Protecting Patient Privacy
Tier3MD prides itself on assisting practices with protecting patient privacy. Below are a few tips for patient privacy.
- Operationalize pre-breach and post-breach processes, including incident assessment and incident response procedures. Embedding breach-related processes into everyday business demonstrates what we call a culture of compliance—something regulators love to see.
- Restructure the information security function to report directly to the board. This move symbolizes a commitment to patient data privacy and security.
- Conduct combined privacy and security compliance assessments annually. A professional risk assessment is less than 1 percent the cost of the average data breach response, a wise investment by any standard. These assessments identify the gaps between an organization’s privacy and security profiles and what the law requires. An accurate assessment forms the basis for successful breach prevention and response measures.
- Update policies and procedures to include mobile devices and BYOD. This is especially critical since, as we discussed, the vast majority of organizations permit employees and medical staff to use their own mobile devices to connect to their networks or enterprise systems such as email.
- Ensure the Incident Response Plan (IRP) covers business associates, partners, and cyber insurance. Third parties can be the weak link in the PHI food chain. In 2011, for instance, a business associate of TRICARE reported a breach affecting nearly 5 million military clinic and hospital patients. In addition, many organizations have sought relief from the high cost of data breach response with cyber insurance. An effective IRP encompasses third-party contingencies and the role of cyber insurance in managing a security or privacy incident.
Perhaps the most disturbing statistic is that 54 percent of organizations have little or no confidence that they can detect all patient data loss or theft. Patient information is at risk, yet healthcare organizations continue to follow the same processes.