When patients’ health information gets compromised, it’s more than a matter of potentially revealing whether or not someone is allergic to shellfish or suffers from chronic back pain. Names, home addresses and telephone numbers, and Social Security numbers can also be placed into the hands of the unscrupulous. So it’s imperative that healthcare organizations start taking the necessary steps to ensure the safety not only of their patients but also their patients’ personal data.
Every organization must have procedures in place to comply with laws like HIPAA. But nowadays, just being HIPAA compliant is not enough. Each state has its own laws, and the HITECH Act also comes into play. While it may not be easy for health care providers to stay up to date with the myriad changes in these laws, the potential financial repercussions that both patients and healthcare organizations could suffer make staying current well worth the effort. All health care workers who come into contact with patient records should receive regular training and testing to ensure that they follow proper procedures and remain compliant with HIPAA and other regulations.
Breaches can happen at any time. Digital records are easily transferred from database to laptop or smart device in a matter of minutes. Once the laptop or smart device is lost or stolen, there’s potential for disaster. But even databases can be infiltrated. So it’s important that health care IT professionals conduct regular checks to ensure that everything is secure and running properly. There’s a saying in the military: “Ignorance is no excuse.” In other words, if someone didn’t know there was a weakness in his organization’s system that led to a breach, that doesn’t absolve him of guilt. Part of implementing procedures includes regular monitoring. And truthfully, ensuring the security of patients’ personal information is everyone’s responsibility, not just the IT team’s.
As unpleasant as it may be, health care organizations must also have disaster recovery plans. If a hacker does penetrate a health organization’s database, there must be procedures already established for either correcting any damage done or minimizing the risk. Again, it’s important to know the state, federal and local laws for safeguarding patients’ information. These laws also help health care providers understand the difference between an “incident” and a “breach.” Encrypting data is another safeguard worth looking into. But encrypting patient information doesn’t make it all right to become lax with other safety measures like regular monitoring and personnel training.
Because the definitions of “incident” and “breach” differ from state to state, it might be wise for organizations to err on the side of caution and do more than is required by law for whatever state they’re in. Encrypted files could be especially helpful for health care providers such as doctors or researchers who might be inclined to take work home with them on laptops or smart devices.
When it comes to protecting patients and their personal information, too much is never enough.