A $1.2 million settlement with HHS for failing to erase photocopier hard drives containing electronic protected health information (ePHI). A $50,000 settlement with HHS after a laptop containing unencrypted ePHI is stolen. A $100,000 settlement with HHS after posting surgery and appointment schedules on a publicly accessible Internet calendar. Immeasurable reputation damage after a USB flash drive containing ePHI is lost and patients and the local media are notified.
These are just a few real-world examples of the consequences practices, health systems, and health plans have faced due to technology missteps. If you're not careful, such a breach — and the consequences associated with it — could happen to your practice. Medical practice technology consultant Marion Jenkins estimates that more than 80 percent of practices are using technology that could put them at risk of a HIPAA violation. He attributes that to lack of understanding, lack of skill, poor system setup, and user error.
To ensure your practice is using the right technology, in the right way, we asked Jenkins and other privacy/security experts to weigh in. Here are some of the biggest technology mistakes they said practices make, and some of the technology alternatives and additional security measures they said practices should consider.
So you're working in your EHR or sorting through your practice management system and you decide to copy some data to your local device. Don't do it! This is one of the most common technology errors practices make that could lead to a HIPAA breach, says Jenkins, adding that it often occurs when leadership is using data to compile documents such as patient lists, board reports, and profit-by-patient analyses. "Those are things that typically a very senior person in a practice is doing so they have access to all the data," says Jenkins, who is executive vice president of 3t Systems, a healthcare IT services company in Greenwood Village, Colo. "They'll pull all the data out of the [EHR] into another file, usually it's an Excel spreadsheet, and then they'll work on that or manipulate that, and then they'll keep it for a long time. The problem is they store all that stuff locally."
Storing unencrypted ePHI locally, of course, is not secure. If a device containing the data is stolen, misplaced, or hacked, all of that information is breached. While such breaches often occur when mobile devices such as laptops are stolen or misplaced, the desktop computers within your practice pose a high risk as well if they contain unencrypted patient information. In one of the largest breach reports to date, the theft of four unencrypted desktop computers from a Chicago-area physician group practice may have exposed the personal information of more than four million patients.
While requiring staff and physicians to encrypt ePHI before saving it to local devices will help secure it, Jenkins says such information should never be stored on local devices in the first place. "I'm not aware of a single breach that's occurred inside of a practice management or EHR system — they've all occurred outside," he says.
For that reason, Jenkins recommends practices forgo traditional client-server systems that allow users to store data locally. Instead, practices should implement newer systems using thin clients and/or desktop virtualization that create the user environment on a server farm in a secure data center. That way the data is stored in a secure data center, on servers with redundant hard drives, backed up by data replication systems, and protected by a secure firewall, he says.
As noted, many breaches occur when mobile devices containing unencrypted ePHI are stolen or misplaced. While practices sometimes supply their physicians and staff with mobile tools — such as smartphones, tablets, or laptops — many practices allow physicians and staff to use their personal mobile devices for clinical or business purposes.