As identity theft increases so does your responsibility
Laptops and handheld devices require extra attention
Imagine contacting over 350,000 patients to tell them that their private medical and financial data has been stolen. The staff and management of Providence Home Services, a division of Seattle, WA-based Providence Health Systems, don't have to imagine it.
After data backup tapes and disks were stolen from the car of an employee who took the information home as part of the agency's protocol for protecting data from fire or other disasters at the office, agency managers found themselves in the midst of investigations and policy reviews.
While there have been no reports of the stolen information being misused, this theft points out some of the weak spots in many agencies' data security plans, says Robert W. Markette Jr., an attorney with Indianapolis, IN-based Gilliland, Markette & Milligan law firm. "I've seen two prevailing models of thefts," he says. In the first typical theft, the employee does something such as leave the laptop or handheld device in the car outside the home overnight. The second theft occurs when the employee carries the device home, then resigns without returning the device, he says.
In both cases, home health agencies may have policies governing the security of information, but employees chose to ignore the policies, Markette points out. "It is not enough to develop policies; you have to educate employees and incorporate sanctions that emphasize the importance of the policies," he says. For example, if your policy does prohibit leaving the laptop in the car, make violation of the policy a reason for firing the employee, he suggests. "Although you may not discover the policy violation until a laptop is stolen, other employees will think twice before leaving the laptop in their car," he says.
In the case of an employee who quits before returning the laptop or device, you might have two scenarios: the employee may simply not want to take the time to return the equipment or the employee may want to use the information to attract clients to his or her new employer, says Markette. In either case, it is important that the process for retrieving equipment is spelled out in your policies, he says. "The loss of a laptop represents a significant expense to replace the equipment alone, without the threat of exposing patient information," he points out.
Report thefts immediately
If theft by someone other than the employee is the reason for the equipment loss, make sure that employees know to report the theft immediately so that steps can be taken to recover the item or warn patients whose information was on the laptop, says Markette.
A quick report from an employee prevented major problems for Nightingale Home Healthcare in Carmel, IN. A nurse who had been with the agency for a few weeks dropped her car at a repair shop, then left in another car to make her visits, explains Melinda Jewell, director of human resources for the agency. As soon as she arrived at the first patient's home, she realized that she had left her handheld device in her car at the repair shop. "She admitted that she was logged in on the device when she left the shop, so we told her to immediately return to the repair shop and recover the device," she explains. Fortunately, the device was exactly where the nurse left it and did not appear to have been accessed.
"We contacted the patients whose charts were accessible by the device to let them know that although it did not appear that anyone accessed their information, they should be aware of the risk, then the nurse repeated our HIPAA training," says Jewell (See story at the end for more information about activities to take after a theft). Luckily, there have been no incidents involving Nightingale patient identities and the risk was minimized because the nurse's device only provided access to information about patients she was scheduled to see for the upcoming week. "Our nurses synchronize their device with our server every morning and every evening to upload the day's documentation and retrieve updated schedule and patient information," she explains. "We only provide access to information that is no more than 45 days old," she says.
The more information that is accessible on the laptop or handheld device, the greater your risk when a security breach occurs, points out Markette. An important aspect of HIPAA is the requirement that employees have access only to information that is necessary to perform their jobs, he says. "A HIPAA security officer needs to consider if it is necessary for a nurse to have access to everything about every patient," he adds. "When nurses were carrying paper files on their visits, they carried the five or six files they needed that day, not dozens or hundreds of files on patients they might not see for two months or might have seen two weeks before," he adds.
Use passwords
Password protection and encryption are excellent ways to protect data if the laptop or device is stolen, says Markette. While encryption software may not be practical for all agencies, he does point out that agencies that encrypt their data are exempt from the disclosure requirement in the states that require contact with the patients after data is stolen.
When evaluating different encryption software, be sure to look at how the software affects the nurse's ability to do his or her job as well as evaluating cost, suggests Markette. Some software is easier to use and less intrusive than other software, he says.
Don't forget that even if a file is deleted from a laptop, the information is still retrievable until it is written over, warns Markette. "Because wiping a hard drive with a wipe utility is time consuming, it is worthwhile to evaluate encryption software that will encrypt information before it is deleted," he adds.
If you decide that encryption is not affordable or workable for your agency, make sure that information can only be accessed with a login name and unique password for each user, says Markette. "Your policy should also state that when the employee is not actively using the laptop or device to document a visit, to review information on upcoming visits, or to download or upload data, the user should log out of the system," he says. This eliminates the risk of quick and easy access to information, he adds.
