continued from HFMA Visions, Issue 3
Unfortunately, experts predict this trend will continue well into 2010 and beyond, and hospitals want to mitigate their risk and protect both their patients’ medical information and their networks from this potential financial and public relations disaster.
Health care is especially vulnerable to breaches
Most data breaches can be attributed to employee theft or mismanaged data practices, often initiated by disgruntled or departing staff. This is bad news for hospitals. Health care organizations experience a high churn rate of employees annually — 6.5 percent — almost double the general turnover average of 3.6 percent, according to the Ponemon Institute. With more employees entering and exiting the hospitals’ payroll, the risk of breaches increases.
Additionally, health care is expensive, and identity thieves see it as a business opportunity. With more individuals out of work or underinsured, the market for health information is more lucrative, which draws even more attention from identity thieves.
The government responds with the HITECH Act
Proactive protection of health information is now mandated under the Health Information Technology for Economic and Clinical Health (HITECH) Act — which requires health care institutions to develop notification and prebreach programs — and under state laws in California and Missouri. This 2009 legislation expands current federal privacy and security protections of health information.
According to the Energy and Commerce, Ways and Means, and Science and Technology committees, the HITECH Act strengthens the enforcement of federal privacy and security laws by increasing penalties and providing greater resources for enforcement and oversight.
Among other mandates, the HITECH Act outlines how hospitals notify their patients and community of a breach through the following notice types:
- Actual notice: Affected individuals, guardians or next of kin must receive written notice at their last known mail or email address.
- Substitute notice: If contact information is not available, the health care network must provide substitute notice, usually in the form of a conspicuous posting on the network’s website or other location and/or a media notice, as soon as reasonably possible.
- Media notice: For breaches affecting 500 or more residents of a single state or jurisdiction, the hospital is required to provide notice to prominent media outlets in that area.
- Secretary notice: Hospitals must notify the U.S. Department of Health & Human Services in all instances of breach. The format and timing of the notice vary based on the number of affected individuals.
Given these guidelines and penalties, a hospital’s best choice is to proactively curb medical data breaches before they occur.
Best practices for hospitals
Deterring and detecting data breach threats does not happen by chance. Leading health care companies are taking advantage of new processes and proven solutions used in other industries, namely the financial and credit card markets, to prevent breaches from occurring. The following are a few best practices that hospitals should consider implementing in 2010:
- Appoint a responsible party. Hospitals should make data breach avoidance part of an individual’s or a team’s job description. Naming an accountable resource initiates process improvements, directs noncompliance inquiries to a centralized area, and determines who will perform any investigations and lead all legal and notification efforts in the event of a breach.
- Expand compliance training. A variety of individuals need access to patient health information to perform their job. They may be staff, contractors, third parties or temporary workers. Hospitals need a process to ensure that all these individuals participate in annual compliance training. No exceptions.
- Build a compliance culture. The entire hospital community should value the privacy of patients’ data as part of the organization’s mission. This includes offering trusted avenues to report noncompliance activities. All individuals — staff, contractors and partners — should be diligent in their compliance and alert the responsible party to processes and/or individuals who may be operating outside of privacy policies.
- Monitor information. Automated monitoring of employee and patient information alerts hospitals to possible data breaches, often before they affect hundreds of individuals. Used by thousands of corporations across the United States, third-party products and services are available to monitor credit reporting agencies and proactively alert organizations to fraudulent events. Equipped with this unbiased information, hospitals can take appropriate action.
Medical data breaches are problematic for hospitals. Progressive health care professionals are looking at new means to protect themselves, and they are finding their answers from colleagues in other industries. To get the best results, hospitals need to advance their culture, training and systems to encourage compliance in every activity and to have planned responses to potential threats.