This year has seen a number of large data breaches which have exposed the Protected Health Information of millions of Americans, placing them at an increased risk of becoming victims of identity theft and medical fraud. While some deliberate attacks have infiltrated computer networks, in many cases it is human error that exposes patient data to unauthorized third parties. Misplaced or unguarded portable devices have resulted in massive data breaches and many simple errors and oversights have resulted in patient details being exposed.
Healthcare organizations are now required to store an increasing volume of data in electronic format. While data security used to mean locked filing cabinets and a small security presence, the increased risks faced by today’s healthcare providers require an increasingly technical array of security measures to keep patient data secure.
Even when legislation is followed to the letter and all of the appropriate technical, physical and administrative safeguards are put in place, a simple mistake by a member of staff can easily cause a data breach that can have major implications for the individual concerned, the healthcare provider and its patients.
According to Rachel Seeger, Spokesperson for the Office for Civil Rights, “Human error increases risk when there are already vulnerabilities in place.” It is therefore essential that HIPAA-covered organizations conduct a full and thorough risk analysis to identify any security vulnerabilities, and any issues raised must be effectively managed.
Deliberate hacks are on the rise because health data is highly valuable to thieves, and cybercriminals have discovered that the healthcare industry is poorly protected. Banks and financial institutions have installed robust security systems to protect the financial data of customers, yet many hospitals and clinics underestimate the threat posed by hackers and fail to take even basic precautions.
While the threat of data theft is ever present and more cases are reported each year, in terms of the number of security breaches reported annually, human error causes far more breaches than cyber attacks.
Many errors are caused by people not being aware of current data privacy and security regulations, what their job should entail and their obligations under HIPAA, HITECH and other legislation introduced to keep data protected. Training the staff about obligations under HIPAA legislation is mandatory, but in addition to training, employees should be provided with checklists which can easily be followed to ensure compliance and reduce the potential for mistakes and omissions.
Privacy and data security policies are devised by administrators, compliance officers and management. While they cover all requirements of the legislation, it is essential that these policies are assessed in practice and that feedback is obtained from the staff responsible for protecting data. Procedures may require fine tuning to ensure that data is protected and work processes remain efficient. Particular care must be taken when technology is used; a full risk assessment must be conducted to ensure that data is not unwittingly exposed.
A number of steps can be taken by healthcare providers to reduce the possibility of human error causing data breaches. Adopting the following ‘best practices’ can greatly reduce the risk of Protected Health Information being exposed and causing HIPAA violations:
Encourage Self Reporting of Security Concerns
Create an environment where the staff is comfortable reporting any potential HIPAA violations, mistakes or accidental disclosures of PHI. While employees must understand the seriousness of data security, it is also important that they appreciate why security or privacy issues must be immediately reported. It may not be possible to undo the mistake, but it is possible to take rapid action to mitigate any damage it causes.
Instruct Staff to Report the Errors of Others
Errors can be unwittingly made that expose PHI, yet they may not be noticed by the individual concerned. It is therefore important to communicate to the staff that the reporting of any security concern is mandatory, and to adopt a policy of zero tolerance for any retaliation against persons who report vulnerabilities, breaches or other security concerns.
Provide Training to Eliminate Common Mistakes
Many HIPAA breaches result from employees not being aware of their data security obligations or from making errors under pressure or by taking short cuts. Convey the importance of data security to the staff, provide specific training on common problem areas and ensure all employees are aware of the latest data security policies and procedures, as well as the repercussions for not following them.
Correct Bad Habits Promptly
Once bad habits start to develop they can easily spread throughout the workforce. It is vital that supervisors, line managers and compliance officers identify bad practices quickly and take corrective action. Identify any persons, groups or departments that are sloppy and cut corners and provide selective retraining or other corrective actions.
Automate Compliance Wherever Possible
The easiest way to eliminate the possibility of human error is to automate as many compliance processes as possible. If staff are only permitted to store data on encrypted devices, a security system should be implemented that makes it impossible for data to be transferred to an unencrypted drive. Users can be automatically logged out of databases and computer systems after being idle for a set period, and other automated procedures can be introduced to keep data secure.
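The two automated controls named above (blocking writes to unencrypted removable drives, and locking idle sessions) map directly onto Windows machine policies. The following PowerShell script is an added example, not part of the original article; it audits both settings and can enforce them. It assumes Windows 10/11 or Windows Server managed via the BitLocker and interactive-logon policy registry keys, an elevated session, and a constructed 15-minute idle limit that is an organizational choice rather than a HIPAA-mandated number.

```powershell
# Added example: audit and enforce two workstation safeguards for PHI.
# Assumptions: elevated PowerShell on Windows; thresholds below are constructed.
$Checks = @(
    @{ Name     = 'Deny write access to removable drives not protected by BitLocker'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
       Value    = 'RDVDenyWriteAccess'
       Expected = 1 },
    @{ Name     = 'Interactive logon: machine inactivity limit (seconds) before lock'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value    = 'InactivityTimeoutSecs'
       Expected = 900 }   # 15 minutes, a constructed value for this example
)

function Test-PhiWorkstationControls {
    # Returns one object per control so the result can be logged or exported.
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value `
                   -ErrorAction SilentlyContinue).($c.Value)
        if ($c.Value -eq 'InactivityTimeoutSecs') {
            # 0 (or absent) means no lock is enforced; any positive value at or
            # below the organizational maximum is acceptable.
            $ok = ($null -ne $actual) -and ($actual -gt 0) -and ($actual -le $c.Expected)
        } else {
            $ok = ($actual -eq $c.Expected)
        }
        [pscustomobject]@{
            Control   = $c.Name
            Actual    = $actual
            Expected  = $c.Expected
            Compliant = $ok
        }
    }
}

function Set-PhiWorkstationControls {
    # Creates the policy keys if missing and writes the expected DWORD values.
    foreach ($c in $Checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
    }
}

$report = Test-PhiWorkstationControls
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'A PHI safeguard is not enforced; run Set-PhiWorkstationControls as an administrator.'
}
```

In a managed environment these values would normally be delivered by Group Policy; the script is useful as an audit check that the policy actually landed on each workstation.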
Employ Fail Safes to Keep Data Private
While procedures and company policies can be set to reduce the possibility of human error, when a mistake is made it should not have catastrophic consequences. Alarms and system alerts should be set up to identify breaches quickly and non-technical fail safes should be implemented to prevent untrained or unauthorized staff from accessing PHI.
Conduct Internal Audits to Assess HIPAA Compliance
Once policies have been put into place, it is wise to conduct regular internal audits to check for non-compliance issues. If the OCR conducts an investigation, it has the power to issue fines for each non-compliance issue discovered. It is far better to take proactive steps to address any non-compliance issues before they are uncovered by a surprise OCR audit.
Proceed with Caution
There are likely to be a number of situations where the staff is unsure whether it is permissible to release or disclose PHI. It should be communicated to all staff that the golden rule should be, “if you are unsure whether an action violates data privacy and security regulations do not do it; seek advice.” After all, once a breach occurs, data cannot be undisclosed.