The security of Protected Health Information (PHI) is a primary concern for healthcare institutions. PHI management is important not just for patient care and privacy, but also to meet strict regulatory compliance mandates. In the third installment of a bi-annual survey of healthcare providers, a report published in April details the current state of patient data security. The report was commissioned by Kroll Advisory Solutions, a leading risk consulting firm, and published by HIMSS Analytics, a world leader in healthcare IT reporting.
The report stems from concern over patient data security in light of increased adoption of mobile technology for the exchange of electronic health records (EHR) and, more specifically, PHI. Moving PHI to mobile devices makes it more vulnerable to breaches. In fact, 31 percent of survey respondents indicated that “information available on a portable device was among the factors most likely to contribute to the risk of a breach.”
An earlier report by the Department of Health and Human Services (HHS) found that 207 data breaches in 2010 affected 500 people or more and were caused by:
- Unauthorized access/disclosure
- Human/technological error
- Improper disposal
Theft accounted for almost half of all breaches that year and affected an estimated 2,979,121 individuals. In the HIMSS survey, more than half of all breaches were internal, but third-party sources were also recorded. Almost all respondents require third parties to sign a business agreement before handling EHR, but only about half indicated they ensure that their third-party vendors conduct regular risk analysis to identify vulnerabilities.
The HIMSS Analytics report found that on top of security issues, healthcare institutions are being torn in two directions. On the one hand, they are tasked with protecting PHI, but on the other they are expected to comply with a multitude of strict regulatory mandates like HIPAA and HITECH. “While organizations are actively taking steps to ensure that patient data is secure, they are so focused on meeting compliance requirements that they have little awareness of the efficacy of their security programs.”
Debate also remains over who exactly oversees which elements of EHR: “As organizations struggle to address data and privacy breaches, a lack of ownership for the issue across the industry remains. Various titles hold responsibility for pieces of the compliance puzzle, ensuring that their organizations meet the mandates and regulations set forth, but the overall security picture continues to elude most.”
The keys, then, are:
- Controlled document access
- Confidence in third-party vendors
- Clearly defined security and privacy roles
The good news, according to the report, is that the priority of compliance has raised awareness about the gaps in patient data security. Respondents ranked their preparedness at an average of 6.40 on a scale of one to seven in 2012, compared to 6.06 in 2010 and 5.88 in 2008.
While mobile devices remain a concern, technology isn’t always to blame for data breaches, and can in fact be the solution. Such is the case for the thousands of healthcare institutions using fax and document delivery solutions to manage their EHR. Fax is still the preferred method of secure document delivery for healthcare institutions worldwide, and new fax technologies are changing the way we interact with fax.
No longer are workers sending and receiving paper documents at a fax machine in a public area. Instead, they can fax securely via encrypted email, or securely over IP from private, password-protected workstations. Other technologies include archiving tools that can capture, file, distribute and manage millions of documents from a single repository, and can control exactly which users can see a particular record. This gives only the appropriate healthcare professionals easy and immediate access to EHR, not only to provide faster, better care for patients but also to respond quickly to external requests for information.
For institutions tasked with both patient data security and regulatory compliance, from the smallest clinic to the largest healthcare network, digital fax technology can solve problems. In light of the HIMSS report’s findings, implementing a secure document management system is good for patients and good for business.