Health Care IT: Five Best Practices to Protect Against PHI Breaches

June 4, 2012 in Law & Finance

By Frank J. Rosello

Health care information technology continues to be acquired and implemented by medical organizations throughout the United States at historic levels. This significant trend in health care IT adoption can be attributed to the many government initiatives and policies currently in place to promote the use of health care IT. As accessibility to patient information continues to increase, so does the risk of protected health information breaches.

Protected health information (PHI), also referred to as personal health information, can include demographic information, test and laboratory results, medical history, insurance information and any other data collected by clinicians to identify an individual or determine appropriate care. As a result, the Health Information Portability and Accountability Act of 1996 (HIPAA) was established to create national standards to protect a patient’s electronic PHI. HIPAA requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Office for Civil Rights (OCR), a department within the U.S. Department of Health and Human Services (HHS), is responsible for enforcing the HIPAA Privacy and Security Rules.

Further, under the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule, notification to OCR of breaches involving five hundred or more individuals must occur contemporaneously with notice to affected individuals. According to an HHS report to the U.S. Congress on PHI data breaches since 2009, 252 incidents occurred that went on to affect more than 10 million patients. The breach reports submitted to OCR for the reporting period identified the five most common causes of incidents, in rank order:

  • theft
  • loss of electronic media or paper records containing PHI
  • unauthorized access to, use, or disclosure of PHI
  • human error
  • improper disposal

The largest PHI breach reported to date involved a covered entity that had 57 unencrypted computer hard drives stolen from a leased facility. The hard drives contained the PHI of more than 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth and health plan identification numbers. The OCR investigation found the entity failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls. Both of these safeguards are required by the HIPAA Security Rule. The lack of compliance resulted in the entity agreeing to pay HHS $1.5 million for violations of HIPAA privacy and security provisions. This was the first enforcement action resulting from the HITECH Breach Notification Rule. Interestingly, the second largest breach occurred not because of a hacked password, but because computer back-up tapes were stolen from the back of a truck.

Security within the health care industry is changing, and PHI data breaches are a significant issue. At risk are not just a patient’s privacy and personal information, but also the reputation and financial well-being of the medical organization. Health care administrators have a clear choice: either maintain internal staffing levels sufficient to effectively mitigate the risk of PHI data breaches, or hire an outside health IT vendor that can help develop and manage their security policies and procedures.

To help medical organizations and providers effectively plan for, mitigate and protect against PHI data breaches, consider the following five best practices:

1. Perform an enterprise-wide risk assessment

Performing a risk assessment is the most effective way to understand where the threats and vulnerabilities are within the organization with regard to patients and their PHI. In many instances, risk assessments and mitigation plans are discussed only at the executive level within an organization. The discussions are typically about risk transfer and mitigation, but should also include processes for securing patients’ PHI in the face of newly emerging threats. Deploying the latest security technology alone will not reduce the risk of PHI breaches, because that is not where the vulnerabilities lie. Understanding when, by whom and how patient information is accessed is a critical component of any comprehensive risk assessment.

2. Develop a PHI security strategy

A sound PHI security strategy involves not only understanding where PHI resides, but also developing a strategy to protect it. Once this understanding is achieved, it is essential to communicate it to employees and other associates who are part of the organization. It is highly recommended to have a third party come in to bring a fresh perspective during the assessment stages and to help with developing a strategy. Internal IT teams have tended to approach security strategy by developing a check-the-box solution. To prevent this, it can be very helpful for organizations to consider selecting an outsourced health IT vendor who can be a trusted partner and can provide a fresh and objective view of the organization’s PHI security vulnerabilities.

3. Implement PHI processes, technologies and policies

Once the risk assessment is complete and all potential issues are identified, it is important to leverage the tools and technologies in place, making it easy for employees and doctors to secure patient information. Establishing random inspection routines is essential to ensure compliance with internal PHI policies and procedures. Fortunately, there are effective techniques for implementing these routines with virtually no disruption to the primary focus of health care professionals, which is patient care.

4. Conduct impactful training sessions with employees

When it comes to protecting patient information, the goal is getting employees to understand how best to protect it and what to do if there is a data breach. Training is essential and should include not only administrative employees, but also doctors, nurses and other clinicians throughout the organization. All employees with access to patient information need to understand how to maintain security protocols in the course of patient care. Many clinicians tend to look at PHI breaches as simply an IT issue. The HHS report to Congress confirms that the risk of PHI breaches extends far beyond a failure of technology alone.

5. Have a PHI breach response plan ready

Medical organizations should always be prepared in advance for a PHI breach. Many organizations operate their facilities as if unauthorized disclosure of health information could never happen to them. Organizations that assume this posture often believe that they have effectively addressed all PHI security risks. However, thousands of unauthorized disclosures happen every month throughout the U.S. It is critically important for medical organizations to take a proactive approach to being prepared for a PHI breach. A reactive posture could be devastating, both reputationally and economically. The PHI breach response plan should be a living document within the organization and should include specific procedures along with clearly defined roles and responsibilities in case of a PHI breach.

As medical organizations implement health care IT systems that offer greater portability, interoperability and electronic data exchange capability, the development and execution of data security policies and procedures should be a key priority included in all health care IT strategic plans. Medical organizations and physicians that take preventative action by putting controls in place to safeguard sensitive patient information will be ahead of the game. Information security is not just a regulatory matter for providers; it’s the right thing to do for their patients.
