Submitted Courtesy of Leeanne R. Coons, Esq. and Krieg DeVault, LLP
Used by permission from the MGMA
With increasing frequency, the media report another security breach that compromises sensitive personal information. Breaches can occur in any sector of society, including health care, and affect millions of people annually. Such breaches occur in a variety of ways, including intrusions by hackers; theft or loss of laptops, personal digital assistants and computer disks; or unencrypted information e-mailed to the wrong address. Given the sensitive nature of information held by health care providers and the increasing use of electronic technology, medical practice administrators should take steps to prevent such security incidents. You should also prepare a response plan in the event that such an incident occurs.
Laws to Consider
Implement the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) through policies and procedures employed in everyday practice. State laws, too, deal with patient confidentiality, data-breach notification and disposal of personal information. Many of these laws overlap one another, so check your state’s provisions.
To prevent security incidents involving patient information in your practice, consider the following steps:
- Access and Crowd Control. Limit access to your practice and its computers. Change passwords frequently and store them in a secure location.
- Information and Electronic Media Management. Maintain an inventory of electronic media used to store protected information. Back up these media frequently and store them securely. Delete protected information when media are no longer used. Always transmit protected information in a secure fashion.
- Education and Enforcement. Develop and enforce organizational policies to safeguard protected information. Education of staff is critical and should be documented. Conduct internal compliance reviews and have policies and procedures in place for incident reporting. Develop investigational procedures and corrective action plans.
Formulating a response plan
Formulate a response plan in the event of a security breach in your practice. Steps should include:
- Notifying key persons, including legal counsel, when appropriate
- Mitigating the damage of the breach, if possible
- Conducting and documenting an investigation of the breach
- Securing and maintaining a chain of custody for breach evidence
- Conducting forensic analysis of data
- Implementing a corrective action plan
- Meeting patient and credit-agency notification obligations in accordance with state law
- Meeting HIPAA accounting obligations
- Considering public relations activities, depending on the size of the breach
With careful planning, you can mitigate the risk of a security incident in your practice and prepare for a quick and effective response if such an incident occurs.
Reprinted with permission from the Medical Group Management Association, 104 Inverness Terrace East, Englewood, Colorado 80112. 877.ASK.MGMA.