No company is immune to a data breach that could severely compromise your records and your credibility with customers. Every healthcare company should have a data security and privacy plan that identifies potential threats and outlines how to deal with them.
You also should review your plan on a regular basis and have the plan audited by an appropriate agent. Healthcare security consultants, accrediting agencies and others can proactively audit your plans and make suggestions on how to improve.
While it’s highly unlikely that you’ll ever face a federal audit, a significant breach can trigger an investigation that includes your data and security plans. Having a plan may not assuage hefty fines if that plan hasn’t been tested through an audit.
Whether you’re a small provider, large provider, health system, billing company, health plan or healthcare vendor, the advice is the same: you need a plan and you need to audit it.
The eight reasons you need an audit can be divided into two categories: the bad things that can happen if you don’t do an audit, and the good things that can happen if you do.
First off, the bad:
- Think about the literal cost to your business, if your data gets into the wrong hands. In just the first six months of this year, the Office of Civil Rights (OCR) agreed to almost $15 million in settlement payments with covered entities and their business associates. In July alone, the agency compelled two health systems to pay a combined $5.5 million for violations of the Health Insurance Portability and Accountability Act (HIPAA) involving data breaches that affected 13,000 patient records. The fallout from just one corrupted patient data file can be breathtaking; one of the two offending health systems cited in July settled at a cost of $2,000 per record.
On average, it costs a healthcare organization more than $2.2 million and its business associates more than $1 million for a data breach. Is it worth risking that by taking an “it-can’t-happen-to-us” attitude?
- The chance of a data breach is greater than you think. The Ponemon Institute’s latest annual survey on healthcare data privacy and safety found that nine out of 10 healthcare organizations had reported a data breach within the past two years, and 45 percent of the respondents reported more than five such data thefts in that period. And if you’re a private practice or a general hospital, it’s more likely that you’ll sustain HIPAA violations that any other categories of healthcare providers.
- A breach won’t just cost you money. It’ll cost you your reputation and the confidence of the people who do business with you. A breach in excess of 500 records must be reported to the OCR, and appears on its public website. Meanwhile, local media and every patient that potentially could be affected must be notified. That kind of negative publicity could create another kind of breach: one of trust between your business partners and customers.
- Because even the smallest healthcare providers are using electronic health records systems, issuing prescriptions through digital apps and sharing data electronically with other care partners, a data breach can happen at any place where data is handled or transmitted within your organization. That involves every employee and every interface between electronic systems.
On the other hand, there are four compelling reasons why an audit can be a good thing.
- An audit is like life insurance for your business, and it’s not hard to find capable, reputable auditing bodies to perform one. While very small providers can’t afford full-time data security coverage, there are third-party resources available that can help healthcare practices determine the kind of security and privacy plan they need, set up that plan and proactively monitor it to protect those providers in case of a data breach or regulatory audit.
- Your data plan, which you can strengthen and validate by the voluntary audit you commission, can be so comprehensive that nothing is left to chance. It can include step-by-step instructions to undertake if a data breach or attack occurs, specific training for all relevant employees and specific responsibilities for business associates who may access sensitive information.
- Setting your own audit in motion will help you uncover any data system flaws or breaches that exist before they might come to the attention of the OCR, or the public. In fact, most data breaches (58 percent) are uncovered during audits and assessments.
- If you need in-depth auditing and accreditation services to protect your data and attest that it hasn’t been compromised, organizations such as the Electronic Healthcare Network Accreditation Commission (EHNAC) and other third-party organizations can furnish them. The benefits are considerable: in 2012, the Utah Health Information Network (UHIN) was one of just two clearinghouses with zero findings following an OCR audit. UHIN attributed its success to an earlier audit by EHNAC, where UHIN since 2004.
Four carrots and four sticks. Whatever motivation you need, your company must enact a plan for dealing with protected health information. A plan that’s checked regularly, updated periodically and audited occasionally to ensure your data is safe.
Not every provider, clearinghouse, health plan or business associate needs the same type of plan or level of auditing scrutiny, but they all need a data protection plan and an audit to verify it or fill in its coverage gaps. The failure to do so can risk devastating consequences.
What Organizations Are Most at Risk?
According to the OCR, private practices are most likely to be required to take corrective action to achieve voluntary compliance with HIPAA privacy mandates. Compiled from the compliance date (2013 for business associates and 2003 for all other covered entities) the following lists likelihood of a violation, ranked by frequency:
- Private practices
- General hospitals
- Outpatient facilities
- Pharmacies
- Health plans (group health plans and health insurance issuers)
From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Use or disclosure of more than the minimum necessary protected health information
- Lack of administrative safeguards of electronic protected health information
Lee Barrett is executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC). He can be reached at [email protected].