When most of us think of threat to the Protected Health Information (PHI) for which we are responsible, we think about breach by outside sources. After all, those of us who work in Behavioral Health and Substance Abuse are highly sensitized to the need to protect the privacy of our clients. Given that, we assure that our electronic systems are protected by adequate security….that the PHI is encrypted, that our firewall is effective, that no one is connecting remotely who should not have access. Right? We don’t as often think about what goes on inside our offices.
This morning, Seth sent the SOS staff an account reported by one of the HIPAA security blogs to which he subscribes. This event sounded very much like two that have happened to customers of SOS. Two staff members leave the practice taking patient information with them in order to feed a new practice/business. Most people immediately think about the theft of the patients by the departing provider. We think about the theft of the PHI and the breach report the practice may now be required to make.
Since the Office of Civil Rights (OCR) started real enforcement of HIPAA including fines, breaches have resulted in settlements averaging $1M each. Six out of nine of those breaches were the result of an insider’s actions, not those of an outsider. The fines mostly came about as the result of investigation by OCR of reports made by the health organization that experienced the breach.
Today I attended a webinar provided by IDExperts. They are one of my favorite sources of information about privacy and security of PHI. While their software may be beneficial to some of our larger customers, it is clear to me that our smaller practices and agencies are very much in need of information and education and could benefit from some of the resources available on their site.
If you think your PHI could ever be viewed by an inappropriate person based on employee mistakes, the loss of portable devices, or the theft of patient information by someone with whom you contract, you need to assure that you have protective policies and procedures in place, that your employees are adequately trained, and that you all follow the needed procedures. Hiring a consultant or buying software to write policies for you and then forgetting about them is a major mistake. You must develop a culture of compliance to assure the safety of PHI. The Ponemon Institute, in a study sponsored by IDExperts, found that only 52% of employers believe they have policies and procedures to prevent and detect unauthorized patient data access. Are you part of that 52% or of the 48% who do not have adequate policies and procedures to protect your PHI?
What does your organization do to protect PHI? What is your role in whatever your organization does? When was your last HIPAA Privacy/Security training? Do all staff attend including providers and executive staff? Do you have Business Associate Agreements with all the businesses who might have access to your PHI? If I were to come to you as a client, would I feel assured that my PHI is protected from preying eyes and secure from threat?
Please share your thoughts and comments below.