...And What You Can Do About it, Today!

By Linda Garrett, JD

Healthcare professionals who work in small practice settings may read headlines about huge data breaches and million-dollar fines and think HIPAA breaches are only a concern for large health plans and medical centers. [1] But many small breaches that never make the headlines occur every day in small professional practices. And, even though the civil fines and penalties may be smaller, the costs of compliance can be daunting. On top of potential lawsuits, reputational harm and damage to staff morale, you have the costs of mitigation, sanctions, patient notification and reporting -- HIPAA requirements that apply to all covered entities, regardless of their size. Added up, these expenses can cause serious problems for your pocketbook and your practice.[2]

If you use electronic health records, you no doubt have protections in place to keep those records secure and safe from cyber-criminals intent on ID theft. But what sort of training are you providing to your front desk staff, billing clerk, and medical/dental assistants to prevent "low-tech" privacy breaches? Does your training meet the "reasonableness" standard that federal investigators will apply after a breach has occurred? This is the area where you may be most vulnerable: unless you train every member of your staff when they are hired, and on a regular basis thereafter, you are at risk not only for a breach but also for fines and penalties tied to your failure to take "reasonable measures" to prevent the breach from happening at all.

Here are five examples of the kind of “low tech” breaches that continue to occur far too frequently in healthcare:

1. You have established a thriving dental practice and take pride in the fact that your front desk office manager has been with you for years and knows your patients, their families and their dental history off the top of her head. Clearly your patients love her, and she cares about them. But have you ever heard her casually greet a patient and note that she just saw his mom at the office earlier in the week and how nice it was to see her? Or, have a patient tell her “today must be teeth-cleaning day for Oak Street” after seeing his neighbor in the parking lot, and have her say with a smile, “well, maybe a little more than teeth cleaning today!” Small comments like this are privacy breaches and violate HIPAA even if they don’t communicate details like a patient’s date of birth or social security number. Whether it is an offhand remark made to a neighbor implying more serious dental problems than a routine cleaning, or the simple sharing of contact information with someone’s probation officer who asks for a patient’s phone number, a privacy breach has occurred.

Solution: Instruct your staff that under no circumstances should they discuss patient information with others unless your policy, and the law, requires or permits it. Remember, HIPAA regulations provide that even the mere fact that someone is your patient and receives services from you is confidential.

2. You have been meaning to get a new copier for your primary care clinic because the "three-in-one" (copy, fax, and scan) in the front office is getting old and doesn't always produce copies the way it should. Staff have been told that anything with patient information on it should be shredded, but the shredder is noisy, and it's in the back billing office. So instead, staff will occasionally toss an imperfect copy into the wastebasket next to the copy machine. A blurred or skewed copy that includes even a tiny glimpse of patient identifying information is "protected health information" (PHI) under HIPAA. That PHI might then begin a journey to the dumpster out back when cleaning staff comes in at night, followed by a bumpy early morning ride in a bag atop a garbage truck the next day, with a final drop into the city's landfill on the edge of town later that evening. Scavengers looking for copper wire who incidentally come across protected health information now have something else of value that they can sell, perhaps to the highest bidder on a "dark net" black market Internet site. Something that started with a blurred copy thoughtlessly tossed into the wastebasket is now an impermissible disclosure of unsecured PHI, and under the Breach Notification Rule it is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the information was compromised.

Solution: Instruct your staff to scrupulously separate PHI from other materials and to shred it promptly when it needs to be disposed of. Never leave it out overnight if others have access to your office. Patient information that makes its way to your trash bin out back is most definitely not secure from “dumpster divers” who specifically look to steal your patients’ information in order to commit ID theft crimes.

3. That same copy machine has a collection tray that catches incoming faxes, as well as copies as they are made. You ask your medical assistant to walk your patient out to the waiting room and to make her a copy of home-care instructions following a minor office procedure. Unbeknownst to your assistant, a fax has come in a few minutes earlier from another patient’s cardiologist with recommendations for medical management of his vascular disease. Everything in the tray is handed to the patient who now goes home with her own instructions plus the cardiologist’s report that includes information about another patient’s heart problems. In a small town they might know each other, but regardless of the setting, a careless error has resulted in a privacy breach.

Solution: Train your staff to always carefully look at every single page of information they hand to a patient. Although it is a tedious task, if it saves you from even one HIPAA breach, it is well worth the extra minute or two it takes to make sure information about someone else isn't inadvertently sent home with the wrong patient. A related problem can happen when "boilerplate" documents accidentally include a previous patient's ID number or name when a new document is created from them. Tell staff that some things should be done slowly, and that you want them to double-check the documents they create in order to avoid "human error" oversights of this kind.

4. Have you ever sent out a mass email to your patients to alert them to your new Saturday hours, or to introduce a new member of your staff? Maybe you just want to let them know that you have now associated your practice with an outpatient mental health counseling center. You may think your administrative assistant knows what she is doing, but a recent breach may give you pause. Over 500 patients received a notice from a small specialty clinic telling them that they could now sign up to access the patient portal capability of the clinic's electronic health records system. This would allow them to make or change appointments, access their record, and leave messages for their provider. When the phone started ringing the next day the clinic learned to its horror that the person who hit "send" didn't also make sure that "blind carbon copy" was properly activated. Now each patient had 500 other patients' email addresses and knew they were receiving specialty care, and each patient also knew that 500 other people had the same information about them! Clearly this was not a sinister or deliberate breach, but it still required costly mitigation in the form of ID theft protection, reporting and notification (and because 500 or more individuals were affected, the breach had to be reported to HHS without the delay allowed for smaller breaches). And that was just the cost of compliance; fines and penalties, as well as privacy lawsuits, could still be in their future.

Solution: Ensure that all of your staff are trained on the communication tools your office uses. Put your own practice address in the "To" field and every patient in "Bcc" (or use a mailing tool that sends each patient an individual message), and always send a test email to a few internal addresses before the actual sending of a large multiple-recipient communication to make sure that other actions, for example the use of list-merging tools, have not accidentally disabled the blind carbon copy function.
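The check below is an added example written for this article, not code from the author or from any practice's mail system. It builds a bulk patient notice with only the practice's own address visible in "To" and every patient in "Bcc", refuses to send when a patient address shows up in "To" or "Cc" (the mistake in the story above), and strips the "Bcc" header from the bytes handed to the transport so the list cannot leak through a mail API or queue that does not remove it for you. The practice address and the patient addresses are constructed sample data.

```python
"""Bulk patient notification guard: patients go in Bcc only.

Added example, not part of the original article. All addresses are
constructed sample data (example.net / clinic.example), not real patients.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# The practice's own mailbox (assumed name); it is the only address patients see.
PRACTICE_FROM = "frontdesk@clinic.example"

# Constructed sample recipient list.
SAMPLE_PATIENTS = [
    "patient.one@example.net",
    "patient.two@example.net",
    "patient.three@example.net",
]


def build_bulk_notice(patients, subject, body, sender=PRACTICE_FROM):
    """Correct form: practice address in To, every patient hidden in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(patients)
    msg.set_content(body)
    return msg


def build_unsafe_notice(patients, subject, body, sender=PRACTICE_FROM):
    """The breach from the article: every patient listed in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(patients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will see in the delivered headers (To and Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers])]


def check_bcc_only(msg, sender=PRACTICE_FROM):
    """Return a list of problems; an empty list means the notice is safe to send."""
    problems = []
    outsiders = [a for a in visible_recipients(msg) if a.lower() != sender.lower()]
    if outsiders:
        problems.append(
            f"{len(outsiders)} patient address(es) exposed in To/Cc, e.g. {outsiders[:3]}"
        )
    if not msg.get_all("Bcc"):
        problems.append("no Bcc recipients: nothing would be delivered to patients")
    return problems


def prepare_for_transport(msg):
    """Split into (envelope recipients, wire bytes with the Bcc header removed).

    smtplib.SMTP.send_message strips Bcc itself, but doing it here means any
    other transport (HTTP mail API, job queue) cannot leak the list either.
    """
    all_headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    envelope = [addr for _, addr in getaddresses([str(h) for h in all_headers])]
    wire = message_from_bytes(msg.as_bytes(), policy=policy.default)
    del wire["Bcc"]
    return envelope, wire.as_bytes()


if __name__ == "__main__":
    notice = build_bulk_notice(SAMPLE_PATIENTS, "Patient portal now available", "Sign up at ...")
    print("safe notice problems:", check_bcc_only(notice))
    print("unsafe notice problems:", check_bcc_only(build_unsafe_notice(SAMPLE_PATIENTS, "x", "y")))
    rcpts, wire = prepare_for_transport(notice)
    print("envelope recipients:", rcpts)
    print("Bcc header present on the wire:", b"Bcc:" in wire)
```

Run `check_bcc_only` as a gate in whatever script or tool sends the notice, and only call the transport when it returns an empty list; the test email the solution above recommends is still worth sending, but a check like this catches the bad "To" line before any patient sees it.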

5. Are you sure that all of your staff understand when it is okay to provide records to third parties? Do they know to check with you before they helpfully copy patient records for a caseworker at the County Housing Authority? How would they respond to a subpoena? Does every member of your staff know what your particular state laws say about permissive or mandatory disclosures of protected health information to law enforcement, and which law they have to follow? Inadvertently hiring a criminal who would deliberately breach privacy is unlikely, but it IS likely that most of your new hires will not be HIPAA experts. And a very common "low tech" error involves disclosing protected health information to third parties, for example to public officials who appear to have a legitimate "need to know," or to friends, family or neighbors who just want to help. Then, when it's too late, comes the realization that there was no "legal pathway" that would have permitted the disclosure. The only way to prevent that from happening is through training.

Solution: The HIPAA Privacy Rule is complicated, and if your state law has more stringent privacy provisions, it is not always easy to know what to do. It is therefore essential that staff be trained to know when they must, may and cannot disclose PHI. And, perhaps even more importantly, they need to be reminded to always check with you if they are not sure whether a use, disclosure or access to PHI is allowed or required by law. As the saying goes, “it’s better to be safe than sorry!”

Your staff have no doubt been told to keep paper records securely locked at night, and never to open suspicious emails that might carry ransomware that could shut down your system or block access to your data. But the more likely cause of a breach in a small professional practice is not a criminal intrusion; rather, it is an inadvertent, careless, or unknowing wrongful disclosure by your own staff. That is why it is essential to provide solid privacy training to new staff, with ongoing training for all staff on a regular basis thereafter. And, if you do experience a breach event, part of your mitigation will necessarily involve retraining. Taking the time to train your staff will reduce the risk of "low tech" breaches, help you demonstrate that you have taken "reasonable measures" to protect patient privacy, and save countless hours and dollars in the long run.

Looking for HIPAA training for your employees? We have three to choose from: HIPAA Essentials, HIPAA for Managers, and HIPAA Breaches.
[1] A case in point is the recent $5.5 million Advocate Health System settlement covering three 2013 data breaches that affected over 4 million patients, at the time of writing the largest HIPAA settlement ever.

[2] HIPAA breach compliance requires mitigation, sanctions, patient notification and reporting to DHHS when patient information has been used, accessed or disclosed in violation of the HIPAA Privacy Rule and that violation results in a compromise of the information.