By Qahim Moosavi & Lawrence S. Simon, CPA
Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets. – Oath of Hippocrates, 4th Century B.C.E.
As illustrated by the Hippocratic Oath, the issue of patient privacy is not a new one. Patient-doctor confidentiality is taken for granted by most people as a fundamental right. Despite the long-standing recognition of the need for patient privacy, it was only in 1996 that the Health Insurance Portability and Accountability Act (HIPAA) was enacted at the federal level. Among its provisions are rules set forth to guard patient privacy, with a strong emphasis on safeguarding electronic patient data.
Medical information is critical to the functioning of any practice, and it must be complete, accurate, uncompromised, secure and available. However, medical records are no longer simply locked in filing cabinets to be accessed by a few authorized people – a patient record can reside in many locations, including a physical file, a patient database, and back-up media. The diverse storage methods and the dynamic nature of the data make it difficult to keep it confidential and secure.
With the passing of HIPAA, legislation mandated the protection of patient privacy by all covered entities, which include health care providers, health care plans, and health care clearinghouses. Two significant rules were enacted that specifically address patient data. One of the main functions of the Privacy Rule is to control how a patient’s health information is used; in particular, it requires each covered entity to create and enforce policies to protect that privacy. The requirements of the Security Rule mandate protection of all Electronic Protected Health Information – that is, protected health information (PHI) that is transmitted or stored electronically. The Privacy Rule requires that administrative, physical and technical safeguards be enforced to ensure that data is protected from inappropriate access, modification, dissemination and destruction. It is therefore critical to evaluate the handling of patient information, identify vulnerabilities and secure data so as to mitigate the risks associated with information breaches. Although each situation may vary, the following steps may help lay a foundation towards achieving the ultimate goal: secure data.
Establish a Plan of Attack
The process of securing data may seem daunting. The amount of data in its many forms has been increasing at an exponential rate. Before driving toward a possible solution, take time to assess the situation. Establish a committee with the power and the ability to implement and enforce your solution. The committee should include personnel from different departments including top management.
Conduct an Internal Review
In this step, identify all departments that use confidential information and categorize the sensitivity of the data and its level of vulnerability. Make sure to note assets such as software, servers, firewalls and routers that may impact data security. As in any audit, speak to the persons working with the data to assess its value and how the practice would be impacted if that data were lost or compromised. In addition, the practice should perform a vulnerability assessment to get a better understanding of whether and how the data may be compromised. Types of vulnerabilities associated with electronic information include:
· Unauthorized access to patient data from within the practice and outside sources (hackers).
· Data eavesdropping (interception or viewing of data that is being transmitted over an unsecured line).
· Unauthorized physical access to server rooms, computers and back-up tapes.
· Exposure to malicious software such as viruses and malware.
· Threats from unauthorized web-surfing or applications such as instant messaging.
Some vulnerabilities need to be tolerated because they are an inherent part of doing business and thus cannot be reduced or eliminated. The storage of medical information can itself be considered a risk but is one that obviously needs to be taken.
Other vulnerabilities may be mitigated by reducing the level or type of exposure. For example, all servers and computers should reside behind a business-level firewall – a properly configured firewall controls data flow between internal and external networks. Personal patient data should be encrypted at all times. Wireless networks pose a serious threat to privacy, as data packets can be intercepted as they travel across the network. All components of a wireless network – including laptops and PDAs – must be physically locked down where possible, and the information must be encrypted.
The third option is to remediate the risk entirely. The practice may need to reassess some policies and procedures to better address data privacy. In addition, many vulnerabilities can be removed by a properly configured and maintained network. Be sure to keep systems updated with the latest version of the practice management software and apply all security patches to the workstations and servers. There are many cases in which a properly maintained network would have prevented or reduced the impact of a malicious attack.
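The following is an added illustration, not part of the original article or the authors' consulting practice, of how the internal review and the three treatment options above (tolerate, mitigate, remediate) can be turned into a simple risk register. The asset fields, the sample inventory and the severity thresholds are constructed for this example; a real review would derive them from the interviews and the vulnerability assessment described in the text.

```python
"""Added example: a small risk-register builder for a HIPAA internal review.

Each asset is described by whether it handles PHI and by the exposures and
controls the article discusses (firewall, encryption, wireless, patching,
physical access). Every check maps to one of the article's three treatments:
tolerate an inherent risk, mitigate exposure, or remediate it entirely.
All asset data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    name: str
    holds_phi: bool           # stores or transmits protected health information
    internet_facing: bool     # reachable from outside the practice network
    wireless: bool            # PHI crosses a wireless segment
    encrypted: bool           # PHI encrypted at rest and in transit
    behind_firewall: bool     # sits behind a business-level firewall
    patched: bool             # current vendor security patches applied
    physically_secured: bool  # locked room or locked-down device


@dataclass
class Finding:
    asset: str
    vulnerability: str
    severity: str   # "high" | "medium" | "low"
    treatment: str  # "tolerate" | "mitigate" | "remediate"


def review_asset(a: Asset) -> List[Finding]:
    """Apply the article's vulnerability checks to one asset."""
    findings: List[Finding] = []
    if not a.holds_phi:
        return findings  # no PHI: out of scope for this review
    # Storing PHI at all is an inherent risk the practice must accept.
    findings.append(Finding(a.name, "PHI storage (inherent to the business)", "low", "tolerate"))
    if not a.encrypted:
        # Eavesdropping is far more likely on wireless or internet-facing paths.
        sev = "high" if (a.internet_facing or a.wireless) else "medium"
        findings.append(Finding(a.name, "PHI not encrypted; exposed to eavesdropping", sev, "mitigate"))
    if a.internet_facing and not a.behind_firewall:
        findings.append(Finding(a.name, "Reachable from outside without a firewall", "high", "mitigate"))
    if not a.patched:
        # Missing patches can be removed entirely, so this is remediation.
        findings.append(Finding(a.name, "Missing security patches", "high", "remediate"))
    if not a.physically_secured:
        findings.append(Finding(a.name, "Unauthorized physical access possible", "medium", "mitigate"))
    return findings


def build_register(assets: List[Asset]) -> List[Finding]:
    """Review every asset and order findings by severity, then asset name."""
    register: List[Finding] = []
    for a in assets:
        register.extend(review_asset(a))
    order = {"high": 0, "medium": 1, "low": 2}
    register.sort(key=lambda f: (order[f.severity], f.asset))
    return register


def summarize(register: List[Finding]) -> Dict[str, int]:
    """Count findings per treatment so management can size the work."""
    counts = {"tolerate": 0, "mitigate": 0, "remediate": 0}
    for f in register:
        counts[f.treatment] += 1
    return counts


# Constructed sample inventory (not a real practice).
SAMPLE_ASSETS = [
    Asset("patient-db-server", True, False, False, True, True, True, True),
    Asset("billing-workstation", True, False, False, False, True, False, True),
    Asset("front-desk-laptop", True, False, True, False, True, True, False),
    Asset("public-website", False, True, False, False, True, True, True),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ASSETS)
    for f in register:
        print(f"[{f.severity:6}] {f.asset}: {f.vulnerability} -> {f.treatment}")
    print(summarize(register))
```

Running the script lists the high-severity items first (the unpatched billing workstation and the unencrypted laptop on the wireless segment), which is the order in which the committee would schedule work; the summary counts give management a one-line view of how much is inherent, how much can be reduced, and how much can be eliminated outright.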
Develop a Security Plan
After gaining an understanding of the data and its vulnerabilities, establish a clear and concise plan to protect the data. Be sure to use best practices from accepted guidelines such as COBIT (Control Objectives for Information and related Technology) to configure your firewalls, workstations and servers and to encrypt data.
Communicate the Plan
Every practice must create detailed Patient Privacy and Acceptable Use Policies that specifically define data protection and patient privacy. All staff must be trained to observe and comply with these policies and appropriate procedures must be in place to address any issues. These policies must be presented and enforced by management including the physicians. Policy compliance is most successful when top-level management recognizes its importance.
It is critical for a practice to create, enforce and routinely test its patient health information protection policies. A responsible practice will also ensure that all agents and partners it does business with are HIPAA-compliant and proactively protect their client information. With the cost of medical malpractice insurance rising and the obvious financial and professional consequences of patient privacy breaches, it is necessary for practices to document their internal business processes and outline a policy that evaluates and tests data processing controls.
A medical practice must proactively maintain the confidentiality of its patients’ protected health information to the highest degree possible. The cost of hiring an outside consultant to conduct a thorough risk analysis and help create a comprehensive acceptable use and data protection policy is nominal compared to the costs associated with a breach of patient health information. Doctors and health care providers have a professional and moral obligation to protect the integrity and confidentiality of their patients’ private health information to the best of their ability. That obligation is met through appropriate and robust policies that address both the handling of the information by the practice’s own staff and authorized agents and the physical and technical safeguards in place to protect the electronic health information.
Qahim Moosavi is the head of Margolis Consulting Services, and Lawrence S. Simon, CPA is a principal and co-director of the Health Care Services Division in the CPA and business consulting firm of Margolis & Company P.C. in Bala Cynwyd, Pa.