The privacy of patient data is protected by the Health Insurance Portability and Accountability Act (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health Act.1 But the complexities of today’s high-tech methods of communication, data sharing, and data storage lay practices open to unforeseen and constantly changing threats, requiring vigilance and training of medical staff.
This second article devoted to cybersecurity takes a closer look at protecting patients’ privacy. To gain further insight into this complex subject, MPR interviewed Michael J Sacopulos, JD, CEO of Medical Risk Institute (MRI), a firm that provides “proactive counsel” to the healthcare community to identify where liability risks originate and to reduce or remove those risks. He is also General Counsel to Medical Justice Services. Mr Sacopulos is the coauthor of Tweets, Likes, and Liabilities: Online and Electronic Risks to the Healthcare Professional (Phoenix, MD; Greenbranch Publishing: 2018).
What do you think the greatest threat is to HIPAA in physicians’ practices?
Some of the issues I discussed in our previous interview are central in potential HIPAA violations. In particular, I’m talking about lack of cyber-hygiene, by which I mean the numerous human errors that can compromise patient privacy, even with the best software and firewalls. We already discussed the importance of training staff not to click into unknown e-mails often called “phishing” e-mails, which are cyber attacks that open the door to hackers to access your system or install malware on your computers. Teaching your staff to recognize these scams and malware e-mails is critical.
What other potential concerns might compromise privacy?
An important area of concern is the location where you and your staff access any practice-related Internet. If you have an employee, consultant, or contractor who works remotely – for example, a bookkeeper or someone who does medical billing – you need to be sure that several important things are in place.
Neither you nor your employee should be using the free Wi-Fi at Starbucks or the library or the airport, for example, to do any e-mailing or work on patient records, since those are not secure connections and can easily be hacked. Additionally, in a public place, a person sitting near you, or a passerby can catch a glimpse of a patient’s name or some other information or might even use their own cellphone to photograph it.
Employees who work from home should have a dedicated work space, such as a home office, with a door that closes and file cabinets that can be locked and secured from others. The office shouldn’t double as the guest room or children’s bedroom. And the employee should dedicate specific time and space to working on practice-related matters and not multitask. I’ve seen situations in which the person who does billing was working on generating electronic bills while trying to cook dinner for her family and having the computer or paperwork on the table.
Any conversations about patients, whether you are returning a patient’s call or whether your staff member is talking to an insurance company, should be conducted in private where no family members or others can hear you. One doctor was discussing a child’s bedwetting problem with a parent within earshot of his own children. It was a small town and the doctor’s children went to school with the child who had the bedwetting issue. Soon, it was public knowledge in the classroom and the other children teased the boy with the problem. This took place in the days before HIPAA was put into place, but the issue could just as easily take place today if patient-related conversations could be overheard.
Equally important is making sure there is a dedicated computer used for nothing other than practice-related matters. The computer should have a secure password and should not be shared by others, such as one’s children who are using it to do their homework or play video games.
Are there any software-related issues to be concerned about?
You should have good firewalls proper encryption for patient portals and modes of communication. It is extremely important to keep software supported and up to date. If the manufacturer recommends updates, they must be installed promptly so that your software remains secure. Updates are “patches,” which the manufacturer recommends if they find vulnerabilities. Older versions of software eventually are no longer supported by the platform, such as Microsoft. Beyond being unreliable, outdated software is vulnerable to cyber breaches. The government’s position is that if the software is not supported, this constitutes a per se violation.
How can a practice increase its security?
I cannot emphasize enough what I mentioned in the previous interview, which is to engage a professional IT expert to conduct and troubleshoot software issues or handle phishing e-mails and potential breaches. A professional IT expert should also conduct an annual risk analysis and advise on what needs improvement.
You should regularly review who in your practice has access to which type of information. Staff members who do not need to access patients’ electronic health records (EHRs), meaning they are not involved with the care of a given patient, should be prevented from accessing that patient’s records. The e-mail accounts and passwords of former employees should be immediately deactivated so they can no longer access your network. This is equally true if you have a storage area of paper files. The ex-employee’s key or swipe card should be returned and if there is a combination lock, the combination should be changed.
Lastly, make sure you have policies in place regarding your employees’ use of social media and e-mails and access.
What about the use of mobile devices?
Any cellphone used for your practice has to be password protected, so that if it gets lost or stolen, any information is secure. Most standard Androids and iPhones today have passwords that are encrypted and therefore secure.
Another concern relates to texts. Are your texts secure or not? And, equally important from a patient safety perspective, does the content of the text ever make its way into the patient’s chart? Conversations between physicians over text, or between the physician and the patient, need to be entered into the chart for continuity of care and so that if the phone is lost or stolen, no important patient information is lost.
If a physician or other practitioner uses a cellphone to photograph a patient — for example, a dermatologist has photographed a patient’s rash — this should also be entered into the patient’s chart as soon as possible.
Are there any other concerns related to photographs and patient privacy?
There are some obvious concerns. No photographs of a patient should appear anywhere outside of his or her chart — for example, nothing should ever be posted on the practice’s Website or newsletter, or on an employee’s social media.
I know that physicians sometimes use close-up photographs of de-identified patients at medical meetings for demonstration or to discuss a particular disease or condition — perhaps a rash or surgical incision. But the law is very clear that the picture can’t be identifiable as any particular person to anyone else, even a spouse.
I had a case in which a woman had a breast augmentation and the surgeon took a before/after picture of her torso, which was later used in a medical presentation — without identifying information, of course, and without revealing any other body parts such as face, head, arms or legs. But the patient brought a suit claiming that she had a unique freckle pattern on her chest that could be identifiable to some people. The case was settled.
My advice is to obtain a patient’s permission if you want to use any images in a conference or a journal article. This can be done quite easily with a one-page document that should remain in the patient’s chart. In my experience, very few patients will refuse to allow their de-identified photograph to be used if they understand that it is for the purpose of medical education of other healthcare professionals.
As cumbersome as it can be to set up appropriate protocols and adequately train staff, it is essential, not only to protect you from potential litigation or disciplinary action but also to protect patient privacy and enhance patient safety.
McCoy TH, Perlis RH. Temporal trends and characteristics of reportable health data breaches, 2010-2017. JAMA. 2018;320(12):1282-1283.