Privacy and security lapses will happen, so are you ready to cope with them? - ModernMedicine

Recent changes to the Health Insurance Portability and Accountability Act (HIPAA), enforcement of the Red Flags Rule by the Federal Trade Commission (FTC), application of the Payment Card Industry Data Security Standard (PCI DSS) to health care transactions, along with enactment of many state laws, have created an absolute requirement that health care professionals have in place systems to prevent breaches of privacy and security, including identity theft, unauthorized access to protected health information, and loss of consumer debit and credit card information. If lapses do happen, they must be able to identify, communicate, and fix them.


Breaches will occur. Health care providers must take proactive steps to communicate with patients and others. Before breaches occur, they should educate patients in clear, understandable language about what the organization is doing to safeguard their confidential information. They should set up effective communication channels for patients who have questions, or who feel their information has been accessed inappropriately, or who have evidence of breaches. They should work with patients to resolve issues. A proactive partnership can mitigate potential negative publicity resulting from breaches of information.

Everyone involved in providing health care must be educated about new disclosure rules and technical issues related to health information.

Payment Card Industry Standard must be clearly communicated. Use of credit and debit cards as payment within organizations—from an office front desk to the business office—creates privacy risks. Any network device that touches this electronic card payment information is at risk.

Health care providers should only contract with credit card processing organizations that are certified as Payment Card Industry Data Security Standard (PCI DSS) compliant. Yet, certification might not be enough to prevent a practice or organization from being negligent under PCI and potentially negligent in the eyes of the FTC for payment card breaches.

The HITECH Act under HIPAA requires notification of security breaches unless the data is encrypted or destroyed. Since entities whose protected health information was encrypted or destroyed are not required to report breaches, health care organizations should prioritize efforts to encrypt or destroy such data, according to the guidance provided by the U.S. Department of Health and Human Services (HHS). Doing so as soon as possible will also reduce reporting obligations.

It is paramount for practices and other health care organizations to set up a constant communication process with employees to educate them about the requirements for protecting health information and for implementing the Red Flags Rule. Consider discussing recently publicized cases where employees inappropriately accessed patient records, the sanctions that employees face, including termination, and the methods and surveillance tools that the practice or organization uses to monitor data access.

Well-publicized breaches have occurred in some of the most highly respected health care organizations. Using internal benchmarks and providing examples of publicized breaches elsewhere will help mitigate the frequency and magnitude of privacy and security violations.

Here are some examples of breaches:

  • In the first known joint investigation by the FTC and HHS, CVS Caremark Corporation and its subsidiaries were assessed a large settlement and agreed to implement other required corrective actions to resolve charges that they violated HIPAA privacy and security laws.[1]
  • Providence Health & Services incurred the first fine levied against an organization for violating the privacy section of HIPAA. Providence agreed to pay HHS $100,000 and enter into a three-year Corrective Action Plan.
  • In the first administrative penalty charged to a health care organization under California legislation (SB 541 and AB 211),[2] the state's department of public health announced a $250,000 fine to Kaiser Permanente for breach of patient records. The company was later fined another $187,500 for employees improperly accessing the medical records of octuplets born at a facility in January.[3]
  • TJX Companies Inc., a Massachusetts company that handles credit card, debit card, check and merchandise return transactions, reported that over 18 months nearly 100 million credit card numbers and other personal information were stolen. Estimates of the costs caused by the security breach range from $118 million to $1.35 billion, including legal fees, call center costs, regulatory fines, etc.

These examples underscore the need for staff education. Here are some points to consider:

  • Implement a compliance process
  • Apply workforce sanctions
  • Avoid intimidation or retaliation
  • Develop safeguards
  • Maintain documentation
  • Obtain approval and commitment
  • Include activities in annual reports or summaries

Most practices and health care organizations that are HIPAA-covered entities have implemented its standards. The teams and plans originally created for HIPAA can be used to enhance existing policies so that they also cover the new HIPAA, Red Flags and PCI rules.

Even the best automated monitoring and surveillance tools do not prevent breaches of information. Effective communication will help mitigate damages and enable a quicker, more thorough response to breaches of privacy and security.

Joseph Mack, MPA, is president, Joseph Mack & Associates, healthcare business advisors in Dana Point, Calif. He can be reached at

References

1. FTC File No. 072 3119, February 18, 2009.

2. "Gov. Schwarzenegger Issues Statement on First Fine Assessed Under New Laws to Protect Patient Privacy," Press Release, 05/15/2009, GAAS:241:09.

3. "Kaiser Fined for Employees Checking Medical Records of Octuplets," Robertson, Sacramento Business Journal, 7/16.

For more articles, checklists, and links to other sources in this series on patient privacy and security within health care, go to http://www.modernmedicine.com/privacy.
