It can happen so quickly. A laptop goes missing. A thumb drive gets lost. Hard drives or tapes meant for recycling disappear on their way to processing. Then there is perhaps the most innocuous-looking case of all: your employees or members of your medical staff storing patient information in a consumer public cloud service with no Business Associate Agreement in place. It happens, and when it does, your organization faces large fines, business disruption, and perhaps worst of all, loss of patient trust.
Looking over the largest HIPAA breaches of 2012, nearly all fit one of the scenarios outlined above. One of the most recent examples, as reported by Healthcare IT News, involved a large academic teaching hospital. Several residents and other physicians there were inappropriately using Google cloud services to maintain departmental spreadsheets of patient data. It was the organization’s fourth HIPAA breach since 2009. The data stored in Google’s cloud included patient names, medical record numbers, ages, provider names, diagnoses and dates of service. Some files also contained patient addresses.
It’s easy to understand how HIPAA breaches happen. I’m sure the clinicians storing patient information in Google’s cloud had no ill will. They were just trying to come up with an easy way to store and share information with each other. Perhaps they weren’t even aware that such an activity could put patient information in jeopardy or that their organization is required to have signed Business Associate Agreement documents in place with any service provider who handles or stores such information.
There are ways to avoid all this, and it doesn’t always have to be complicated. Your organization’s IT policy should dictate that every desktop computer, laptop, tablet and other device used to store patient information is encrypted by default. For devices running Microsoft Windows this can be as simple as making sure that every device on your network has BitLocker turned on, with the recovery keys escrowed centrally so a forgotten PIN or a replaced motherboard does not turn into a data loss of your own making. BitLocker To Go should likewise be used on any external drive or thumb drive, and Group Policy can deny write access to removable drives that are not BitLocker-protected, so a clinician cannot copy a spreadsheet onto an unencrypted stick in the first place. Together these measures ensure that if a device is stolen or goes missing, the information on it won’t end up in the wrong hands. Note that disk encryption only protects data at rest on the device; it does nothing for data a user uploads to a cloud service, which is why organizations should also make sure they have Business Associate Agreements in place with business partners providing cloud services or storage, and should give staff a sanctioned place to put that data. One reason why more than two million health workers are set up to use Microsoft Office 365 is that the company signs BAA documents with health customers to comply with the HIPAA privacy and security rules. Had those physicians at the university teaching hospital been using Excel spreadsheets in Office 365 to store patient information, with a BAA for the cloud service in place, the outcome would have been quite different: no breach, no public report, and certainly no fine.
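The following script is an added example, not part of the original post or any Microsoft-supplied tooling. It audits BitLocker coverage on a Windows endpoint and, only when run with -Remediate, turns BitLocker on for any operating-system, fixed or removable volume that is not protected. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later, Pro or Enterprise edition), an elevated session, a domain Group Policy that permits recovery-password backup to Active Directory, and that the XtsAes256 cipher is acceptable (older clients would pass -EncryptionMethod Aes256); the parameter names and drive-type labels are the script's own.

```powershell
<#
  Added example: audit and remediate BitLocker coverage on one Windows machine.
  Assumptions (not stated in the post): BitLocker module present, elevated session,
  AD DS recovery-key escrow allowed by Group Policy, XtsAes256 acceptable.
#>
[CmdletBinding()]
param(
    # Report only by default; pass -Remediate to enable BitLocker on unprotected drives.
    [switch]$Remediate,
    [ValidateSet('Aes256', 'XtsAes256')]
    [string]$EncryptionMethod = 'XtsAes256'
)

# Map drive letter -> physical drive type so thumb drives (Removable) are
# reported and handled separately from fixed data disks.
$driveType = @{}
Get-Volume | Where-Object { $_.DriveLetter -match '^[A-Za-z]$' } | ForEach-Object {
    $driveType["$($_.DriveLetter):"] = [string]$_.DriveType
}

$findings = foreach ($v in Get-BitLockerVolume) {
    $type = if ($v.VolumeType -eq 'OperatingSystem') { 'OS' } else { $driveType[$v.MountPoint] }
    # A volume is only protected when it is fully encrypted AND protection is on.
    # FullyEncrypted with ProtectionStatus=Off means the protectors are suspended
    # and the volume key is stored in the clear, so it counts as unprotected.
    $protected   = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')
    $hasRecovery = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    [pscustomobject]@{
        MountPoint  = $v.MountPoint
        DriveType   = $type
        Status      = $v.VolumeStatus
        Protection  = $v.ProtectionStatus
        Method      = $v.EncryptionMethod
        RecoveryKey = $hasRecovery
        Compliant   = $protected -and $hasRecovery
    }
}

$findings | Format-Table -AutoSize

if (-not $Remediate) { return }

foreach ($f in $findings | Where-Object { -not $_.Compliant }) {
    $mp = $f.MountPoint
    switch ($f.DriveType) {
        'OS' {
            if ($f.Status -eq 'FullyDecrypted') {
                # The TPM unlocks the OS drive transparently; the recovery password
                # (added below) is the fallback for a TPM change or a lost device.
                Enable-BitLocker -MountPoint $mp -EncryptionMethod $EncryptionMethod -TpmProtector -SkipHardwareTest
            }
            if (-not $f.RecoveryKey) {
                Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
            }
            if ($f.Status -eq 'FullyEncrypted' -and $f.Protection -eq 'Off') {
                Resume-BitLocker -MountPoint $mp   # re-arm suspended protectors
            }
        }
        'Fixed' {
            if ($f.Status -eq 'FullyDecrypted') {
                # Fixed data drives get a recovery password and auto-unlock once the
                # OS drive is itself protected.
                Enable-BitLocker -MountPoint $mp -EncryptionMethod $EncryptionMethod -RecoveryPasswordProtector
                Enable-BitLockerAutoUnlock -MountPoint $mp
            }
        }
        'Removable' {
            if ($f.Status -eq 'FullyDecrypted') {
                # BitLocker To Go: a thumb drive travels between machines, so it gets
                # a password protector rather than a TPM binding.
                $pw = Read-Host -Prompt "Password for removable drive $mp" -AsSecureString
                Enable-BitLocker -MountPoint $mp -EncryptionMethod $EncryptionMethod -PasswordProtector -Password $pw
            }
        }
    }
    # Escrow every recovery password for this volume to Active Directory so a lost
    # PIN or dead TPM is a help-desk ticket rather than a lost dataset.
    $recovery = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($kp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId
    }
}
```

Run it without arguments from an elevated prompt to get a per-volume table; the Compliant column is what an inventory or endpoint-management system should collect from every machine, because an encrypted drive whose protection has been suspended for a firmware update and never resumed looks fine at a glance but is readable by anyone who pulls the disk. Re-run with -Remediate to fix what the audit flagged.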
Bill Crounse, MD, Senior Director, Worldwide Health, Microsoft