With all of the security breaches in the news recently, many medical practices have taken extra steps to keep their patient records safe. Employee training and awareness, installation of virus and malware protection, regular data back-up, purchase of a cybersecurity insurance policy, and hiring an IT person to help keep systems up to date are examples of ways to make a medical practice more secure. However, no matter what is done to protect sensitive data, sometimes the biggest threat to patient records is located right in your office.
Employees must have access to sensitive data, such as patients’ protected health information (PHI), in order to perform their job duties. However, sometimes employees will access information that is outside the scope of their employment. An employee accessing PHI without a job-related reason could be considered a criminal violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In addition, this type of unauthorized access to PHI generally requires the practice to notify the patient, the government and, in some cases, the local media under the Breach Notification Rule.
Many times, a breach of PHI is unintentional. A patient’s PHI may be inadvertently mailed to the wrong patient, or a patient’s lab results are accidentally handed to the wrong person. However, in some cases an employee may have less than honorable intentions when accessing sensitive data. In all cases, the SVMIC policyholder should report the incident as soon as it is discovered to the claims department.
The following are examples of actual claims that illustrate circumstances when an employee was the source of a breach. These claims are being responded to by NAS Insurance Services either through the coverage included in the SVMIC professional liability policy or in additional limits purchased through SVMIC’s partnership with NAS:
Disgruntled or dishonest employees are often at the root of cybersecurity claims reported to NAS. In some circumstances, an unhappy employee may decide to take records with them when they leave, as in the following examples:
As mentioned previously, to safeguard patient data, practices may rely on an IT expert. In order to do so, the IT expert is granted access to the entire system. However, if the relationship should ever become hostile and the trusted expert is no longer trustworthy, that same access gives them the ability to destroy data or otherwise keep it from being accessed by employees. For one medical practice, that is exactly what happened:
Health and Human Services (HHS), the agency that enforces HIPAA rules, requires the practice to have protocols that outline the circumstances in which PHI can be accessed and what to do once unauthorized access is discovered. As a first step, a unique username and password for each employee who has access to sensitive data is one way to ensure that only those employees who are authorized to access patient records are able to do so. However, the responsibility of the practice does not end with a secure login. The HIPAA Security Rule requires certain administrative, physical and technical safeguards to be implemented to protect the confidentiality, integrity and availability of all electronic PHI that the practice creates, receives, transmits and stores. The following technical safeguards are outlined on the HHS website:
In addition to compliance with the HIPAA Security Rule, it is necessary that a practice have a plan in place for when a breach is discovered. For instance, there are steps to take to determine the extent of the breach. Once it is determined how many records are involved, there are rules regarding notification. These rules apply not only to a cyber-attack but also to the examples listed above. The following checklist can be found here:
In the event of a cyber-attack or similar emergency, an entity:
For more information regarding these security and response requirements, visit https://www.hhs.gov or https://www.healthit.gov. For additional information regarding the Breach Notification Rule and the steps that must be taken when a breach occurs, visit https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.