Health IT Outcomes reported that 2016 will mark “the end of EHR/MU’s five-year reign as the top health IT initiative with Protected Health Information (PHI) security taking over the top spot.”
I agree with the article author’s assessment that there are multiple PHI security and privacy concerns as we enter the second month of this new year. The top risks I see include:
- Mobile device protection: Device theft is a major risk, but so is how PHI is exchanged using these devices.
- Data segmentation: Ensuring disclosed PHI includes only the information the patient has authorized providers to share is an emerging challenge in our electronic age.
- Data integrity: Errors, redundancies and gaps in the electronic medical record (EMR) can result in inaccurate Release of Information (ROI), such as including PHI about the wrong patient because records were commingled. That is an impermissible disclosure, which is presumed to be a breach under the HIPAA Breach Notification Rule.
- Cybercrime: Hackers are developing new techniques to steal PHI from hospitals.
However, a substantial PHI privacy and security issue that providers have an opportunity to control is the PHI disclosure process occurring within their own organizations. As we will explore in this post, establishing standardized disclosure policies and procedures and partnering with a tech-savvy PHI disclosure management partner can address emerging privacy and security issues and limit breach risk.
Small breach risk escalating
All indicators are pointing toward an increased focus in 2016 on small breaches, defined by the Department of Health and Human Services' Office for Civil Rights (OCR) as those affecting fewer than 500 individuals. These breaches are often the result of an organization's failure to fully implement compliant privacy and security policies and procedures around the disclosure of PHI.
Research conducted by the news organization ProPublica last year found about 1,400 large breaches (500 or more individuals) reported since 2009, but also more than 181,000 small breaches. Despite their smaller size, small breaches are just as impactful to providers and carry similar financial implications. According to a report by the American National Standards Institute (ANSI), each incident can cost $8,000 to $300,000, not including HIPAA civil monetary penalties. Those penalties can reach $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision.
While cybercrime or device thefts make for sensational headlines, breaches due to employee or organization errors are also reported in the news and can spread virally in social media, resulting in loss of brand value. As these trends continue, patient awareness of privacy and security concerns will increase, as will their expectations when a privacy and/or security event occurs.
Breach prevention tips
To protect your organization, establish and train a privacy and security incident response team before a breach occurs. Standardizing and enforcing policies and procedures around PHI access, use and disclosure in all departments is also important to mitigate breach risk.
In addition, mitigation includes educating your staff on risks, such as how rushing through a request leads to careless mistakes that result in improper disclosure of health information. With PHI disclosure, we are called to strike the right balance between efficient workflows and excellence in accuracy.
Another best practice is to leverage technology to make the process secure, reliable and efficient. For example, MRO's ROI solution includes the IdentiScan® data integrity application, which uses optical character recognition (OCR) to read medical documentation and identify commingled records. Flagged errors are reviewed and corrected by MRO's Quality Assurance (QA) team before any PHI is disclosed.
MRO is expanding IdentiScan's capabilities this year to better ensure data integrity within a health system's EMR. There are many points at which patient records can become mixed, and by applying IdentiScan in this new way, we help identify and correct commingled records at every stage.
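To make the idea of a pre-disclosure data integrity check concrete, here is an added example of the kind of logic such a tool runs over OCR'd page text. It is illustrative code written for this post, not MRO's code and not how IdentiScan actually works (the post does not detail that). The patient, MRN format, page headers and OCR misread on page 3 are all constructed for the example, and the two-identifier matching rule is an assumption.

```python
import re

# Characters that OCR commonly misreads as digits. Applied only to numeric fields
# such as the MRN and date of birth, never to names.
_OCR_DIGIT_FIXES = str.maketrans({"O": "0", "o": "0", "l": "1", "I": "1", "|": "1"})

# Header layout assumed for this example: "PATIENT: LAST, FIRST   MRN: nnn   DOB: MM/DD/YYYY"
_MRN_RE = re.compile(r"MRN:\s*([0-9OolI|]+)")
_DOB_RE = re.compile(r"DOB:\s*([0-9OolI|]{2})/([0-9OolI|]{2})/([0-9OolI|]{4})")
_NAME_RE = re.compile(r"PATIENT:\s*([A-Z][A-Z'-]*),")

# Constructed sample: the ROI request is for one patient, and four OCR'd pages were
# bundled for release. Page 2 belongs to a different patient (commingled record),
# page 3 has an OCR misread in the MRN ("l" for "1"), and page 4 carries no header.
REQUEST = {"mrn": "00123456", "dob": "1974-03-12", "last_name": "SAMPLE"}
PAGES = [
    "Page 1 of 4\nPATIENT: SAMPLE, JANE Q   MRN: 00123456   DOB: 03/12/1974\nProgress note ...",
    "Page 2 of 4\nPATIENT: SAMPLES, JOHN   MRN: 00123457   DOB: 07/01/1968\nDischarge summary ...",
    "Page 3 of 4\nPATIENT: SAMPLE, JANE Q   MRN: 00l23456   DOB: 03/12/1974\nLab results ...",
    "Page 4 of 4\n(continued) Medication list ...",
]


def normalize_digits(s):
    """Repair common OCR digit confusions in a numeric field."""
    return s.translate(_OCR_DIGIT_FIXES)


def extract_identifiers(page_text):
    """Pull the patient identifiers printed in a page header; missing fields are None."""
    ids = {"mrn": None, "dob": None, "last_name": None}
    m = _MRN_RE.search(page_text)
    if m:
        ids["mrn"] = normalize_digits(m.group(1))
    m = _DOB_RE.search(page_text)
    if m:
        mm, dd, yyyy = (normalize_digits(g) for g in m.groups())
        ids["dob"] = f"{yyyy}-{mm}-{dd}"  # store as ISO date for comparison
    m = _NAME_RE.search(page_text)
    if m:
        ids["last_name"] = m.group(1).upper()
    return ids


def check_bundle(request, pages):
    """Compare every page's identifiers with the requested patient.

    Returns a list of findings; an empty list means every page was positively
    matched. Two rules: any identifier that contradicts the request is a
    mismatch, and a page that matches fewer than two identifiers is reported as
    unverifiable, because a page that cannot be tied to the patient must not be
    released on the strength of silence.
    """
    findings = []
    for page_no, text in enumerate(pages, start=1):
        ids = extract_identifiers(text)
        page_findings = []
        matched = 0
        for field in ("mrn", "dob", "last_name"):
            found = ids[field]
            if found is None:
                continue
            if found == request[field]:
                matched += 1
            else:
                page_findings.append({"page": page_no, "field": field, "reason": "mismatch",
                                      "expected": request[field], "found": found})
        if not page_findings and matched < 2:
            page_findings.append({"page": page_no, "field": "*", "reason": "insufficient identifiers",
                                  "expected": None, "found": None})
        findings.extend(page_findings)
    return findings


def release_allowed(findings):
    """The bundle may leave the organization only when QA has nothing left to resolve."""
    return not findings


if __name__ == "__main__":
    for f in check_bundle(REQUEST, PAGES):
        print(f"page {f['page']}: {f['field']} {f['reason']} (expected {f['expected']}, found {f['found']})")
```

Run against the constructed bundle, the check holds the release: page 2 is flagged on all three identifiers, page 3 passes once the OCR misread is normalized, and page 4 is flagged as unverifiable rather than silently waved through. The point for a disclosure workflow is the hold itself; a human QA reviewer then resolves each finding before any page is sent.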
At the upcoming HIMSS16 conference in Las Vegas, my colleague David Borden, MRO’s CTO and inventor of IdentiScan, and I will be showcasing IdentiScan at MRO’s booth #6454. In our presentation, we will focus on how this kind of technology can safeguard healthcare organizations against breach and contribute to your Information Governance goals for data integrity.
For more information about our presentation and all the events at MRO’s booth, view our schedule.