HIPAA Patient Privacy Update

by Jason Lopata

Patient privacy concerns continue to be in the headlines recently as more and more opportunities for possible breaches exist in our electronic, and ever more interconnected, world.   Importantly for private practices and hospitals alike, a recent hospital survey (published by Press Ganey Associates, Inc., a patient-satisfaction measurement firm) suggested that patients are viewing privacy concerns an increasing important component of patient satisfaction.   This suggests that practices must guard against breaches of personal health information (PHI) disclosure for not only HIPAA compliance purposes, but in order to avoid the loss of patients or a potential marketing disaster.  HITECH now requires disclosure of any privacy or information breach to not only a practice’s patient list, but if the breach affects more than 500 patients, the local media must also be notified.  Clearly this is an occurrence that could affect a practice’s reputation and in turn, their financial bottom line.

As reported by HHS officials in November of this year, the number one source of health data breaches is the theft of a laptop computer.   Practices must put safeguards in place and enforce proper protocols for all employees who may be using laptop computers that contain any form of PHI.  For those practices that use laptops, proper encryption of data remains the best safeguard to unfettered access to the data contained in a laptop, should it fall into the wrong hands.  While there is a cost with such enabling these security measures, it pales in comparison to the potential damage that could be done to your practice without it.

Not all security or privacy breaches involve laptops or “hacker”-like behavior tapping into an otherwise secure computer system.   Rather, as you can see from recent headlines, they come in all forms, such as these recent incidents:

  • A Mesa, AZ medical center lost data cards that contained information on about 2,300 patients.  Memory cards from endoscopic machines went missing, each which contained PHI for patients whose procedures took place between 2008 and 2010.  Notice was required to all patients, and while no credit information was contained on the memory cards, enough personal information existed on the cards such that the medical center offered credit protection and monitoring for one year to all affected patients.
  • An identity theft ring was arrested near Orlando, FL. after stealing nearly 1,500 patient data sheets from an emergency room and associated doctor’s office.  The compromised information includes names, addresses, dates of birth, Social Security numbers and brief initial diagnosis descriptions from ER visits, according to the hospital.  A press release was issued immediately and credit protection monitoring was offered to those who may have been affected.  Interestingly, this did not involve a computer or systems breach, but simply paper data sheets being lifted from the medical facilities.  (Goes to show that some security and privacy breaches can be fairly low-tech!)
  • A hospital in Long Beach, CA was hit with a $225,000 fine by the state compliance division after an employee used nine patients’ medical information to set up fake Verizon telephone accounts.  The employee admitted to memorizing personal patient information during a project to purge the hospital’s older ER records.
  • A medical center in Tennessee had to notify approximately 8,000 patients of a possible privacy breach after patient information was thrown in the trash instead of being shredded.

So the lessons to be learned from these occurrences?  Never stop being on guard for how patient health information can get into the wrong hands or be mishandled.  Constantly review policies for the handling of such data, and make sure that both physician, and non-physician staff, is keenly aware of the proper protocol and properly trained on how to deal with the necessary handling, transfer, and if needed, disposal, of PHI.  Keep this information secure, and avoid making headlines for all the wrong reasons.