Securing Protected Health Information is not a “one person” job
You have been given the responsibility to protect the Protected Health Information (PHI) within your company to meet the new HIPAA and HITECH requirements.
One of the most important questions to ask yourself is: where could a breach happen that you might not expect?
In the healthcare industry, PHI is received daily and evidence shows that it is shared with many departments, employees and portals. Recently, the healthcare industry has been hit hard by attacks and lost or misplaced data. Try searching “healthcare data breach” in Google News and you’ll find a long list of reported incidents from just the past couple of months.
Below are some examples of recent healthcare data breaches that might suggest extra places to check and secure, such as the copy machine.
Cogent Healthcare, Inc., which manages several physician groups throughout the United States, recently began notifying approximately 32,000 patients of physicians in 24 such physician groups that their personal health information (PHI) may have been exposed online.
The company had contracted with the medical transcription company M2ComSys to transcribe patient care notes for some of its physician groups. M2ComSys then stored those notes on a Web site that was supposed to be secure. A security lapse by M2ComSys, however, apparently exposed some of those notes to online access.
The Oregon Health & Science University is notifying more than 3,000 of its patients of a breach of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google's cloud-based information-sharing services.
The data—including the patients' names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers' names—that were posted to either Google's Gmail or Drive were first discovered by a faculty member this past May, according to an OHSU news release.
Affinity Health Plan will pay HHS about $1.2 million for violating HIPAA as part of a patient data breach case, Healthcare IT News reports.
According to Affinity officials, the managed care plan was informed by CBS Evening News that the network had purchased a photocopier previously leased by Affinity as part of an investigatory report and that the copier still contained confidential medical data on its hard drive. Affinity estimated that up to 344,579 individuals might have been affected by the breach.
The important thing is that you're not alone in the responsibility for protecting health information. Everyone who touches the data has the same responsibility, and they can help avoid breaches like the ones above if they know how.
Under the HIPAA Omnibus rule, employees are required to be trained to identify and safely transmit, store, and dispose of PHI. Just in time for the Omnibus deadline of September 23, 2013, Wombat has introduced its PHI training module, not only to ensure you are compliant in completing the training but also to change employee behavior.