Data breaches are no longer abnormal – we hear about them daily across all industries. It certainly seems like no company, provider of services, or industry is safe, and that’s definitely the case with healthcare. In fact, a joint report published in March from Protenus and Databreach.net indicated that healthcare is the most afflicted sector with the highest majority of breaches. With healthcare so heavily targeted for nefarious attacks, it’s no secret that practice administrators and providers are scared that they will be the next headline, doing what they can to prevent any such incident from happening. But while focusing on the big, scary, external attacks, have we lost sight of incidents that occur within our own staff and facility? It’s not a matter of “if” for these smaller incidents, but rather, “when”, and having a rock-solid remediation plan is key to separating good organizations from great ones.
Breaches, frequently called unauthorized or wrongful disclosures in healthcare, occur when protected health information (PHI) ends up in the possession of a person or place where it’s not authorized to be. In healthcare, we hear about these situations when there’s a large breach – over 500 patients. This is because when more than 500 patients in a state are impacted by a healthcare breach, it must be reported to the Office of Civil Rights in a short time frame. But most healthcare organizations, including ScanSTAT, have never had a breach impacting more than 500 patients. Does that mean all healthcare organizations are free and clear? Not so fast.
As an industry, we’re not used to discussing the small unauthorized disclosures – the ones that impact one or two patients. That’s why a list of 12 healthcare privacy events that happened during the month of May caught my attention – number 12 was a single-patient incident. A patient made national news after she received the incorrect medical records in the mail. If you’ve worked in a healthcare setting, you are likely not surprised by a story of a patient receiving the incorrect records. While we focus our time and energy on preventing the nefarious attacks and breaches, small unassuming unauthorized disclosures happen within healthcare every day, multiple times a day. A fax number is entered incorrectly, a document is misfiled in the wrong chart and not caught in audit, and like in this case, envelopes to mail out records get accidentally switched – the patient gets the wrong records.
Because smaller healthcare breaches are not reported publicly, it’s difficult to say just how many occur in a calendar year. From our experience in health information management, a practice of five providers will experience at least one breach a year. At ScanSTAT, even with an industry leading 99.97% accuracy rate, we’ve still experienced breaches too – mistakes occasionally happen.
Knowing that employees are human, and they will err, what separates good healthcare organizations from great ones is not the experience of an unauthorized disclosure (it happens to everyone!), but rather, the response to it. While the organization is required to conduct a breach risk assessment to assess the level of compromise to the PHI, consider expanding your Policies and Procedures to go above and beyond the basic standard – what else can you learn from a breach?
For instance, we don’t just take a breach at surface level. We dive deeper into why a situation occurred, if a policy was followed and failed, or if it was circumvented. This helps us see if we need a new policy, or if certain team members need to be trained on what the policy is. Additionally, analysis of these situations beyond the risk assessment has taught us where errors and unauthorized disclosures are more likely to occur. As a result, we’ve implemented additional quality assurance measures like when records go to a third party instead of a covered entity, they aren’t audited just once, they’re audited three times by three separate teams. There’s proof in the pudding of learning from your breaches! While the industry averaged over one breach per day, implementing these lessons learned resulted in a total of only 11 breaches for the year. If you’d like more guidance on handling unauthorized disclosures, we’re happy to help – check out our FAQ for more guidance.
Breaches, single-patient and otherwise, are a reality of the healthcare industry. But implementing strong remediation policies can help organizations move from the bare bones requirements to actually improving delivery of health information and preventing future incidents. If you’d rather get it off your plate to focus on patient care, we’re here and ready to help! Schedule a time with us today to learn more about how we not only have industry leading compliance rates, but unparalleled 24-hour turnaround times too.