insecure software

  • Deploying network and host firewalls

  • Restricting remote access to roles defined by application and business need

  • Securely destroying patient information that is no longer needed

  • Installing antivirus software and keeping it up to date

HHS also publishes guidance on the encryption and destruction methods that render PHI "secured" for HITECH purposes (based on NIST standards); PHI protected that way is not subject to breach notification if a device holding it is lost, which is the practical reason to encrypt portable devices first.

Establish policies and educate employees and vendors about their responsibility to protect information and report incidents, says Mebane.

"You'll also want to perform regular audits so you have a way of detecting breaches," says Mebane. "Once the information has been stolen and is in the wrong hands, a lot of the damage will already have been done."

Create an incident response program, advises Blustein. Form teams and designate leaders responsible for responding to and investigating any breaches. Ensure that your policies specify:

  • The type of information that must be reported

  • The entities to whom information must be reported

  • The deadline for reporting information

  • Sanctions for workforce members responsible for the breach

Responding to the breach

"Installing a program to prevent loss of PHI is like putting an alarm on your house," says Blustein. "It's a good start and it will prevent some thieves, but it doesn't mean you'll never have a problem."

If you discover a breach, alert your attorneys and consider retaining outside counsel. Doing so serves two purposes: it provides an independent look at the event, and it helps protect the organization, for example by keeping the investigation's findings under attorney-client privilege.

Activate the response teams you previously established, says Blustein. They should be prepared to investigate all aspects of the breach, including:

  • How the theft occurred

  • Who took the information

  • Whether employees were at fault

  • The amount of information taken

  • The number and identity of affected patients

  • The type of information stolen
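The "regular audits" Mebane recommends and the scoping questions in the list above (who took the information, how many and which patients, what type of information) are both answered from the same place: the access audit trail. The script below is an added example written for this page, not a tool from the article or from either firm quoted. It reviews a constructed EHR access log against an assumed role model (which record sections each role may open, which roles must stay within their own unit, and how many distinct patients per hour looks like scraping), then summarizes the flagged accesses in the form a response team needs for notification decisions. The log format, roles, and thresholds are assumptions; a real audit trail will differ.

```python
"""Review an EHR access log against a role/business-need model and
summarize what the suspicious accesses touched.

Added example for this article (not the article's own code). Log format,
role model, unit rule and bulk threshold are all assumptions.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Assumed role model: which record sections each role may open.
ALLOWED_SECTIONS = {
    "physician": {"demographics", "clinical", "ssn"},
    "nurse": {"demographics", "clinical"},
    "billing": {"demographics", "insurance", "ssn"},
    "registration": {"demographics", "insurance"},
}

# Assumed rule: clinical roles are expected to stay within their own unit.
UNIT_BOUND_ROLES = {"nurse", "physician"}

# Assumed threshold: more distinct patients than this per user per hour
# looks like record scraping rather than patient care.
BULK_THRESHOLD = 3

# Constructed sample log (not real data).
# Columns: time,user,role,unit,patient,patient_unit,section
SAMPLE_LOG = """\
time,user,role,unit,patient,patient_unit,section
2010-02-10T09:02:00,jsmith,nurse,ICU,P1001,ICU,clinical
2010-02-10T09:05:00,jsmith,nurse,ICU,P1002,ICU,clinical
2010-02-10T09:07:00,jsmith,nurse,ICU,P2001,Oncology,clinical
2010-02-10T10:15:00,blee,billing,Finance,P1001,ICU,insurance
2010-02-10T10:16:00,blee,billing,Finance,P1001,ICU,clinical
2010-02-10T02:10:00,tcole,registration,Admitting,P3001,ER,demographics
2010-02-10T02:11:00,tcole,registration,Admitting,P3002,ER,demographics
2010-02-10T02:12:00,tcole,registration,Admitting,P3003,ER,demographics
2010-02-10T02:13:00,tcole,registration,Admitting,P3004,ER,demographics
"""


def parse_log(text):
    """Parse the CSV log into dicts, converting the timestamp field."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows


def _hour_key(row):
    # Bucket accesses per user per clock hour for the bulk-access check.
    return (row["user"], row["time"].replace(minute=0, second=0, microsecond=0))


def flag_accesses(rows):
    """Return a list of (row, reason) for every access that breaks a rule.

    One row can be flagged more than once if it breaks several rules.
    """
    patients_per_hour = defaultdict(set)
    for row in rows:
        patients_per_hour[_hour_key(row)].add(row["patient"])

    flagged = []
    for row in rows:
        if row["section"] not in ALLOWED_SECTIONS.get(row["role"], set()):
            flagged.append((row, "section not permitted for role"))
        if row["role"] in UNIT_BOUND_ROLES and row["unit"] != row["patient_unit"]:
            flagged.append((row, "patient outside user's unit"))
        seen = len(patients_per_hour[_hour_key(row)])
        if seen > BULK_THRESHOLD:
            flagged.append((row, "bulk access: %d patients in one hour" % seen))
    return flagged


def scope_breach(flagged):
    """Summarize flagged accesses for the response team: who accessed
    what, how many and which patients, and which sections (types of
    information) were touched."""
    patients = defaultdict(set)
    users = Counter()
    for row, _reason in flagged:
        patients[row["patient"]].add(row["section"])
        users[row["user"]] += 1
    return {
        "users": dict(users),
        "patient_count": len(patients),
        "patients": {p: sorted(s) for p, s in sorted(patients.items())},
        "sections": sorted({s for secs in patients.values() for s in secs}),
    }


if __name__ == "__main__":
    hits = flag_accesses(parse_log(SAMPLE_LOG))
    for row, reason in hits:
        print(row["time"].isoformat(), row["user"], row["patient"], reason)
    print(scope_breach(hits))
```

On the sample log this flags the ICU nurse opening an Oncology patient's chart, the billing clerk opening clinical notes, and the registration clerk's after-hours run through four patients in one hour; the summary shows six patients and two kinds of information (clinical and demographics) involved, which is the starting point for deciding whom to notify. The same review run on a schedule, before any incident, is what Mebane means by having "a way of detecting breaches".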

Soon after making these determinations, decide whom you must notify and how. You'll need to consider state law, HIPAA, and the HITECH Act, says Blustein. Keep in mind that the HITECH 60-day clock runs from the day the breach is discovered (or reasonably should have been), not from the end of the investigation. You also must ask yourself what the right thing to do is, he says.

"You need someone in your organization who can make these decisions quickly to avoid the bottleneck problem," says Blustein. "The concern is that often things pile up and it takes too long to get approval and the notification letter ends up sitting on an administrator's desk."

Also consider offering affected individuals free credit monitoring for a specified period to help reduce the effect of any resulting identity theft.

"You want to do everything you can to protect yourself and your patients," says Blustein. "By monitoring credit and notifying the right people, you might be able to cut off the use of their personal information before any damage is done."

Learning your lessons

The nature of the breach will help determine whether you want to amend your existing policies to be better prepared, educate staff members with respect to prevention, or implement more safeguards, says Blustein. Shore up any documentation pertaining to the incident in case there is an investigation, he says; HIPAA requires such documentation to be retained for six years.

Even if you don't experience a security incident, monitor businesses and healthcare organizations in your area that may have been affected, advises Mebane.

"You can't just roll out policies and be done with it," says Blustein. "The challenges are always changing, and you need to be able to keep up with them."

Ensuring uniformity throughout your organization is important. "An organization should strive to ensure that your clinic down the street should have the same policies and protection as the computer in your main lobby," says Blustein.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
