Up to this point, most private practice physicians treat HIPAA compliance as…”something we’ll get to.”

Most docs think their practice is compliant…they are wrong.

I’ve mentioned before the threat of lawsuits and now this article.

If this quote doesn’t send chills up your spine, then I don’t know what will:

““The privacy data breach area offers some new opportunities to expand the types of cases that we’re handling,” said Eric Grover, partner at the seven-lawyer California law firm Keller Grover.”

So what should I do?

The first thing you need to do is accept the fact that HIPAA compliance is a reality…and that is a threat.  Next you need to stop looking at HIPAA compliance as this “BS red-tape government program” and accept that, like taxes, this isn’t going away.

Now, switch your thinking from “having to do this” to How do I reduce my risk?

Let me break this down as simple as I can:

• You need to do a risk assessment on your practice or you have no clue where you stand
• You need to have current HIPAA policies in place or your staff doesn’t know where you stand
• You need to ensure HIPAA training occurs on regular basis – along with HIPAA security reminders

Take care of these first few items and everything will start falling into place.

If you haven’t seen the article in USA Today, it is a good wake up call for everyone.

The short version of the story is this:

• Guy trades in old phone for new phone
• Guy didn’t remove his info from the old phone
• Store employee notices this and begin to make posts on Guy’s Facebook page.

Except for the fact that the posts made by the “imposter” were quite embarrassing to the Guy, no real harm was done.

What could have been done?

Many things could have been done.  Pictures sent out.  I’m sure the owner’s home address and of course all his contacts, were still in the phone.  He could have had his online banking info readily available.  If he was a physician, he might have had access to his EHR on the phone.

This can get real ugly real fast.

How to prevent this?

First, if you don’t password protect your phone, it is your fault.  The information in your phone is too valuable to NOT password protect your phone.  Typically being relieved of your phone is by your own choice, but theft of smart phones is huge right now, so you better password protect that phone.

Second, whether you are turning in your phone to a store or mailing it someone, heck even if giving it to your child, you need to accomplish a factory reset.  Each phone is different, but in general, in the settings area on your phone, there will be an option to reset your phone to factory settings.  This is kind of like reformatting a hard drive.  All you data will be gone.

Of course, someone with the right tools still may be able to grab information from the phone, which is why the best idea is to wipe the phone of all data using an app for that.

So Doc, a quick review:

• Password protect your phone…
• Factory reset phone before turning in…
• Use a phone wiping program before turning in.

Realize this, your office should have a HIPAA policy on this exact issue.  If you are using your phone for work at all, you better have a policy for what steps to take when a phone is stolen or turned in.

In part 1 of my PHI breach story I mentioned that I’d keep an update running, specifically that I’d write an update “in a few days”.

Well, that didn’t happen.

Mainly because after I filled out my paperwork and send it in…nothing has happened.

I suppose this is a good thing.

But this article reminded me of the situation.

First a quick reminder of what happened:

“a Pentagon contractor left 25 computer tapes in the back seat of a Honda Civic in Texas”

From this, upward of 70,000 people had their personal data stolen.

Obviously the main thing we focus on here is patient health information (PHI), but the reality is thieves are not really interested in the medical condition of the people on these tapes, no…they are interested in the identity theft value of these names.

It is the fact that there is a black market for people’s personal information so identity theft can occur that is typically the greater threat.

There are now 3 lawsuits regarding this data breach.

The deeper the pockets the more lawyers you attract…and you know that lawyers view doctors as having deep pockets.

Let’s take this to the local level now.

If you (or a business associate) have a data breach what do you need to do?  Section 13402 of the HITECH Act give the direction:

• Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information.
• must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.
• IF you have out of date contact information for more than 10 individuals you must provide details by:
• Posting the details of your breach on the home page of your website, or
• Provide the notice in major print or broadcast media where the affected individuals likely reside

This is just the beginning (we haven’t even gotten into posting your breach in the HHS site), but let’s take a look a the scrutiny, ridicule and potential lawsuits you now opened yourself up to.

Public Relations: there is no getting around the fact that a data breach is a public relations nightmare.  It is one thing to be a big “faceless” company when a breach happens, but when it is your practice in your town…everybody will know and everybody will be talking about this.

Practice Value: I’m no expert in practice valuations, but I am confident that if you have a breach, the value of your practice will surely take a hit.

