Social media, email, smart phones, the cloud—all of these interactive technologies make it a cinch to share information with other people or companies. Although beneficial in many ways, readily accessible modes of communication and technology can make it more difficult to reliably preserve the privacy of protected health information. Think how easy it would be for someone in your practice to tweet about a difficult patient they just treated. Or to accidentally send an unsecured email to an insurance company about a patient’s bill that includes private patient demographic and clinical information.
Technology has certainly made it is easier to communicate with the world—and the world is listening. If you or someone at your practice inadvertently shares private information, the consequences for your practice—both in terms of civil and criminal repercussions—could be severe.
To avoid breaches in data security, your practice needs to be aware of what information you have that needs protecting, where the information is going and who is going to see it. You should spend time analyzing how data is used and shared in your practice so you can develop policies and procedures that ensure data security. Policies should consider things such as internal and external communications, vendor safeguards and security measures, and contractor confidentiality agreements. They should address all forms of communication in which your practice engages, including paper-based, electronic and everything in- between.
Any data security policies should apply to both clinical and administrative data. While the focus of HIPAA was originally pointed at administrative data, the trend toward interoperability has underscored the need to protect clinical data as well.
When it comes to data breaches, the more you know about the kinds of data you need to protect, the better off you are. The risk of these breaches is growing as the vehicles for communication become more plentiful and accessible. Taking time to assess where your practice could be at risk for releasing confidential information and implementing procedures to reduce those risks is time well spent.