Safeguarding Patient Data – Part One: More Data, More Opportunities for a Breach
Data. It may be one of the year's biggest buzzwords, but data's impact and possibilities for the healthcare industry continue to have many insiders, myself included, very excited. Its potential for increased efficiency and effectiveness in providing more comprehensive care is vast. But many questions remain: how do we get our hands on it; how do we use it; how do we share it; and, most importantly, how do we keep it safe?
That last question is of particular importance to those of us in the healthcare industry because of the strict regulations and the high cost of non-compliance. As the industry becomes more digital, thanks to electronic health records (EHR) and health information exchange, more and more patient data is accessed electronically and available for instantaneous sharing. On one hand, this streamlined process helps to improve the quality, safety and efficiency of healthcare. On the other, it raises many red flags about the security of the data and, ultimately, of the patient.
A data breach, especially one that puts sensitive patient information at risk, can be devastating. And they aren’t as uncommon as you may think! Check out this list of 15 patient-related data breaches in the past month alone!
The U.S. Department of Health and Human Services is feverishly trying to address data concerns and decrease the number of such breaches by implementing rules and provisions that require strict compliance. Last year they released the HIPAA Omnibus Rule, a set of final regulations that modified the privacy, security and enforcement protections of HIPAA, by implementing a number of provisions from the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. Some of the highlights of the Omnibus Rule include:
- Patients must be notified if their Protected Health Information (PHI) is subject to breach
- Any impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised (in the past, the "harm threshold" let organizations treat many such incidents as exceptions to the rule)
- Penalties for non-compliance are tiered by level of negligence, with a maximum penalty of $1.5 million per calendar year for all violations of an identical provision
- Many requirements extend to business associates of health care providers, health plans and other entities that process health insurance claims, including contractors and subcontractors
While these regulations are certainly helpful in understanding the requirements and associated expectations, the digital world is moving at a much faster pace than the governing bodies. As such, the regulations can become outdated even as they’re being released, and this creates the largest challenge of all for privacy and compliance.
The best solution for any organization is to remain in a constant working posture for privacy. In our next post, we will outline the five keys to developing a framework that allows your organization to do just that.