Sutter Health's revelation that a former employee
inappropriately sent patient information to a personal email account in
violation of the organization's policy is yet another reminder of the privacy
risks posed by email communication.
In a Sept. 11 statement, the California healthcare
delivery system says the billing documents for 2,582 patients that were
inappropriately emailed included names, dates of birth, insurance
identification numbers, dates of services and billing codes. For one patient,
compromised information also included a driver's license number. For another,
a driver's license number and Social Security number were included.
Sutter Health includes 24 hospitals, 27 ambulatory care
facilities and a network of more than 5,000 physicians in Northern California.
Previously, the organization reported three other breaches, including a 2011
breach involving the theft of an unencrypted desktop computer containing
information on 4.1 million patients.
The organization says it discovered the email-related
incident during a review of the former employee's email activity and computer
access. Sutter launched an investigation on Aug. 27 after the organization
learned of possible "improper conduct" by the former employee, who
worked at Sutter Physician Services, which handles billing for Sutter Health's
physician medical foundations.
Most of the patients whose data was involved in the April
26, 2013, incident reside in the greater Sacramento region and are patients of
Sacramento-based Sutter Medical Foundation, Sutter Health says. The California
healthcare provider says it has no evidence that any of the patient information
was misused or disclosed to others, but it is offering affected patients free
credit monitoring services for one year.
Taking Precautions
Sending any confidential information to a personal email
account is strictly prohibited. Sutter Health now has sophisticated software
that helps block confidential information from leaving the organization unless
appropriate safeguards are in place to securely send the information. Employees
are also required to annually acknowledge and sign Sutter Health's
confidentiality agreement, which states that the employees agree to abide by and
protect Sutter Health's confidential data.
You must work hard at protecting patient information, including
implementing new technologies to enhance protection. I cannot provide specific
details of those technologies - that's among your safety efforts.
Common Problem
Unfortunately, privacy breaches involving
unsecured email - as well as text messages - are a common problem in the
healthcare arena, security experts say. My
experience is that doctors and medical practice employees send PHI through
unsecure e-mail all the time.
Besides implementing encrypted email communication, healthcare
entities can take other steps to safeguard patient information. For example,
they can use data loss prevention programs that scan emails and
documents containing sensitive data, such as Social Security numbers, before
they're transmitted, security experts say. Depending on the technology, the
sensitive data can either be blocked from transmission or automatically
encrypted.
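To make the data loss prevention step concrete, here is an added example (not Sutter Health's software and not from the original article) of an outbound-email check that scans a message for the identifier types the article names, Social Security numbers and insurance IDs, and then applies the three outcomes described: allow the message, route it for encryption, or block it. It also applies the policy stated in the "Taking Precautions" section, that confidential information may not go to a personal email account. The internal domain, the list of consumer webmail domains, the insurance-ID pattern and all sample messages are constructed assumptions for this example.

```python
"""Toy outbound-email DLP check: scan for patient identifiers named in the article
(SSNs, insurance IDs) and decide allow / encrypt / block before transmission."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses

# Assumed organisation policy values (constructed for this example, not Sutter Health's).
INTERNAL_DOMAINS = {"example-health.org"}
PERSONAL_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Insurance member IDs vary by payer; this constructed pattern only drives the example.
INSURANCE_ID_RE = re.compile(r"\bmember id[:#]?\s*([A-Z]{2,3}\d{8,12})\b", re.IGNORECASE)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues (area 000/666/900+, group 00, serial 0000)
    so that reference numbers and dummy values do not trip the detector."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_sensitive_data(text: str) -> dict:
    """Return every plausible SSN and insurance ID found in the text."""
    findings = {"ssn": [], "insurance_id": []}
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings["ssn"].append(m.group(0))
    for m in INSURANCE_ID_RE.finditer(text):
        findings["insurance_id"].append(m.group(1).upper())
    return findings


def recipient_domains(msg) -> set:
    """Collect the domain part of every To/Cc/Bcc address."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rpartition("@")[2].lower() for _, addr in getaddresses(headers) if "@" in addr}


@dataclass
class Decision:
    action: str                 # "allow", "encrypt" or "block"
    reason: str
    findings: dict = field(default_factory=dict)


def evaluate_outbound(raw_message: str) -> Decision:
    """Policy: sensitive data may stay inside the organisation, must be encrypted
    when it leaves, and is never sent to a personal webmail account."""
    msg = message_from_string(raw_message)
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    findings = find_sensitive_data("\n".join(parts))
    if not any(findings.values()):
        return Decision("allow", "no sensitive identifiers detected", findings)

    domains = recipient_domains(msg)
    personal = domains & PERSONAL_WEBMAIL_DOMAINS
    if personal:
        return Decision("block", f"sensitive data addressed to personal account(s): {sorted(personal)}", findings)
    if domains and domains <= INTERNAL_DOMAINS:
        return Decision("allow", "sensitive data stays within internal domains", findings)
    return Decision("encrypt", "sensitive data leaving the organisation; route via encrypted channel", findings)


# Constructed sample traffic; every identifier below is made up and belongs to no real person.
SAMPLES = {
    "internal_billing": "To: billing@example-health.org\nSubject: Claim follow-up\n\n"
                        "Patient SSN 123-45-6789, DOB 01/02/1970, code 99213.\n",
    "personal_webmail": "To: me@gmail.com\nSubject: copies\n\nKeeping these: Member ID: ABC123456789\n",
    "external_payer": "To: claims@insurer-example.com\nSubject: Claim\n\nMember ID: XYZ987654321\n",
    "no_phi": "To: friend@gmail.com\nSubject: lunch\n\nNoon at the usual place? Reference 555-01-0000.\n",
}


def run_samples() -> dict:
    """Map each sample name to the action the policy would take."""
    return {name: evaluate_outbound(raw).action for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        d = evaluate_outbound(raw)
        print(f"{name:17} -> {d.action:7} ({d.reason})")
```

The "no_phi" sample shows why the plausibility filter matters: a reference number shaped like an SSN but with a 0000 serial is ignored rather than blocking a harmless message, which keeps the false-positive rate low enough that staff do not learn to route around the control. A production tool would extend the detectors to dates of birth, driver's license formats and attachments, and log every block or encrypt decision for the privacy team to review.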
When doctors have privileges in multiple hospitals, it is
easy to use free webmail for communications wherever they are. Even if you have
a secure e-mail server in your practice that allows for secure messaging within
your organization, sending a message to someone else using webmail is not
secure.
Employees and clinicians need to be educated on the
secure methods for sending communication involving PHI.
More Guidance Needed?
At a recent annual HIPAA security conference
hosted by OCR and the National Institute of Standards and Technology, OCR
officials acknowledged that incidents involving unsecure email are likely
underreported to the agency. "We are
seeing a lot of different problems with the transmission of electronic PHI," the OCR
director said during a question-and-answer session with attendees.