The best way to protect data is to make sure your policies are clear about employees' responsibilities for protection of the laptops, handheld devices and the information they contain, says Markette. Even though no one would leave their own valuables, such as a laptop, in a car outside the house overnight, employees don't always treat their employer's property as their own, he admits. "Make sure that employees understand how they are supposed to care for the equipment, what the equipment is worth financially, and how important it is to protect the information on the equipment," he says. Holding an employee financially responsible for a lost laptop can be tricky, so Markette believes that firing anyone who loses the equipment emphasizes the importance of protecting the laptop.
"Our policy is that the nurse must have the handheld device in his or her possession at all times," says Jewell. In addition to always having the device with them, employees are warned to be aware of who else might have access to the device, she adds. "An employee who has the device in her home might have a grandchild who thinks it's a game to play," she explains. Password protection will keep someone from accessing the information, but a child who picks up the device and wanders through the house with it might place it where the employee can't find it when needed, she adds.
Employees also need to be aware of who can see the information when they are using the laptop or device, points out Markette. HIPAA requires that workstations be designed so that other people can't see information displayed on a screen, so laptop users who stop at a Starbucks to finish their documentation, or use a place other than home to upload information, need to look around and be sure that no one else can see their screen, he adds. Even when working in their homes, employees need to make sure that visiting neighbors, friends, or family members cannot access or see what is on the computer, he says.
The other big issue that home health agencies face is protection of backup data. In the Providence Home Services incident, the health system's corporate policy was that employees did not take backup data home, but the home services division did not adhere to that policy, says Markette. "It is important to store backup data away from the main server in case of a disaster such as a fire in the agency office, but having an employee carry it home is not a way to protect it," he says. Markette knows of organizations that store their backup data in an office safe designed to protect its contents from extreme heat or water, so the data is protected without leaving the premises.
The other consideration for backup data is the need to delete old files, Markette adds. "When we had to pay for space to store paper files, we were diligent about throwing out files that no longer had to be kept," he says. "Now that electronic storage is cheap, agencies hold onto old files longer than necessary," he explains. These files are not only unnecessary, they also increase an agency's exposure if the data is stolen, because the database then holds thousands of patients whose information did not need to be there, he adds.
Once you make sure your policies address the special precautions that laptop users must take, be sure you educate your staff, says Jewell. "Our education includes examples of how and where information might be accessed so that employees recognize situations, such as the neighbor wandering in while the employee was completing her documentation, so that they realize how easy it is for others to access patient information if we don't log out."
"Unfortunately, the risk of losing data through stolen laptops and handheld devices will only increase," says Markette. He adds, "It is best if agencies review their policies now, and make sure that they are prepared for the future."
Sources
For more information about laptop security, contact:
- Robert W. Markette Jr., Attorney at Law, Gilliland Markette & Milligan, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Telephone: (800) 894-1243 or (317) 704-2410. Fax: (317) 704-2410. E-mail: [email protected].
- Melinda Jewell, Director of Human Resources, Nightingale Home Healthcare, 12766 Hamilton Crossing Boulevard, Carmel, IN 46032. Telephone: (866) 334-7776 or (317) 334-7777. Fax: (317) 569-1403. E-mail: [email protected].
The laptop is gone: What do you do now?
Investigate, communicate and educate to cut risk
It is very unlikely that many home health agencies will be faced with the theft of data on more than 350,000 patients at one time, but Seattle, WA-based Providence Home Services' experience in 2006, and the actions taken by the agency after the theft of data backup tapes from an employee's car, may be a clue as to the standard for follow-up in the future, says Robert W. Markette Jr., an attorney with Indianapolis, IN-based Gilliland, Markette & Milligan law firm.
After investigating the theft, evaluating employee actions, and reviewing home care's policies, Providence notified patients of the data security breach. "Providence set up a toll-free hotline number for families and offered free credit monitoring service to patients whose information was included in the data," says Markette. Most agencies will not have to handle a breach that involves this many patients, but it is important to study the actions Providence took following the theft, he says.
The HIPAA security officer should be in charge of the theft investigation within the agency, says Markette. "Find out how it happened, what policies were followed or not followed, and identify what changes can be made to improve security," he says.
Contacting patients involved in a breach after your investigation into the cause of the breach is a good move, recommends Markette. "HIPAA requires mitigation but does not specify that patients must be contacted. However, 34 states require disclosure," he says.
"Even if you live in a state that does not require disclosure, it is good public relations to notify patients whose information might have been accessed, explain what happened, and provide directions on how to place a fraud alert on their credit reports or other steps to prevent identity theft," suggests Markette. Be sure to describe the level of threat as well, he says. "If your information is password protected or encrypted, you can explain that to patients and say that, while they should take steps to protect themselves, the risk is minimal," he adds.
Have an attorney review the letter, says Markette. "There is always the risk of lawsuits following a breach in data security so an attorney can reduce that risk by making sure the letter does not create any additional exposure."