As doctors continue to implement electronic medical records, it is important to ensure that a breach of privacy does not occur. The Health Insurance Portability and Accountability Act (HIPAA) encourages practices to safeguard medical records with passwords, encryption, business associate agreements, staff in-services, and policies and procedures. These safeguards are worth their weight in gold when records are lost or stolen.
This real-life example illustrates the importance: A physician negotiates a contract with an EMR vendor. The business associate agreement is signed. The contract specifies that the data is backed up daily by the vendor. The office also backs up data weekly. The office manager is very diligent about the process and ensures that data is maintained. Staff members are trained and aware of how to handle any situation. Due to the fear of an office break-in, the manager stores the EMR discs at home in her garage.
Is this environment safe? Do you take the same precautions at home as in the office? If the discs are stolen, is it considered a HIPAA violation, and do patients need to be notified accordingly? In this case, the discs were stolen from the garage of the office manager. As with any breach of data, in any environment, patients should be notified.
The practice called the CAP Hotline at 800-252-0555. CAP staff provided guidance, support, and referral to CAP's Cyber Risk provider for assistance with investigation and notification of patients. Never take a possible violation lightly. Call us if you have any questions.
Authored by
Joseph Wager
Senior Risk Management & Patient Safety Specialist
If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.