By Kim Holmes and Barry Fonarow
How secure are your patients’ data? Storing patient health records electronically may be an efficient replacement for the antiquated paper filing system of the past, but despite its many benefits (including financial incentives from the government to adopt electronic health records), a failure in your system that results in breached data may come at a hefty price.
As a psychologist, you understand that maintaining confidentiality between patient and therapist is core to your ability to practice. Suffering a data breach could not only cost you time and resources but could cost your professional reputation.
While federal and state laws vary, a data breach generally occurs when sensitive protected health information (PHI), including mental health records and personally identifiable information (PII), is accessed without authorization, whether through intentional or unintentional means.
According to a recent U.S. Department of Health and Human Services report, roughly 7.9 million people’s medical records have been exposed in 30,750 cases of health care-related data breaches since 2009 — a trend that is expected to continue.
The U.S. Congress first addressed individual privacy infringements in 1996 when it enacted the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules, which sought to set a national legislative standard for protecting electronic individual health information. The issue was revisited in 2009 with the signing into law of the Health Information Technology for Economic and Clinical Health Act (HITECH) — a piece of legislation that was introduced as part of the Patient Protection and Affordable Care Act (the “health reform” law) and that amended HIPAA — giving it “teeth” for the first time in the form of potential civil monetary fines and penalties.
While HIPAA/HITECH now provides that fines and penalties may be incurred by a health care organization in the event of a breach (on a sliding scale ranging from $50,000 up to $1.5 million per violation for the most egregious breaches), whether and to what extent these fines and penalties may be levied is always a subjective assessment by the government. An organization’s preparedness to prevent a data breach and its timely and appropriate response to a breach are factors taken into account by the federal government in determining whether and to what extent fines and penalties will be assessed under HITECH.
In addition to lost or stolen laptops and other portable electronic devices, one of the largest causes of health care-related data breaches is employee negligence. For instance, in 2010 NewYork-Presbyterian Hospital at Columbia University Medical Center reported a data breach that resulted in 6,800 patients’ PHI, including 10 social security numbers, being accidentally posted on the internet by an employee.
Additionally, allowing third-party vendors and service providers access to information may add another layer of vulnerability that is often overlooked when identifying cyber security weak spots. From 2010 to 2011, the PHI of 20,000 patients who visited the emergency room at Stanford Hospital in Palo Alto, Calif., remained publicly accessible on an online homework help site following an incident involving the hospital’s third-party billing contractor.
In the event that a cyber-related data breach occurs, there are often far-reaching repercussions including reputational harm and financial burdens due to potential fines and penalties and civil and class action lawsuits. There may also be expenses related to privacy notification, credit monitoring, health records resolution services, crisis management and forensic investigation.
The first step in protecting against a cyber-related data breach is education. Learn about the federal and state laws that could apply to your organization and understand the reporting and notification requirements that may apply in the event of a data breach. Using best practices both in advance of and at the point of discovering a data breach may also position your organization to be viewed more favorably by a federal or state reviewing authority after a breach.
With most health care organizations only allocating 2 percent to 3 percent of their IT budgets to cyber security, an all-inclusive plan will probably be a distant reality at first for most practices. However, being caught unaware and unprepared when a breach occurs could have catastrophic consequences that an organization may not be able to weather. Therefore, in addition to consulting with a trusted advisor such as a specialized privacy/data breach attorney or risk management consultant, following these few simple guidelines may help reduce the impact of a cyber-related data breach:
- Encrypt all portable/mobile electronic devices with data encryption software.
- When outsourcing work, do your due diligence: research the third-party vendor or service provider’s data breach policies, find out whether and to what extent they carry errors and omissions liability and/or cyber liability insurance, and seek to put in place a written indemnification agreement with all vendors and service providers.
- Draft an internal incident response plan for data breaches and make it part of your organization’s culture. A clear plan outlining how to respond to a data breach within your internal organizational structure should help reduce the time between when a breach occurs and when it is appropriately responded to – all of which may place your organization in a more favorable light with an after-the-fact government audit or review of the data breach.
- Consider the purchase of a cyber liability insurance policy to help weather the financial burden of the “when” not “if” of a data breach occurring.
Complete peace of mind concerning data breaches and cyber security is not something most organizations can enjoy these days. But you may be more confident about safeguarding your patients’ protected health information against a data breach if you have put an appropriate response plan in place to help mitigate the potentially devastating financial and reputational impact a data breach can bring upon your organization.