Indiana-based Cancer Care Group, P.C. (CCG) did the right thing when it came to encrypting sensitive patient data on its mobile devices. However, the group practice failed to encrypt or otherwise protect backup tapes that were left unattended in a laptop bag and stolen, according to JD Supra Business Advisor. Unfortunately, the tapes contained the protected health information (PHI) of approximately 55,000 individuals. Compounding the security lapse, CCG did not conduct an incident assessment following the breach, nor did it implement procedures to address the incident. HHS' Office for Civil Rights (OCR) fined the group $750,000 and required it to develop a three-year corrective action plan.
If medical practices take away just one lesson from this cautionary tale, it should be that the OCR is serious about enforcing the HIPAA Security Rule. Stephen McCallister, a California-based healthcare IT consultant, says that for practices to protect themselves against a data breach, the first step must be to conduct a security risk assessment, which the HIPAA Security Rule requires and which practices must also attest to under meaningful use. "Small to medium practices, they need to … conduct that risk assessment and both address any shortcomings that are identified in it, and continuously update that on at least an annual basis," McCallister says.
A practice should also have a formalized incident response plan as part of a disaster recovery/business continuity strategy, to address any type of potential security breach within the practice, he adds.
Mary Igo, chief executive officer for Digestive Health Specialists, a 35-provider specialty practice based in Tacoma, Wash., has been working in physician practices for more than 20 years and is well-acquainted with data security. Her practice spans seven offices and five endoscopy centers; all are connected on a network that includes two redundant servers. Digestive Health is fortunate to have a robust health IT team onsite, but Igo says data security starts with staff awareness. "[When an incident is reported] it can either be a patient calling and saying, 'I got someone else's paperwork,' … or it comes from an employee who knows that it is an issue," she says.
BASIC ELEMENTS OF A RESPONSE PLAN
The specifics of an incident response plan will vary according to practice size and resources, says McCallister. At a minimum, a plan should cover pre-breach preparation, "which includes not only planning for how you are going to respond to [the breach], but … if you'll need assistance with elements of the response," he advises.
The document should spell out who will help the practice respond to a data breach — internal staff, external consultants, IT vendors, legal counsel, etc. — and each person's role and contact information.
Even though Digestive Health has a dedicated communications staff member, Igo says she would prefer to spearhead an initial breach response herself so that she could control what is communicated to patients and the community. In fact, she notes, for small practices, the administrator may be responsible for implementing the majority of the response plan. In that case, it is important to know what outside resources are available to the practice, she says.
"[Our practice administrator networking group] was looking at six different practices, they varied in size from eight to 25 [staff members], and three of those six practices use outside vendors to support their IT environment," Igo says. Relying on an IT vendor for security assessments, software updates, and even technical support in the event of a security breach may be the best way to go for small practices, she notes. Not only do they have the technical knowledge about a practice's network, but they have an objectivity that an internal staff member may not.
That is a philosophy that Karena Wu, owner of Manhattan-based Active Care Physical Therapy, has adopted. The three-provider physical therapy practice uses a cloud-based EHR designed for physical therapists. All sensitive patient data resides on a HIPAA-compliant, cloud-based server, she says. "I think if someone is using a reputable EHR system, all of that compliance stuff is going to be taken care of for them. Because at the end of the day, we are all paying for a service," says Wu.