Here’s a headline that grabbed my attention (and raised some alarm bells) recently: National Electronic Patient Database Soon To Be Mandatory For Healthcare Providers. I assume any other health care professional who saw it was also interested in the possibilities. As it turns out, this story is about a health care consumer database in Singapore, but the potential and concerns for this kind of “mandatory” database aren’t that far off point here in the United States.
In just the last couple of months, we’ve seen movement to large shared databases that allow for health care provider organizations to share consumer information over large networks. For example, New Jersey has created a “Master Person Index” database—available to health care provider organizations throughout the state—intended to improve health care quality in terms of facilitating access to care, reducing medical errors, and ensuring health record accessibility (see New Jersey Creates ‘Master Person Index’ With Goal To Improve Health Care Quality, Care & Accessibility). And in California, the County of San Francisco is rolling out a new database—called the Online Navigation and Entry (ONE) System—to coordinate assessment and referral for people experiencing homelessness, from 15 databases that were being used throughout the county (see San Francisco Launches New Database To Improve & Streamline Services For Homeless People).
And, whether we have government-mandated data sharing or not, the recent spate of big health-sector mergers (see The Merger Of Retail With Health Plans—Strategy, Please, Financing Innovation & Business Development Amidst The Mergers, and David Versus Goliath?) is creating very large private databases of consumer health information. At the same time, the news is full of the coverage of large-scale health care data breaches:
- Coplin Health System warns 43K of data breach after laptop was stolen from employee’s car
- SSM Health data breach compromised 29000 patients after unlawful intrusion by employee
- Emory Healthcare reports data breach involving 24K patients, a former physician and a OneDrive account
The question for executives and board members of health and human service organizations is what to do to prevent those data breaches from happening. In the current climate, this is an important question to answer before a mistake becomes a financial liability. In Connecticut, for example, provider organizations can be held accountable for unauthorized exposures of consumer health data and be subject to state-law negligence claims (see State Supreme Court Establishes Right To Sue Over Medical Record Breaches and Conn. Ruling Expands HIPAA Liability For Medical Providers).
OPEN MINDS Senior Associate Sharon Hicks noted that provider organizations need to focus on building clear policies around consumer data, and on making adherence to those policies a priority for staff. She explained:
The best defense for any health care organization is a dual focus on policy and security. Many disclosures that have been in the news are actually the result of a staff person failing to comply with written policy. Clinicians using unencrypted devices, staff from billing taking personal health information home to work on outside of the office setting, and medical records staff not following procedure before disclosing information: all are examples of breaches that have occurred. So in addition to the security and vulnerability risk assessments that should be part of standard practice, well-written and easy-to-follow policies are an important part of the whole picture.
OPEN MINDS Senior Associate Ken Carr added that there are four key actions that organizations can take to ensure that they are prioritizing data security and building an organizational culture that focuses on protecting consumer data. He writes:
There are many actions that an organization can take to secure protected health information. It is important to continually update specific actions around four aspects of compliance.
- Implement policies that ensure compliance with the HIPAA Security Rule, and continually update procedures to address risks as the environment changes. There are a number of resources available to help organizations ensure policy compliance with the security requirements, including the Health & Human Services resources to help organizations understand the requirements of the HIPAA security rule (see Guidance on Risk Analysis).
- Train staff on the policies and procedures. And beyond training, create a culture where staff value the security of client data as highly as delivering quality services. Staff can easily fall victim to phishing emails and other schemes, so update them frequently on new criminal approaches to stealing data.
- Implement data security technology and enforce Bring Your Own Device (BYOD) policies. There are just too many risks associated with having equipment lost or stolen, or having emails compromised. One study indicated that over 50% of breach incidents were related to lost or stolen devices. Encryption of laptops, phones and email can reduce information breach risks significantly (see 5 Ways To Avoid Health Data Breaches).
- Conduct a yearly risk assessment. This is required by the HIPAA Security Rule, but also ensures that all of the other actions taken are working. Any new areas of risk or non-compliance should be addressed through root-cause analysis, and the actions above updated to address the risk.
For more, check out these resources from the OPEN MINDS Industry Library:
- Digital Security Isn’t Where It Needs To Be
- HIPAA Fines & HIPAA Audits On The Rise
- Should 42 CFR, Part 2 Be Aligned With HIPAA?
- Substance Abuse Privacy Rules Could Be Changing
- Fixing The Data Sharing Problem
- The ‘Baby HIPAA’ Conundrum
- Do You Want “Granular” Control Over Your Health Record?
- When CRM & EHR Merge – The Potential & The Challenges
- Can You Be ‘Re-Identified’?
- HIPAA, HIE & The Art Of Sharing Information
And for more on this conversation, join me on October 23, 2018 at The 2018 OPEN MINDS Technology & Informatics Institute for my session, “The Challenges Of Data Management In A Digital World: An Executive Discussion On Security, Privacy, & Consumer Control.”