News reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk rests with an organization’s workforce members. An organization’s information technology (IT) department can do a tremendous job securing the systems from outside intruders, however, relying too heavily on external risks at the expense of internal risks can be problematic for any healthcare practice or healthcare industry vendor. Whether inadvertently or intentionally, employees are frequently the cause of improper uses or disclosures of patient data, putting the company at risk for a data breach, reputational harm, investigation by federal and state agencies, and litigation.
It is true that no system or set of safeguards is infallible; breaches are going to happen. However, here are some steps providers and business associates can take to reduce the risk that those breaches will be caused by members of the company’s workforce:
- In-person Training. Many covered entities and business associates use on-line, “in-the-can” training products. These could be a valuable part of any training and awareness program, particularly for conveying general HIPAA privacy and security concepts. But there is no substitute for in-person training about the provider’s own policies as applied to the day-to-day circumstances of that practice or business. Employees need to ask questions and hear how policies interact with their particular job responsibilities to best understand some of the nuances in applying HIPAA and applicable state laws and privileges. The Texas Medical Records Privacy Act (the state’s “mini-HIPAA” law), for example, does not mandate in-person training, but it does require at Section 181.101 that training address “state and federal law concerning protected health information as necessary and appropriate for the employees to carry out the employees’ duties for the covered entity.” It is important to make training real, practical and regular. In many cases, it is the more senior employees, physicians and nurses, who could benefit most from such training.
- Enhance Monitoring. All the training in the world will not protect an organization from an employee who is intent on taking information or improperly accessing information. For example, the employee might be trying to find out information about the diagnosis or drug use of a family member, or the employee may be in fear of losing his or her job and want to collect evidence for subsequent litigation. Other employees may want to steal patient/customer information for a new business, or commit medical identity theft which is reported to be growing rapidly. Implemented carefully and responsibly, monitoring systems activity can be an excellent tool for helping the organization to mitigate and in some cases stop data loss.
- Manage Devices. The flood of new and more powerful devices carried by employees is a headache for any Privacy Officer. But some of the risks could be relieved through careful planning and policies. Consider the following: (i) should all devices be permitted, (ii) if so, what mobile device management solution, if any, should be used; (iii) which employees should be permitted to use devices at the workplace, and what should they be permitted to access; (iv) what happens to the device when the employee is terminated or purchases a new device; (v) do employees have to be reimbursed for the cost of the device or the data service; and (vi) do we have any labor law considerations, whether or not the workforce is unionized.
- Plan for a Breach. As noted above, breaches are going to happen, so plan and run drills. Even if on a single page, have a checklist for responding that addresses such things as – who should be involved in the response process, who will coordinate the investigation and ensure systems are secure, what vendors can the organization call upon (legal, forensic, etc.), insurance contacts and requirements, and who makes decisions on such things, as whether to notify, who to notify, and what to say in the notice. Employees hear about these incidents, but many do not have a feel for what a breach is, how to report internally, the steps involved, and how quickly the organization must respond.
- Assess Confidence in IT Staff. For many practices, it likely is easier to assess a surgeon’s competence than the competence of the practice’s IT director. Often the owners of a healthcare practice do not find this out until it is too late. The business should take steps to ensure it has the right team in this critical department. In some cases, it may need to have an outside vendor assess the performance of its internal team.
Could your healthcare practice or business become the target of an external attacker? Yes. Is it likely? Probably not as likely as an internal incident. The steps outlined above are not exhaustive, and do not promise HIPAA compliance. They are, however, sensible best practices to help avoid inadvertent and intentional activities inside the organization that can cause a data privacy or security incident.