Safeguard Patients’ Privacy and Understand Notification Requirements
Next to your medical expertise and the relationships established with those you’ve treated, your patients’ records—and privacy—are among your most important assets. With the proliferation of online and transportable data—thanks to Blackberrys, smart phones, iphones and other devices—the number of incidents involving unintended release of proprietary medical and financial information has skyrocketed.
At the same time, lawmakers have incorporated the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009. This is designed to encourage widespread adoption of health information technology and electronic sharing of clinical data among physicians, hospitals and other healthcare stakeholders.
Some industry experts have predicted that the U.S. could save up to $150 billion annually, not to mention benefits such as timely access to medical records, avoidance of medication errors, and improved quality of clinical decisions, and better communication with patients and other providers. But while electronic health records give physicians easy access to medical history—and give patients a sense of power over their personal health—they also come with risks. Both patients and physicians need protection from record-tampering by external parties.
Given the explosion of the Internet and the push toward electronic records, the next few years will present mounting challenges to physicians looking to protect privacy and data security. Already, countless medical practices nationwide have paid a price for their errors.
The scenarios below illustrate some of the risks your practice faces, all triggering patient notification and some forcing medical practices to invest time and financial resources to defend charges and protect reputations.
1. Scenarios to avoid
Discarded medical records discovered in trash bin
Medical records—including patients’ names and social security numbers—that were discarded by a physician were found in a convenience store’s trash bin. After being contacted by a news organization, the physician said he mistakenly put the files in the trash bin over the weekend and was taking steps to recover them and then properly dispose of them. He also admitted that he had previously dumped files.
Patients’ financial information exposed
A citizen called a local TV station to report medical records blowing around a parking lot of a major retail store. When a reporter arrived, she found hundreds of papers, including medical records of patients who had recently visited a dermatology office a few blocks away. Records included patients’ insurance information, phone numbers, social security numbers and treatment records.
Hospital pays $280,000 for compromised records
About 24,000 patient records were compromised at a mid-sized hospital, triggering state regulations. The hospital was forced to notify every patient of the breach by certified mail and wound up paying $240,000 in damage and more than $40,000 in defense costs.
Part-time employee accesses confidential records
A part-time healthcare worker who gained unauthorized access to confidential electronic patient records revealed a patient’s HIV status to another employee. The patient sued the hospital for lack of adequate IT security measures, which should have protected the patient’s digital records from being breached. The hospital had to pay $250,000 in damages and $85,000 in defense costs.
Rehabilitation center’s sensitive information exposed
Investigators with the State Attorney General’s office discovered that a local rehabilitation center exposed more than 4,000 pieces of its customers’ sensitive information, including social security numbers. The state’s investigation was launched after reports from the local police department indicated that bulk customer records were dumped in garbage containers behind a local building. The records also included credit and debit card information.
2. Be prepared to notify
According to the Health Information Technology for Economic and Clinical Health Act of 2009, directed by the Federal Trade Commission, healthcare providers must not only provide stronger safeguards for patient data, but they need to notify patients promptly when their information has been breached. Plus, if the breach affects more than 500 people, the provider must also notify the Health and Human Services Secretary and the media.
Below are some steps to take if you learn a patient has become a victim of identity theft.
Conduct an investigation.
Review your records relating to the services performed and any supporting documentation that verifies the identity of the person receiving the services. Also, review the patient’s medical record for inconsistencies. If there was medical identity theft, notify everyone who accessed the patient’s medical or billing records, telling them what information is inaccurate in the patient’s files and asking them to correct the records.
Understand HIPAA breach rules
If your investigation reveals that your organization improperly used or shared protected health information, determine whether a breach occurred under the HIPAA Breach Notification Rule (45 CFR part 164 subpart D) or any applicable state breach notification law.
Know your obligations under the Fair Credit Reporting Act (FCRA)
If you report debts to credit-reporting companies, determine how the identity theft affects your responsibilities. If a patient gives you an identity theft report, you can’t report any debt associated with the theft to the credit reporting companies according to FCRA.
Advise victims of their rights under the HIPAA Privacy Rule
Let patients know that they have the right to get copies of their records. Any inaccurate or incomplete information must be corrected by the originator of the information. The originator must also notify other parties, such as labs or other health care providers, that they have received incorrect information. If an investigation doesn’t resolve the dispute, patients can ask that an explanation of the dispute be included in their records
Ensure that patients have copies of your Notice of Privacy Practices
The notice should include contact information for someone in your practice who can respond to questions about the privacy of their health information. You also may put the person in touch with a patient representative.
Be sure you carry the right insurance coverage to protect against the threat of privacy and data security breaches. And, as with any other type of insurance, all coverage is not created equal. While standard insurance packages may be available for coverages like employment practices liability, there may be coverage that has been customized to your specific needs as a physician. Many times, these types of coverages can be obtained at reasonable rates, or may even be included as part of your existing professional liability policy. The security and peace of mind that comes from adequate protection will be well worth the investment.
Patricia Costante is the Chairman and CEO of MDAdvantage Insurance Company of New Jersey in Lawrenceville. For more information, visit www.MDAdvantageonline.com.