In any healthcare environment, a major concern for staff and patients alike is the security of protected health information. This data is at risk in both the physical form and the electronic records kept. Organizations must rely not only on technical safeguards, but also on good decision-making by staff.
Once daily may be a good regimen for vitamins or prescription drugs, but not when it comes to checking for data breaches of health information.
Yet that is exactly what happened in 2017, when 477 breaches impacted 5.6 million patient records.
Securing patient information is a constant challenge for health-related organizations, and according to Kate Borten, C.I.S.S.P., C.I.S.M., 3M privacy consultant, and founder of The Marblehead Group, an information security and privacy consulting firm for the healthcare industry, that challenge is particularly daunting for dentists.
“[Dental practices] have a significant burden of responsibility with the HIPAA privacy and security regulations, and yet they don’t have the staff and expertise in house,” Borten explains. “It’s a struggle, but I do think dental practices in general should be doing more than they are.”
When thinking about securing patient and employee information against breaches, the first line of defense is often focused on warding off cyberattacks. But Borten believes that, especially at the small dental practice level, the risk comes less from hackers and more from what she calls "inadvertent goofs."
“Cleaners come into a practice at night,” she explains. “They’re not HIPAA business associates, they’re not governed by HIPAA, and they can just rifle through any records left out in paper form.”
And the practice is still on the hook, because HIPAA sets a very low bar for what counts as a breach. It doesn’t matter whether the breach was caused by a lost or stolen laptop or by unshredded papers thrown out in the trash. If the material contains patient-identifiable information, all the other circumstances are almost immaterial from the HIPAA perspective.
“You don’t have to be hacked,” Borten says. “You don’t have to be a highly visible target of some international bad guys. It happens at the smallest practice level.”
Borten says that, first and foremost, practices need to designate an employee as the privacy and security person. Who should that be? She recommends someone who understands the responsibilities that accompany the position, and is then provided the training, time and resources to ensure those responsibilities can be fully executed.
Next, develop written policies and procedures—the practical dos and don’ts required of everyone at the practice. Reinforce their importance at weekly or monthly staff meetings.
“Provide reminders about shredding or locking up at night,” Borten says. “Make it clear that it’s important, and not just another government mandate that has to be done.”
She also recommends developing an end-of-day checklist. For example, if the practice has an end-of-day closing or reconciliation procedure, then add the security and privacy elements to that. Put someone in charge of walking around to confirm that everyone has logged off. Make certain no papers are left out containing patient information.
“Even just a name and a phone number, that’s protected health information,” Borten says.
Are computer screens visible to someone visiting the practice? Borten recommends walking around, checking screen angles, to see if information might be exposed to passersby. Small practices might operate in tight quarters, so if changing the angle or location of a computer screen is not practical, privacy filters for monitors can be helpful as well.
Also, where do you keep your server? If your records are stored on a cloud-based system, that’s a plus. But Borten has seen far too many practices that keep the server in a room that is used for housekeeping supplies.
“There are literally mops and buckets in the same room,” she says. “And the room isn’t locked because the cleaners who come in at night, who are not covered by HIPAA, have full access.”
Any electronic system where patient or employee data is stored should be kept in a room that is properly ventilated, but the doors should be locked. Only a select few people should have the key or combination.
“And that [information] should be documented,” Borten adds. “Very carefully controlled.”
Why? Because data breaches can be extremely costly not just from a monetary perspective, but a reputation one as well. Settlements related to a data breach can result in very high dollar amounts, Borten says. And if your practice is in a highly competitive community, word of a data breach will help prospective patients narrow their choice of practice.
“Harming a practice’s reputation is definitely something that needs to be considered,” Borten says. “You want to send a message to the patients and the community that your practice really does take this seriously. [That your practice] really does care about having good security and privacy for the patients that come to them.”