<div dir="ltr"><a href="http://www.itproportal.com/2016/03/09/not-worth-the-cost-3-lessons-about-unprotected-phi/">http://www.itproportal.com/2016/03/09/not-worth-the-cost-3-lessons-about-unprotected-phi/</a><br><br><p>When it comes to protecting patient data, technology is evolving so
quickly that it is difficult for healthcare providers to keep up. While
electronic recordkeeping through computers, smart devices, and web-based
services can raise efficiency and improve patient care, providers must
control how those systems are used so that the data they hold stays
safeguarded.</p>
<p>There is more at stake than patient trust for healthcare providers
who fail to protect their patients’ Protected Health Information, or
PHI. The U.S. Department of Health and Human Services’ Office for Civil
Rights (OCR) can impose substantial civil money penalties for violations
of patient privacy, and it refers possible criminal violations to the
Department of Justice. Even when a company does not disclose the
information intentionally, the government can hold it liable for a data
breach, particularly where the evidence shows the company did not guard
the data properly.</p>
<p>Electronic data breaches are an increasingly common way thieves
obtain sensitive information about patients, including Social Security
and bank account numbers, but physical theft is also a rising concern.
An ordinary car break-in becomes a major data breach if the car contains
a device holding unencrypted PHI. The examples of PHI non-compliance
below show how seriously regulators treat these failures.</p>
<p><strong>Lesson 1: Laptops</strong></p>
<p>A private practice radiation oncology group, <a href="http://www.hhs.gov/about/news/2015/09/02/750,000-dollar-hipaa-settlement-emphasizes-the-importance-of-risk-analysis-and-device-and-media-control-policies.html" rel="nofollow">Cancer Care Group, agreed to a $750,000 HIPAA settlement</a>
after someone stole a laptop containing PHI from an employee’s vehicle.
Because the data was not encrypted, the thief could read it directly.
An investigation by the U.S. Department of Health and Human Services
(HHS) Office for Civil Rights (OCR) found that even before the theft,
Cancer Care Group was out of compliance with the HIPAA Security Rule: it
had not performed an enterprise-wide risk analysis and had no policy
governing devices and media that left its facilities. Had the laptop
been encrypted to HHS standards, the theft would have cost a piece of
hardware rather than exposed patient data.</p>
<p><strong>Lesson 2: Web-based file sharing</strong></p>
<p>Massachusetts hospital St. Elizabeth’s Medical Center was <a href="http://www.healthcareitnews.com/news/hospital-repeat-security-failures-hit-218k-hipaa-fine" rel="nofollow">hit with a substantial HIPAA non-compliance settlement</a>,
$218,400, for using a web-based file-sharing service to store sensitive
patient data. The complaint, filed by hospital employees, pointed out
that information stored this way was not adequately protected and that
it put about 500 patients’ data at risk of a breach. HHS agreed with the
employees’ grievance. The department also <a href="https://luxsci.com/blog/jumpthumb-drives-and-phi-dont-mix.html" rel="nofollow">took into account unsecured PHI on a former employee’s personal laptop and USB drive</a>, which exposed information on 595 individuals. A consumer file-sharing account or a personal device is outside the hospital’s control unless its risk has been analysed and it is covered by policy, access controls, and encryption.</p>
<p><strong>Lesson 3: Physical files</strong></p>
<p>Lincare, Inc., a home healthcare provider, was <a href="http://healthitsecurity.com/news/home-health-provider-to-pay-240k-in-hipaa-violation-fines" rel="nofollow">recently fined $239,800</a>
after an employee’s ex-husband reported to HHS that his former wife had
left behind protected health information on 278 patients when she moved
out of their shared home. Not only was the data available to an
unauthorised person, but HHS also found that Lincare employees routinely
took patient files home or kept them in vehicles without adequate
safeguards, in violation of HIPAA’s privacy requirements.</p>
<p><strong>How to stay HIPAA-compliant</strong></p>
<p>Every healthcare provider or contractor needs to know which data is
Protected Health Information and to inventory every place, physical and
electronic, where that data exists: servers, backups, laptops, USB
drives, file-sharing accounts, and paper files that leave the office.
Each of the cases above involved PHI in a location the organisation had
not accounted for. A formal risk analysis of those locations, followed
by safeguards such as full-disk encryption on portable devices, is vital
for protecting the information patients entrust to you; hiring an
information security firm to carry out that evaluation is one way to get
there.</p>
<p>As the examples above show, it’s important to ensure that employees
understand the HIPAA law and their responsibility to uphold it. To that
end, put an employee PHI policy in writing and have employees sign that
they read it and understand their role in keeping patients’ data safe.</p>
<p>Healthcare providers have a great responsibility to protect the data
of their patients, and that includes traditional in-office recordkeeping
as well as electronic data that extends beyond office walls.</p></div>