Medical Practice Managers have superhuman abilities; in case you didn’t know.
They use their powers of smarts, speed, and determination to keep the medical practice, human resources, IT, financial, and billing departments running smoothly so that their staffs can care for hundreds, sometimes thousands, of patients.
And being the brilliant business folk that they are, many practice managers partner with C Spire Business, IT experts, allowing us to support clinical systems that collectively serve more than 1 million patients each year. We are often asked what basic steps a practice should take to make their patient data more secure.
The advice we give, and wish ALL practice managers knew, is this: Don’t gamble with HIPAA.
We know you’ve been through HIPAA training and have heard all the facts, but let us walk you through a more realistic scenario: a very preventable one that can cost upward of $1.5 Million.
No Average Monday
It’s Monday morning, and you’re met at the door by a worried Cathy in billing. She explains that her work laptop was stolen from her car when she stopped for groceries on her way home from work Friday night.
As the practice manager, you have to determine what this means for your business. You visit the Department of Health and Human Services (HHS) website, where you find the Breach Notification Rule.
It says a breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
And that’s when you know.
“There is patient data on that laptop that is easily identifiable. It must be a breach,” you tell Cathy.
What Happens Next
You read the Breach Notification Requirements and find that you must notify several parties involved in the breach:
- The individuals whose Protected Health Info was compromised
- The local media, since the data loss likely included over 500 patient records
- The Secretary of HHS
In addition, your practice will be listed on the Department of Health and Human Services Office for Civil Rights breach portal, commonly known as the “Wall of Shame.” All because of a single stolen laptop.
You’ll learn that in addition to the notification requirements, the costs of notifying patients, and the damage to the practice’s reputation, the practice is also open to several civil penalties, in some cases up to $1.5 Million.
So now you wonder what you could have done, or can do in the future, to prevent this from happening. It’s called encryption.
An Ounce of Encryption …
After some digging, you find something called the “Encryption Safe Harbor.” It turns out that if Cathy’s laptop had been encrypted, the data on it would have been “inaccessible to impermissible use or disclosure.” Encryption is the translation of data into a secret code that only the holder of the key can unscramble; whoever took the laptop would have the hardware, but not the patient records on it.
In short, if Cathy’s stolen laptop had been encrypted, this wouldn’t have been a breach.
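The safe harbor only helps if every laptop that leaves the building is actually fully encrypted with protection turned on, so the practical follow-up is a quick audit. The script below is an added example, not code from C Spire Business or from this post; it assumes Windows laptops using BitLocker (the built-in Windows full-disk encryption), the BitLocker PowerShell module being available, and an elevated PowerShell session.

```powershell
# Added example (not part of the original post): check whether every fixed drive on
# this Windows laptop is fully encrypted by BitLocker with protection switched on.
# Assumes the BitLocker module (Windows Pro/Enterprise) and an elevated session.
function Test-LaptopEncryption {
    [CmdletBinding()]
    param()

    # One row per volume: drive letter, encryption state, and whether protectors are active.
    $report = foreach ($v in Get-BitLockerVolume) {
        [PSCustomObject]@{
            Drive      = $v.MountPoint
            Status     = $v.VolumeStatus          # e.g. FullyEncrypted, FullyDecrypted, EncryptionInProgress
            Protection = $v.ProtectionStatus      # On means the key protectors are enforced
            Percent    = $v.EncryptionPercentage  # 100 once encryption has finished
        }
    }

    $report | Format-Table -AutoSize

    # A drive that is decrypted, still encrypting, or has protection suspended
    # would not qualify for the safe harbor if the laptop were lost today.
    $unprotected = $report | Where-Object {
        $_.Status -ne 'FullyEncrypted' -or $_.Protection -ne 'On'
    }

    if ($unprotected) {
        foreach ($u in $unprotected) {
            Write-Warning ("Drive {0} is not fully protected (status {1}, protection {2})." -f
                $u.Drive, $u.Status, $u.Protection)
        }
        return $false
    }

    Write-Output "All volumes are fully encrypted with protection on."
    return $true
}

# Usage: run as administrator on the laptop being checked.
Test-LaptopEncryption
```

The function returns $false as soon as any volume falls short, which makes it easy to run across a fleet through your management tooling and flag laptops that still need attention; note that a drive can report FullyEncrypted while ProtectionStatus is Off (for example, after a suspended upgrade), which is why both fields are checked.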
You remember a few months back your IT company recommended you encrypt the practice’s computers, but you thought it was an unnecessary expense and highly unlikely that your practice would ever need it.
It was a costly gamble that you lost.
… Is Worth a Pound of Cure.
Encryption is a simple tool that can save you and your practice tremendous time, energy, and money before a breach ever happens. But most importantly, it allows practice managers to do what they do best: continue to be superheroes! Talk to your IT department or company about encrypting your devices.
Learn more about protecting your business with a free download of our Ultimate Guide to Data Security.