Unfortunately, medical data security breaches are a larger part of practicing medicine than they should be. In the 2013 HIMSS Leadership Survey, 19% of health IT professionals from provider organizations indicated their organization faced a security breach within the past year.
Implementing practices to avoid a medical data breach greatly reduces the risk of encountering one. In the event that you do, however, you need to be prepared to take action that lessens the repercussions from patients, the public, and of course, HIPAA.
Today we look at the fictional security breach of Dr. Pepper’s practice and what he did to minimize the damage.
One sunny Friday morning, Dr. Pepper is on the way to his practice when he receives a call from his office manager. She tells him the practice was broken into, and a computer holding unencrypted patient data is missing. Dr. Pepper is shaken and about to blow his cap.
He knows about the maximum fine of $50,000 for HIPAA security violations, so he’s feeling the pressure. Fortunately, he remembers his practice’s procedure manual contains a quick checklist of what to do in case of a security breach. It reads:
- If data is stolen, notify the local police and file a report
- Attempt to isolate and take down the data so the compromised information can't be used
- Follow the HIPAA Breach Notification Rule:
  - Individual Notice
    - Notify all individuals affected by the security breach via first-class mail, or, if agreed upon before the breach, through email
  - Media Notice
    - If more than 500 patients are affected, provide notice to prominent local media outlets
  - Notice to the Secretary
    - Submit a breach report form to the Secretary of Health and Human Services (HHS)
  - Notification by Business Associate
    - If a business associate is the cause of the breach, obtain the identity of each affected individual from the associate so they can be notified
- Find and plug the hole that caused the security breach
Dr. Pepper followed the checklist precisely, but one of his patients still filed a complaint with the Office for Civil Rights (OCR). Yet, because he had covered his bases, he was only hit with a relatively small penalty of $1,000, the minimum for a HIPAA violation due to reasonable cause.
In the end, Dr. Pepper was down $1,000 and a computer, but things could've been far worse.
Minimizing the damage to both your image and your pocketbook is all you can ask for when managing a security breach. Handling the situation like our fictional Dr. Pepper should help you do that, but hopefully you'll never be in the same position.