Not worth the cost: 3 lessons about unprotected PHI

When it comes to protecting patient data, technology is evolving so quickly that it’s difficult for healthcare providers to keep up. While electronic recordkeeping through computers, smart devices, and web-based services can lead to higher efficiency and elevate patient care, providers must closely monitor use to ensure the data contained remains safeguarded.

There’s more at stake than just patient trust for healthcare providers who do not adequately shelter their patients’ Protected Health Information, or PHI. The U.S. Department of Health and Human Services’ Office for Civil Rights can hand down severe civil and even criminal charges for violations of patient privacy. Even if a company doesn’t disclose the information intentionally, the government can hold it liable for data breaches, particularly if there’s proof the company didn’t guard the data properly.

Electronic data breaches are becoming the latest, greatest way thieves obtain sensitive information about patients, including Social Security and bank account numbers. But physical theft is also a rising concern. For instance, an average car break-in can turn into a massive data breach if the car contains a device with unsecured PHI on it. Take a look at the examples of PHI non-compliance below to better understand the seriousness of this infraction.

Lesson 1: Laptops

Recently, a private practice radiation oncology group named Cancer Care was ordered to pay $750,000 after someone stole a laptop containing PHI on patients from an employee’s vehicle. The thief could easily obtain the unencrypted data from the laptop. An investigation by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) found that even before the laptop theft, Cancer Care was not compliant with HIPAA privacy rules.

Lesson 2: Web-based file sharing

Massachusetts hospital St. Elizabeth’s Medical Center was hit with another substantial HIPAA non-compliance fine, $218,400, for using a web-based file-sharing program to store sensitive patient data. The complaint, filed by employees of the hospital, pointed out that the information stored this way was not adequately protected, and that it put 500 patients’ data at risk of a breach. HHS agreed with the employees’ grievance and fined the hospital. The department also added a fine for data stolen from a former employee’s laptop and USB drive that breached information for 595 hospital employees.

Lesson 3: Physical files

Lincare, Inc., a home healthcare provider, was recently fined $239,800 after an employee’s ex-husband called HHS to report that his former wife had left behind protected health information for 278 patients when she left their shared home. Not only was the data available for viewing by an unauthorized person, but HHS also found that employees taking home any patient files, or storing them in vehicles, violated HIPAA privacy laws.

How to stay HIPAA-compliant

It’s important for every healthcare provider or contractor to know what data is Protected Health Information and to take inventory of all the places (physical and electronic) that data exists. Hiring an information security firm to evaluate your data management system and put safeguards, like encryption, into place is vital for protecting the trusted information patients share with you.

As the examples above show, it’s important to ensure that employees understand the HIPAA law and their responsibility to uphold it. To that end, put an employee PHI policy in writing and have employees sign that they read it and understand their role in keeping patients’ data safe.

Healthcare providers have a great responsibility to protect the data of their patients, and that includes traditional in-office recordkeeping as well as electronic data that extends beyond office walls.

Erik Kangas, President & CEO at Lux Scientiae