7 tips to help you protect patient privacy
Chiropractic professionals and other individuals and organizations that collect, store, and use personal data in any capacity are facing challenging times.
Given stringent legal and regulatory obligations existing under HIPAA and other health-privacy legislation, you and other healthcare professionals have long recognized the importance of maintaining the privacy of health information. Even prior to the enactment of HIPAA, health professionals had legal obligations to protect patient privacy.
However, privacy is getting tougher to maintain, and consumers are expecting more guarantees from those in which they entrust their most private information.
As a result, it's now more important than ever to have a solid, proactive privacy strategy. Yet few organizations actually have one. Anecdotal evidence suggests many organizations continue to take a reactive approach to privacy, directing their privacy strategy toward addressing specific requirements of laws and responding to actual breaches when they occur, as required by law.
In addition, studies and surveys confirm that many organizations predominantly view privacy as a risk to be avoided rather than as an opportunity to build consumer trust. Organizations that take a more holistic, proactive approach to privacy are likely to reap the rewards, with increased patient confidence and trust.
While there is no one-size-fits-all approach to adopting a privacy strategy, certain key steps apply to all organizations. The following recommendations are provided to guide practitioners through a checkup of their information privacy and security programs.
1. Conduct an initial and ongoing internal audit. Before an organization can provide its patients with useful information about its privacy policies and practices, it must first understand what they are.
To do this, conduct an internal audit to identify what data you are collecting, how you are using that data, with whom you are sharing that data, and how you are protecting that data.
Once you complete the initial audit, conduct additional compliance audits every 90 days to ensure compliance with the law and with your internal policies and procedures.
2. For covered entities, it is important to note that providers must have documented policies and practices that clearly address patient privacy and the security of protected health information. Patients must receive the policies regarding consent, authorization, disclosure, and their rights.
3. Be prepared for the inevitable. It is essential to think ahead and anticipate the unforeseen, including the potential that you could face a government subpoena demanding patient information.
By understanding that this may occur, you can prepare policies that set patients' expectations regarding the privacy of their personal information. This may help you avoid making a strong privacy promise to consumers that changing circumstances may not allow you to keep.
4. Give your patients control of their information. Organizations subject to HIPAA have legal obligations to obtain consent prior to certain processing activities, including most third-party disclosures of information.
With few exceptions, a patient's data should be used for health purposes only, including treatment and payment. In addition, specific patient consent must be sought and obtained before engaging in any nonroutine uses and most nonhealthcare purposes, such as releasing information to financial institutions deciding on mortgages and other loans, or selling mailing lists to interested parties, such as life insurers.
Patients have the right to request restrictions on the uses and disclosures of their information.
It is extremely important to understand the circumstances under which consents must be obtained and to have processes in place to ensure that the requisite consents exist before transfers are made. In addition, it is important to note that a patient's authorization to disclose information must meet specific requirements.
Establish and implement an effective disclosure-tracking mechanism. Long-term compliance with the accounting-of-disclosures provisions is possible only if each disclosure of protected health information is recorded as it occurs.
5. Conduct due diligence when sharing data. When you share patient data with third parties, you rely on each third party to do its part so that you can keep the promises you have made to your patients.
Because one false move by a contracted third party can do immeasurable damage to the trust and goodwill you have established with your patients, conduct proper due diligence on all third parties with whom you may share data. Examine the third-party service provider's experience with privacy and data security and investigate any privacy complaints the service provider has faced.
Of course, subject to very limited exceptions, organizations subject to HIPAA are required to have business-associate agreements in place with such third parties. These agreements are important, but they are not sufficient on their own and should be augmented with the due-diligence procedures described above.
6. Invest in security. You cannot protect the privacy of information if the security of the information is not protected.
Consequently, organizations must integrate technical, administrative, and procedural safeguards into their overall privacy strategy. The security program should, of course, meet all requirements of HIPAA and address all identified security vulnerabilities by putting in place the measures needed to protect data confidentiality.
7. Train, train, train. The importance of training cannot be overemphasized. Many of the most high-profile and damaging data breaches have resulted from relatively simple employee errors. Regular, consistent, comprehensive training is fundamental to true data privacy and security.
The tips presented in this brief summary are intended to serve as a starting point for you to begin a review and revision of your internal policies and practices. The challenges of protecting the privacy of customer data will continue to expand and increase.
Of course, if you violate HIPAA, you are exposed to civil and/or criminal prosecution, which may, in turn, result in large monetary penalties and possible imprisonment.
Successful organizations view privacy issues beyond the confines of specific legal requirements and as a tool for building loyalty, trust, and goodwill with their patients and customers. Organizations that prepare for and address these privacy challenges in a proactive and holistic manner are likely to be viewed most favorably.
Jacqueline Klosek is a senior counsel in the business-law department of Goodwin Procter LLP, where she practices in the intellectual property practice area. The author of two books, The Legal Guide to e-Business and Data Privacy in the Information Age, she can be reached by e-mail at JKlosek@goodwinprocter.com or through the Web site, www.jacquelineklosek.com.