Privacy and security officers have to comply with more rules than ever. The Federal Trade Commission's Red Flags rule, existing HIPAA laws, and the new Health Information Technology for Economic and Clinical Health (HITECH) Act require that covered entities:
How should your facility handle these added regulations? Implement a three-step process that protects all patient information by planning what to do before, during, and after a security incident, says Andrew E. Blustein, Esq., partner and cochair of Garfunkel Wild & Travis, PC's Health Information and Technology Group, in Great Neck, NY, Hackensack, NJ, and Stamford, CT.
"A medical record is chock-full of information that an identity thief can use to its advantage," says Blustein. "It's basically a treasure chest of credit card numbers, Social Security card numbers, and everything else someone needs to steal an identity."
Before the breach
Mitigate harm resulting from identity theft by preventing breaches from occurring, says David A. Mebane, Esq., senior vice president for legal affairs at Saint Barnabas Health Care System in West Orange, NJ.
"You want to create the right amount of technical safeguards so your patients are protected," says Mebane.
HHS also provides specific guidance for securing portable devices.
Establish policies and educate employees and vendors about their responsibility to protect information and report incidents, says Mebane.
"You'll also want to perform regular audits so you have a way of detecting breaches," says Mebane. "Once the information has been stolen and is in the wrong hands, a lot of the damage will already have been done."
Create an incident response program, advises Blustein. Form teams and designate leaders responsible for responding to and investigating any breaches. Ensure that your policies specify: