       |
||
      |
Everyone goes to a healthcare provider at some time in life. And every person who goes has to fill out the same types of forms you require your patients to complete — medical history, family history, surgeries, symptoms and problems, and drug allergies. Those files have to be stored somewhere in the office so you can access them when a patient comes in for an appointment. The question is: How can you put a lock on those files so they are not improperly accessed? The privacy of a patient’s medical information is paramount with computer and information theft on the rise nationally. To help protect the electronic and physical medical records of patients in the United States, Congress got involved. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) laid down some very specific informational guidelines, as well as serious repercussions for those in noncompliance. HIPAA is not only good for patients, but for healthcare providers as well. Staying HIPAA-compliant helps healthcare providers build patient loyalty and also reduces the risk of legal issues. If a patient’s personal medical records are secured properly, whether physically or electronically, the risk of their being stolen or improperly viewed, or handled is reduced. Some healthcare providers and other personnel affected by HIPAA include hospitals, doctors, dentists, medical labs, pharmacies, pharmaceutical companies, health insurance providers, and consumers. That being said, how secure is your clinic? Chiropractic Economics spoke with five individuals closely tied to patient-information security for their respective organizations:
These experts were asked about physical and electronic security, as well as some things you can do to help secure your clinic. PHYSICAL SECURITY Patients’ medical records can be stored in a myriad of physical locations, such as file cabinets, lockboxes, private record rooms, or fire safes. According to Jodi Butts, corporate privacy officer for Mount Sinai Hospital in Toronto, the top threat to patient information in a physical setting is destruction or loss as a result of flood, fire, human error, or other cause. “Once a paper copy is lost, it is lost forever, as there is no additional layer of security that prevents its total destruction,” Butts said. “Another concern with patient records is that there is no record as to who has accessed the information,” she added. “When there is an allegation that someone has inappropriately accessed patient health information stored on paper, there is no record to which to refer in order to determine if the allegation is valid.” “Some states mandate a minimum square footage for an office as well as requirements for maintaining the patient charts,” said Russell Bourke, RN, MBA, who is patient safety and quality outcomes manager at Healthcare Information and Management Systems Society (HIMSS) in Chicago. “A paper-based practice may require up to 50 percent of the office space just for the charts; thus, strict adherence to best practices for keeping charts filed when not in use promotes added security. A clinic’s staff needs to sign a nondisclosure agreement, indicating they are aware of the security policies and have been oriented to the requirements,” he said. Dr. C. T. Lin, University of Colorado Hospital’s senior medical director of informatics, believes there are three other threats to the physical security of patient information. Lin went on to say standard practices involving paper records must be implemented in order to assure patient-information security. “Clinics should have standard practices on securing paper records by locking them in a medical records chart room after hours and limiting access to that room to employees,” Lin says. “There should be standard policies and procedures in place on who can remove records, and where they are located when they are taken out of the secured room.” HIPAA requires routine audits of a clinic’s security hardware (walls, doors, and locks in sensitive areas) so make sure your locks and physical security methods fit the bill. “The easiest and most important thing to do is to limit where paper records are stored. In a paper-based system, limit the information to an appointment book, billing records, and to the patient’s health record,” Butts said. “All of these sources should be kept in locked cabinets when not in use and in secure areas that are always monitored and not accessed by persons without legitimate reason.” ELECTRONIC SECURITY Storing files electronically, whether on disk or computer hard drives, is where most clinics are heading in today’s healthcare arena. “Organizations really have no choice these days other than storing data electronically,” says Rob Ciampa, vice president of Trusted Network Technologies. “It’s not just an economic issue, but it could be a lifesaving one as well when a patient’s life is at stake and this data is needed immediately.” Electronic files open up a completely new set of security parameters of which clinics need to be aware. “With respect to patient health information stored electronically, the threats to patient information security relate to how easily the information can be transported and how easily it can be shared through the networking of systems,” Butts said. “As far as easy transport is concerned, one only has to look at the recent breach of patient confidentiality that occurred at the Hospital for Sick Children involving a laptop stolen from a clinician researcher’s minivan. The laptop contained personal health information belonging to almost 3,000 patients and former patients. “If the information had been stored on paper, it simply would not have been possible for the clinician researcher to remove that much information from the hospital environment,” said Butts. “The top threat to patient-information security is the risk of a data breach. One outcome of a breach is the exposure of confidential