The figure is frightening: According to a recent prediction from IDC Health Insights, one out of three individuals will have their healthcare records compromised by cyberattacks in 2016.
That’s a lot of data — names, social security numbers, detailed health records — that could end up in the wrong hands. And while it’s true that most attacks will likely be perpetrated against large systems — think Anthem, Premera, and the other big breaches of 2015 — the prediction should give pause to anyone who works in medicine.
After all, if you experience a breach that involves Protected Health Information (PHI), the release itself may be just the start of your troubles. As recent articles in HIPAA Journal note, there’s been a flurry of enforcement actions that have cost healthcare providers hundreds of thousands of dollars:
- In early November, Hartford Hospital reached a $90,000 HIPAA settlement over the theft of a laptop that contained patient data.
- In late November, Lahey Hospital & Medical Center settled a HIPAA violation for $850,000, also over a stolen laptop.
- In December, University of Washington Medicine agreed to pay a fine of $750,000 after members’ PHI was compromised after an employee fell for a malware-infected email scam.
While all of the above incidents involved intentional malfeasance, the more likely risk for most practices is from accidental violations, such as inappropriate content shared via social media. And since social healthcare is here to stay, now is a great time to ensure that you’re doing everything you can to protect patient privacy in an arena that’s all about sharing.
These suggestions from privacy expert Rebecca Herold (as quoted in a recent article in CSO Online) offer a good place to start:
- Establish documented social media use policies and procedures — and make sure all personnel know and follow them. [Many HIPAA violations, says Herold, have occurred within social media from staff posting photos of patients, making comments about patients, and responding to patients on social media sites.]
- Remember that just because some of a patient’s PHI (e.g., name, photo, phone number, etc.) may be publicly available online, it does not mean that those specific PHI items no longer need to have HIPAA safeguards applied.
- Establish a procedure to let patients know that you will not communicate with them online about their treatment, payment, or specific healthcare operations. [If they’ve provided consent, such discussions may be permissible but the better plan is to take the conversation offline.]
- Establish a policy to not respond personally to negative social media comments.
- When offering insights online, including on social media sites, avoid any detailed examples about specific patients. Posts should be for such things as general recommendations
Clearly, such advice is highly generalized and, as with most things, one size does not fit all. For example, the article advocates not posting patient photos at all, an idea that simply isn’t feasible in a discipline where many potential patients won’t even consider a doctor who doesn’t have a good selection of before and after photos.
And while the author maintains that participating in social media is “strictly optional,” that’s not necessarily so in a field where potential patients overwhelmingly expect doctors to engage with them online. The better approach is to identify the areas that may be prone to violations — a good subject for a subsequent post — and, working with counsel, develop specific rules that will protect both your patients and your practice.