[BreachExchange] Do careless ‘low tech’ HIPAA breaches threaten patient privacy?

[Audrey McNeil]

http://www.dentistryiq.com/articles/2016/12/do-careless-
low-tech-hipaa-breaches-threaten-patient-privacy.html

That casual conversation between front office staff and a patient can
actually be a HIPAA breach. But does everyone in the office know what's
considered a breach? Only training will guarantee everyone's in the know.

Dental health-care providers who work in small practices might read
headlines about huge data breaches and million dollar fines and believe
HIPAA breaches are a concern only for large health plans and medical
centers.[1] But many small breaches that don’t make headlines occur daily
in small medical and dental practices. Even though the civil fines and
penalties might be smaller, the costs of compliance can be daunting. In
addition to potential lawsuits, reputational harm, and staff morale, there
are the costs of mitigation, sanctions, patient notification, and
reporting. These are HIPAA requirements that apply to all covered entities,
regardless of the entity’s size. Added up, these expenses can cause serious
problems for your pocketbook and your practice.[2]

If you use electronic health records (EHRs), you no doubt have protections
in place to keep the records secure and safe from cyber criminals intent on
ID theft. But what sort of training are you providing to your front desk
staff, billing clerk, and chairside assistants to prevent “low-tech”
privacy breaches? Does your training meet the “reasonableness” standard
applied by federal investigators after a breach? This is an area where you
might be the most vulnerable, and unless you train every member of your
staff when they’re hired, and on a regular basis thereafter, you’re not
only at risk for a breach but also for fines and penalties related to your
failure to take reasonable measures to prevent the breach from happening at
all.

Here are five examples of “low tech” breaches that occur far too frequently
in health care:

1. Your front office manager has been with you for years and knows your
patients well. Clearly patients love her. But have you ever heard her
casually greet someone and note that she saw his mom at the office earlier
in the week? Or have a patient tell her, “Today must be teeth cleaning day
for Oak Street” after seeing a neighbor in the parking lot, andshe
responds, “Well, maybe a little more than teeth cleaning.” Little comments
like this violate HIPAA, even if they don’t communicate details such as a
patient’s birth date or social security number. Whether it’s an offhand
remark made to a neighbor implying more serious dental problems, or the
simple sharing of contact information with someone’s probation officer, a
privacy breach has occurred.

Solution: Instruct your staff that under no circumstances should they
discuss patient information with others unless the law requires or permits
it, and your policy allows it. HIPAA regulations provide that the mere fact
someone is your patient and receives services from you is confidential.

2. You have been meaning to get a new copier because the “three-in-one”
(copy, fax, and scan) in the front office is getting old. Staff have been
told that anything with patient information on it should be shredded, but
the shredder is noisy. So instead, staff occasionally toss an imperfect
copy into the wastebasket. A skewed copy that includes even a tiny glimpse
of patient information is “protected health information” (PHI) according to
HIPAA. That PHI might journey to the dumpster when cleaning staff comes in,
followed by an early morning ride in a bag atop a garbage truck, with a
final drop into the city’s landfill. Scavengers looking for copper wire who
come across PHI now have something else of value they can sell on the black
market. Something that started with a blurred copy innocently tossed in the
wastebasket is now a reportable HIPAA security breach.

Solution: Instruct your staff to scrupulously separate PHI from other
materials and shred it promptly when needed. Never leave it out overnight
if others have access to your office. Patient information that makes its
way to your trash out back is most definitely not secure from “dumpster
divers” who specifically look to steal patient information in order to
commit ID theft.

3. That same copy machine has a collection tray that catches incoming faxes
as well as copies. You ask your chairside assistant to walk your implant
patient to the waiting room and to make her a copy of her discharge
instructions. Unbeknownst to your assistant, a fax came in a few minutes
earlier from another patient’s cardiologist with recommendations for
prophylactic antibiotic care prior to his procedure next week. Everything
in the tray is accidentally handed to your implant patient, who now goes
home with her instructions plus the cardiologist’s report about another
patient’s heart problem. This careless error resulted in a privacy breach.

Solution: Train your staff to carefully look at every single page of
information they hand to patients. Although it’s tedious, if it saves you
from even one HIPAA breach it’s well worth the extra minute or two. A
related problem can happen when “boiler plate” documents accidentally
include a former patient’s ID number or name when a new document is
created. Tell staff that some things should be done slowly, and you want
them to double check all documents they create in order to avoid oversights
of any kind.

4. Have you ever sent out a mass email to your patients? You may think your
administrative assistant knows what she’s doing, but this recent breach may
give you pause. Over 500 patients received a notice from a small specialty
clinic informing them they could now sign up to access the patient portal
of the clinic’s EHR system. This would allow them to make or change
appointments, access their records, and leave messages for their provider.
When the phone started ringing the next day, the clinic staff learned to
their horror that the person who hit “send” did not make sure that blind
carbon copy was properly activated. Now each patient had 500 other
patients’ email addresses and knew they were receiving specialty care, and
each patient now also knew that 500 other people had the same information
about them. Clearly this was not a sinister or deliberate breach, but it
required costly mitigation in the form of ID theft protection, reporting,
and notification. That was just the cost of compliance; fines, penalties,
and privacy lawsuits could still be in their future.

Solution: Ensure that all of your staff members are trained on your
office’s communication tools. Always send a test email prior to actually
sending a large multiple-recipient communication to make sure that other
actions have not accidentally disabled the blind carbon copy function.

5. Do all of your staff members understand when it’s acceptable to provide
records to third parties? Do they know to check with you before they send
off dental records to the coroner? How would they respond to a subpoena?
Does every member of your staff know what your state laws say about
permissive or mandatory disclosures of PHI, and which law they must follow?
It is very likely that most of your new hires will not be HIPAA experts. A
very common “low tech” error involves disclosing PHI to third parties, for
example, to friends, family, or neighbors who just want to help. When it’s
too late comes the realization that there was no legal pathway that would
have permitted the disclosure. Prevent this through training.

Solution: The HIPAA Privacy Rule is complicated, and if your state law has
stringent privacy provisions, it’s not easy to know what to do. It is
therefore essential that staff members be trained to know when they must or
cannot disclose PHI. Perhaps even more importantly, they need to be
reminded to always check with you if they are not sure.

Conclusion
You’ve no doubt told your staff to keep paper records securely locked at
night, and to never open suspicious emails that might shut down your
system. But the more likely cause of a breach in a small dental practice is
an inadvertent, careless, or unknowing wrongful disclosure by your own
staff. This is why it’s essential to provide thorough privacy training to
new staff, with ongoing training for all staff on a regular basis. If you
do experience a breach event, part of your mitigation will involve
retraining.

Taking the time to provide staff training will reduce the risk of low tech
breaches, help you demonstrate that you have engaged in reasonable measures
to protect patient privacy, and save countless hours and dollars in the
long run.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161205/e65bd404/attachment.html>