Health information data breaches are increasing in both number and size, but four simple, proactive steps can keep your practice from becoming a victim of theft.
Over 50% of the 800 major health data breaches (those affecting 500 or more individuals) on HHS's "wall of shame" stem from the theft of unencrypted computing devices, network servers, storage media and other mobile devices, as well as old-fashioned paper records containing protected health information (PHI).
Fraudulent use or sale of PHI is also on the rise. Thieves can break in from outside or already be working inside a health care organization, so patient privacy and personally identifiable information are always at risk.
Identity theft now tops the list of consumer complaints that are reported to the FTC and other enforcement agencies every year—and it’s spurring the crime of medical identity theft.
Medical identity theft can involve someone stealing or misusing personally identifiable information (PII), such as name and Social Security number, credit card numbers and financial account information, together with health information and insurance coverage details. The more information a thief can obtain, the more valuable it is.
Risk can be mitigated with these 4 preventive measures:
- Drive continuous awareness and staff training on this issue. Employees must be trained, and regularly reminded, that identity theft involves someone stealing or misusing personally identifiable information (PII) such as name and Social Security number, credit card numbers, financial account information, or even health information and insurance coverage. Workforce members must also know that HIPAA offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm carry fines of up to $250,000 and imprisonment for up to ten years. Individuals, not just organizations, may be directly criminally liable under HIPAA, and offenses of this kind are the ones most likely to result in criminal charges.
- Put stringent physical security policies, procedures and safeguards in place as a mandatory part of your organization's comprehensive security strategy. Physical security measures, such as cable locks, work in tandem with technical and administrative safeguards to protect all individually identifiable patient information, including Protected Health Information (PHI). Use of encryption, unique passwords and access controls should be addressed in policy. Encryption deserves particular attention: under the HHS breach notification rule, PHI encrypted in line with HHS guidance is considered secured, so the loss of an encrypted laptop or drive is generally not a reportable breach, while the loss of an unencrypted one is. Note that full-disk encryption only protects a device that is powered off or locked; a device stolen while logged in is still exposed, which is why it must be paired with automatic screen locks and short idle timeouts.
- Check that privacy and security risk assessments are current, and conduct frequent internal compliance audits to ensure that security safeguards, access controls, authentication procedures and transmission security protections are in place and actually functioning, not just documented.
- Maintain a rigorous program of security measures and technologies to prevent, detect and mitigate malware (malicious software), including keeping operating systems, applications and anti-malware signatures up to date. Malware threats include viruses and spyware that can steal personal information, send spam and commit fraud.
The Steri•SafeSM HIPAA Compliance Program provides a high-quality solution with practical HIPAA training, necessary policy documentation, and HIPAA privacy and security risk assessments that can be implemented to help you prevent costly, damaging breaches. Contact a HIPAA Specialist today to find out more.
Stericycle is sharing the National Consumer Protection Week video
This year, March 2-8 is National Consumer Protection Week—a time to highlight free consumer resources that help people avoid scams, prevent identity theft and make more informed buying decisions. Be sure to check out the video and all the free consumer information from federal agencies, state governments, consumer organizations and local consumer protection authorities available at NCPW.gov.