Lawsuits: once word gets out that you have had a data breach, I imagine lawyers will be getting in line to sue you for damages.  So, piled upon the embarrassment is the cost of defending yourself in one, and potentially multiple lawsuits.

Most of the time when I read a story on a stolen laptop, it is just the singular topic – Hey genius, if you encrypted your laptop this wouldn’t be an issue.

The latest story I’ve come across pulls pieces in from multiple issues that a medical practice needs to consider.  Though the incident revolves around a hospital and a contractor, this same situation plays out daily at all sizes of private practices.

This all began, sort of, in the summer of 2011 when Fairview Health System of Minnesota hired a contractor from Chicago to work on some billing issues.

In 2010 this contractor had a laptop stolen from an employee’s car.  Fortunately this laptop was encrypted, granting them “safe harbor”, which simple means this incident does not need to be reported as the patient health information (PHI) is not readable.

Back to 2011 – this same contractor had another laptop stolen from another locked car.  The problem this time is the laptop was not encrypted – OOPS!  Now thousands of patients have to be notified along with the CMS.

“During the theft in Minneapolis, an Accretive Health employee left his laptop in plain view of a thief who broke into the car and stole the computer, the report states. The laptop contained confidential data on about 23,000 patients of Fairview, North Memorial Health Care, as well as data from a hospital in Detroit.”

Well, it turns out that this contractor has actually lost multiple laptops, enough in fact to catch the ear of a U.S. Senator who then got involved.

As you can see, this is not going well and I’m sure you wouldn’t want your practice to get sidetracked by this kind of issue.

This topic could easily turn into a multi-hour discussion, but here are the major issues from this story that concern every private practice physician AND how to deal with them:

• Contractors – every contractor you hire that has any possible access to PHI should sign an Associates Agreement.  This agreement should specify that if any PHI will be stored on a portable device, that entire device must be encrypted.
• Encryption – This is a no-brainer.  Every laptop in an office should be encrypted.
• Computer Policies – It is apparent from reading the article that the contractor did not have a clear policy as to how employees dealt with laptops.  To think management had to tell employees not to leave laptops in plain site of their car is scary.  As I always say, your computer policy is the foundation to the way your office operates.  If you are not crystal clear you will have problems.
• Whistle blowers – Note that much of the extra information about this contractor was via whistle blowers.  If you are not concerned about a whistle blower, you are kidding yourself.  Take a look at my recent whistle blower article and don’t be ignorant enough to dismiss it.

Most major HIPAA issues are easy to fix, but they are not always simple to implement.  Without a clear set of policies your office is heading down the road to disaster.

This is for the paranoid out there, and if you are a physician, you need to be paranoid about how your practice handles patient health information (PHI).

Cloud computing is the hip, in-thing right now.

Cloud storage is where things can get tricky…note: you better have a HIPAA office policy on this matter.

What is Cloud Storage?

At its most basic level, cloud storage makes it very easy to share documents among staff and computers by creating a “virtual hard drive” that many people can access.

Google’s version of cloud storage is called Google Drive.

Whether or not you believe Google is trying to take over the world by having as much knowledge as possible, you can’t ignore some recent issues.

First, let me say this: You should not store any PHI in a system like Google Drive.  Also, I don’t think it is smart business either.

So, What is the Problem?

The real problem is the creeping of privacy guidelines by Google.  What starts as “we don’t look at your data” over time becomes something quite different.

Take for example this latest bit of info: Google is currently going through more drama about gathering personal information.  This current hoo-ha is based around the issue that when Google’s cars that drive around the world mapping everything, they also connect to unsecured WiFi networks and gather whatever data they can.

So, now you want to store your business information on Google hard drives?

Bad idea for HIPAA compliance.

Not a smart business decision.

But my EHR is Cloud Based

Apples & Oranges my friend.  The fact that your electronic health records (EHR) system is cloud based – also called web-based or Software as a Service (SaaS) is completely different.  Though, something to realize – many free EHRs will mine your patient data.  This may not be anything you really care about, but de-personalized patient health information (PHI) can be quite valuable for research.  Many physicians who have a server based EHR get paid to allow research institutions to mine their patient data.

What About Off Site Backup?

Also different….usually.  If you are using an off site backup service, you must ensure they are HIPAA compliant.  No data should leave your property that isn’t completely encrypted – this also prevents unwanted data mining.

The moral of this story is, the easiest solution tends NOT to be HIPAA compliant.