By Rita Bowen, MA, RHIA, CHPS, SSGB, and Scott Ruthe
As health care data breaches continue to put patient information at risk, organizations must make disclosure management practices top priority—a vital part of policies and procedures. For HIM professionals, this means balancing a growing list of stewardship responsibilities: privacy and security, transparency and availability, compliance, and overall information integrity to support quality of care.
The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, sponsored by ID Experts, found that 91% of health care organizations had at least one data breach and 40% had more than five data breaches over the past two years. Criminal attacks are cited as the new leading cause of data breaches in health care, and a growing share of breaches is attributed to trusted insiders.
Most respondents identified the disclosure of a patient’s personal health information as the biggest threat posed by a data breach. Patients whose records are lost or stolen are also more vulnerable to both medical and financial identity theft. The risk of medical identity theft to breached individuals is rising (up 22% from the previous year), yet the resulting harms are largely going unaddressed. According to the Ponemon/Medical Identity Fraud Alliance study, 2014 Fifth Annual Study on Medical Identity Theft, the number of adult victims of medical identity theft nearly doubled in five years, from 1.4 million to more than 2.3 million in 2014.
Despite these compelling findings, most health care organizations remain unprepared to address evolving privacy and security threats. Building strong disclosure management practices to protect patient information is paramount.
Managing the Disclosure Process — Why Protection Is Important
Managing disclosure, or release of information (ROI), grows more complex as request volumes climb. Some organizations handle ROI internally while others outsource the process to vendors that specialize in handling protected health information (PHI). Either way, organizations benefit from technology solutions combined with information governance practices that make PHI available only to parties with a legitimate need for the information, as defined by HIPAA.
Despite the potential risks to patients who have had their records lost or stolen, Ponemon reports that nearly two-thirds of both health care organizations and business associates (BAs) do not offer protection services. Only 19% offer credit monitoring and 10% offer other identity monitoring. As a result, many victims of identity theft are footing the bill—spending thousands of dollars to cover the cost of false claims, correct their health records, and restore their credit.
The harm from health care identity theft is more complex than that from a stolen credit card or a hacked bank account. If someone steals your credit card, the issuer can cancel the account and assign a new number. Patient information cannot be reissued: it can be sold repeatedly to different people who continue to use it at various locations, so a single stolen record can be exploited for years. The value of credit monitoring to the patient is peace of mind. From a business perspective, it is the right thing to do, and it shows that your facility is an ethical, values-based organization.
What to Do If a Breach Occurs
Health care facilities that have implemented a proactive approach for managing identity theft are well ahead of the game. Some organizations have designated response teams charged with developing prevention practices focused on multidisciplinary training to mitigate medical identity theft. With prevention measures in place, providers should define an investigation and recovery process, including a plan for notification and protection of affected patients.
When a breach occurs, the first step is a thorough investigation and risk assessment to determine the nature and extent of the PHI disclosure and the potential harm. Patients whose information was disclosed must be notified without unreasonable delay, and no later than 60 calendar days from the date of discovery. Your organization, or a BA acting on its behalf, provides individual notice in written form by first-class mail, or by e-mail if the affected person has agreed to electronic notification.
If you have insufficient or out-of-date contact information for 10 or more individuals, you must provide substitute notice: a conspicuous posting on the home page of your website for at least 90 days, or a conspicuous notice in major print or broadcast media, in either case including a toll-free number that remains active for at least 90 days. Additional requirements apply when a breach affects 500 or more individuals: HHS must be notified within the same 60-day window, and prominent media outlets serving the affected state or jurisdiction must be notified as well. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered, following the instructions on the HHS website.
Organizations that have invested in cyber insurance can often offer identity theft protection to their patients under the policy. If a breach occurs, patients typically have access to a centralized call center to help ease concerns and receive guidance following the incident.
Seven Strategies to Mitigate ROI Risks
While the disclosure process is a top priority for IT, protecting the patient record also requires standard policies and practices supported by information governance. The following are seven strategies to strengthen disclosure management:
Education Remains Paramount
Education is the foundation of successful disclosure management. Without standardized policies and procedures reinforced by ROI training and expertise, organizations face serious challenges in achieving compliance, quality of care, patient safety, operational efficiency, and reduced costs. HIM staff and all other staff across the enterprise must understand federal and state rules and regulations in addition to their own organizational processes, source systems, EHR record requirements, and ROI documentation and workflow.
While many health care organizations are taking measures to increase the focus on privacy and security, rapidly changing cyber threats continue to outpace investments in technologies and processes to protect health care information. Recent research confirms the need for a proactive, enterprisewide approach. Ensuring trust in information is everyone’s responsibility.
— Rita Bowen, MA, RHIA, CHPS, SSGB, is senior vice president of HIM and privacy officer at HealthPort.
— Scott Ruthe is vice president of network and security at HealthPort.