As a practicing psychiatrist, your day is spent with your patients; you listen to them describe their health histories and you administer mental health tests, prescribe medication, engage in therapy, and review patients’ records. When do you have time to think about the best way to protect all of the patient information you gather daily? And in the event your laptop computer, personal digital assistant (PDA), or smart phone is lost or stolen, what do you need to do if any of these devices contained patient information?
My objective is to give the practicing psychiatrist a short primer on how to address these 2 questions:
• How do you protect the patient information you have on your laptop computer, PDA, or smart phone?
• What should you do if any of these devices get lost or stolen and have patient information stored on them?
You are well aware that the psychiatric patient information you hold is some of the most sensitive and personal health information that exists. At a recent conference where I spoke, many of your colleagues told me they refuse to store patient information on a laptop, PDA, or smart phone, and instead maintain confidential and secure paper-based records. While this may reduce the risk of this information being stolen by electronic means (ie, a hacker breaking into your server or an identity thief stealing your laptop), in several states, the unauthorized disclosure due to loss or theft of paper-based patient records requires legal notification to the affected patients. In California, notification needs to be made within 5 business days from the day a breach is discovered.
What changed on February 17, 2009? Federal legislation called the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act. It promotes the adoption and meaningful use of health information technology. It also addresses privacy and security concerns with the electronic transmission of health information by strengthening civil and criminal enforcement of the Health Insurance Portability and Accountability Act (HIPAA). In short, this act requires that all covered entities or business associates protect patient information and promptly notify individuals if their information is disclosed in an unauthorized way (ie, lost or stolen with the potential to create reputational, medical, financial, or other harm, such as identity theft or health care fraud). Within the context of this legislation, you, the psychiatrist, are considered the “covered entity.” An example of a business associate would be the company where you host and manage your e-mail and practice management systems.
Protecting patient information is an essential part of maintaining patient trust. Yet you might ask, does the HITECH Act apply to me and my practice or small clinic? The answer is more than likely “yes”—especially if you use an electronic health record system to bill your patients or for insurance claims. And, remember: the state data breach notification laws also apply to your practice. So where do you start with regard to protecting your patient information? The suggestions I outline here are for solo practitioners.
Protecting patient information
Data encryption. Implement data encryption on your laptop, PDA, or smart phone. Data encryption makes information unreadable on these devices by unauthorized persons (ie, someone who stole your laptop). It also provides safe harbor under the HITECH Act and state breach notification laws. This means that the data are considered secure; as such, the requirement to notify individuals is eliminated. You can buy data encryption software at your local computer store.
Use secure e-mail. E-mail services are available that provide encrypted transmission and other protections to ensure security and regulatory compliance. Free e-mail tools are available that provide adequate privacy and security controls and protect your e-mail from being intercepted and read without your or your patient’s authorization.
Security assessment. Perform a security assessment and determine where your patient information is. The HITECH Act requires an annual security assessment to identify vulnerabilities in how you secure patient information. This assessment should also help you understand where your office stores patient information today and how it is shared or transmitted to other providers, payers, and your patients. Many breaches occur because doctors do not know where these data are kept and how the information flows to others in day-to-day practice. There are experts who can help with this assessment (see Sidebar, “Risk Analysis,” by Eric Nelson).
Buy data breach insurance. A new insurance product has emerged over the past few years to mitigate the financial cost of a breach of patient information. It covers the majority of costs associated with responding to a breach—including computer forensics investigation, consumer notification, legal advice, identity theft monitoring, and victim restoration services. Talk to your insurance professional to understand your options and obtain a policy that is right for your practice (see Sidebar, “Data Breach Insurance,” by Mark Camillo).
What to do if you discover a data breach
Now that you have taken reasonable steps to protect patient information, let’s talk about what you do if you discover a data breach. Let me start by highlighting a few examples that might alert you that a data breach has occurred.
• You walk into your office in the morning and your office assistant tells you that someone has stolen all the computers and backup disk drives
• You are sitting on an airplane getting ready to fly home from a conference and suddenly realize you forgot your smart phone in the taxi . . . or was it the restaurant
• You return to your car after attending to several patients at your clinic and realize your car has been broken into and your backpack containing paper-based patient files is missing
• Your home computer with patient records is displaying a flashing message telling you it has been taken over by a virus and all of the files have been forwarded to everyone in your electronic address book
If you find yourself facing any of these scenarios, this doesn’t necessarily mean you have a data breach situation. If your patient information was encrypted and you implemented the suggestions outlined in this article, your patient information is secure and would not trigger federal or state data breach notification laws. However, read on for suggestions if this was not the case.
Determine what the laws are. Call your attorney to determine whether there are federal or state data breach notification laws that apply to the situation. The circumstances of each data breach are unique and the laws that apply are evolving. Your attorney can determine the specific laws that apply and provide legal advice on how to comply.
Determine what data were lost. Engage a computer forensics expert to determine what data were lost or stolen and whether there is a potential for misuse. It is important to first understand whether there was patient information on the affected device. This is easier said than done, because in many cases, you may not know what information was on your device. Patient information may have been in a spreadsheet or document or an insurance claim file. A forensics expert can also determine whether any of the information was accessed and who accessed the information. You may be able to confirm that there was no patient data on the device or that no one accessed it, which reduces the risk of it being misused.
Deploy the breach response team. This is the group of professionals whom you designate to manage the response to the data breach. It includes your attorney, forensics expert, office manager, and others who can provide an effective response so you can remain productive in your practice. The response team provides crisis management and manages all of the vendors who help with consumer notification; call center services; and identity protection services that mitigate the regulatory, reputational, legal, and other risks of a data breach. You can engage an organization that manages this process if these resources are not available to you or your practice. It is best to engage such an organization before a breach and to get an agreement for services.
Notify affected patients and the appropriate regulatory agencies. This step is the foundation for both federal and state compliance with the breach notification provisions of the various laws. It helps the patients affected by a breach take action to protect themselves from identity theft and other forms of health care fraud. If the breach involved 500 or more records, you will be required to notify Health and Human Services and in some cases local media concurrently. Many organizations also notify the state attorneys general and insurance commissioners where affected individuals live. Expect the Office for Civil Rights to initiate an investigation of a breach of more than 500 records, and be prepared to show the steps your practice had taken to protect patient information and to close the security gaps that caused the breach.