Recent stories highlight the need for providers to be diligent in preventing unintended release of protected health information (PHI). Tragic losses of PHI occur through theft, accident or malfunctioning equipment. To protect the privacy of PHI, providers must be alert to behaviors of their employees, patients, and even individuals who have no relationship to the facility.
A Miami practice suffered a devastating loss when victims of an organized crime ring used women trained as medical receptionists to steal PHI. The PHI was used to submit false claims and cash checks from patient accounts. This breach might have been avoided if the provider required periodic employee criminal background checks.
The most common type of theft of PHI occurs when unencrypted company laptops are stolen. PHI on laptops should be encrypted and employees should lock their laptops whenever they are removed from the office.
PHI can also simply be removed from a provider’s office. A janitor who worked for a contracted cleaning service simply picked up PHI from a Chicago clinic that had been left out overnight by clinic staff. This breach could have been avoided by “reasonably securing” all PHI at the end of each day.
A more difficult security issue arises when PHI is stolen during business hours by a person with no relationship to a provider’s practice. For example, PHI was stolen from a medical center in Alabama by a friend who accompanied a patient to his doctor visit. The friend picked up the clinic’s surgery schedules that were left in a closed patient registration area.
Finally, equipment can be the cause of a breach of privacy. Malfunctioning automatic envelope stuffing machines can lead to release of PHI to the wrong people. In one case, the machine mismatched the documents and the envelopes, which led to patients receiving other patients’ information. In another case, the machine improperly stuffed envelopes such that the PHI appeared in the windowpane of the envelope. The information accessible from the outside of the envelope included patients’ social security numbers.
The costs to providers as a result of breach notification, patient harm, and loss of trust can be significant. It is critical that providers implement security measures to prevent these breaches.