patient information. Another is the use of the captured information for identity theft,” Ciampa said. “There is now a black market for information on individuals, which includes Social Security numbers, credit card numbers, bank accounts, and other personally identifiable information.” Concerned about the risk to medical records, California State Assemblywoman and Speaker Pro Tempore Sally Lieber (D-San Jose) introduced legislation for California in February 2007 that requires companies to disclose all security breaches of a person’s electronic medical or healthcare records in order to protect patients from identity theft and inappropriate use of their private medical records (Assembly Bill 512). “Victims of medical identity theft have more to worry about than financial problems — their physical health and future insurability is at risk as well,” Lieber said. “If someone steals and uses your medical identity, that person’s information, including different blood type, allergies, prescriptions, and medical conditions, will then end up on your health records,” Lieber explained. “It is often overlooked that care providers have the same sensitive information as financial institutions and more, they have medical records of patients. This creates amazing security and privacy risks that have been recognized by organized criminals,” explained Kurt Long, CEO and founder of EpicTide. “Organized crime now understands that they can steal SSNs, date of birth, insurance information, and financial information by colluding with a rogue health worker. There are 14 million healthcare workers in our country at 545,000 healthcare locations, and it only stands to reason that there will be a few persons willing to compromise themselves for ill-gotten gain,” he said. KEEP INFORMATION SAFE Long identifies six areas of threat to electronic patient information security:
If you are looking to shore up your electronic security, don’t do it yourself. “Hire a security consultant to evaluate your security network, especially if wireless technology is deployed,” Bourke recommended. “A complete and encompassing security analysis will reveal any internal or external weaknesses and vulnerabilities you may have.” A professional can do a full assessment of your security needs, but don’t overlook several simple-to-do action items:
• Use password protection. Employ some form of password protection for your desktops, laptops, and other information terminals. The password should be easy for the users to remember, yet hard to be guessed by someone else. Most computer systems, as well as other types of electronic systems, come with a password setting. “It is always a good idea to prompt users to change their passwords on a regular basis with password expiration dates,” Butts said. “That way, if someone has guessed and is misusing a user’s ID and password, then such abuse cannot continue for long.” • Keep audit records. If a clinic’s patient information is stored electronically, then an audit record can be referenced. An audit record makes it possible to randomly check to see if people are accessing information only within the scope of their job duties that allows a health-information custodian to prevent unauthorized use and/or disclosure or at least to identify an issue in its early stages. It is a type of a computerized paper trail. • Use document-level protection. Document-level protection can also be employed in order to prevent improper access. When you have this type of protection, anyone in the clinic can use any computer, but individuals can only view certain documents or records if they have appropriate security access. • Create and use standard procedures. Lin believes technology alone is not enough to secure or provide patient-information security. He believes it is a combination of best practices, security, and having some kind of standard record procedures. “It is necessary to appoint and empower a security and privacy officer, have well-established policies and procedures, training methodology, and make sure all staff and providers are aware of and proficient so that these procedures are followed,” Lin said. “Technology alone (passwords, firewalls, locking desktops) is not sufficient and can be much more easily defeated if standard procedures are not in place. For example: Password systems are no good if providers never log out between patients, or if they tape their password to the computer monitor in patient areas,” he said. For more information about HIPAA and ways to ensure your patient information is secured, visit HIPAA’s Web site at www.hhs.gov/ocr/hipaa. (NOTE: The responses from Jodi Butts, corporate privacy officer for Mount Sinai Hospital in Toronto, are not intended, and should not be construed, as legal or professional advice or opinion. Healthcare providers concerned about the applicability of privacy legislation to their activities are advised to seek legal or professional advice based on their particular circumstances. In addition, Ontario’s Information and Privacy Commissioner has an important role to play in providing further guidance on how the Personal Health Information Protection Act, 2004 is being applied and interpreted. You may consult that office and/or review its Web site at www.ipc.on.ca.) |
How secure is your
clinic?
“Three things you have to worry about are the theft of clinic computers or servers, clinic employees looking into patient records out of curiosity, or patients reading their medical charts when they just happen to be conveniently available,” Lin said.
Hackers sell this information to organizations or individuals who end up creating additional accounts, ultimately creating substantial monetary damage. 
John V. Wood is a freelance writer and frequent contributor to Chiropractic Economics. He can be reached by e-mail at Advertising | Classifieds | Cardpack | Datebook | Past Issues | Chiro History
How are we doing?