As a Privacy Officer with more than 30 years experience working in both large and small healthcare organizations, I’ve experienced multiple privacy postures, ranging from manual reactive audits to proactive privacy monitoring that allowed us to get ahead of breaches to patient privacy before they became catastrophic for the organization or patients. After three decades of experience, I realized that there are three things that every Privacy Officer should know to ensure they are applying best practices for privacy within their organization.

When Protenus was first building its sales and marketing team, I joined as the Senior Marketing Manager. This meant shaping marketing initiatives to make Protenus more successful, and determining which priorities we should tackle first. As I was a “jack-of-all-trades,” I was working on everything from marketing strategy to trade show logistics to content that would elevate our brand within the healthcare industry.  

A recent report has stated that patient records affected by health data breaches have hit a four-year low in 2017.  Unfortunately, while these findings are promising, the number of breach incidents remains steady and continues to represent a constant threat to patient data security.  There also seems to be a continuing trend in which health data breaches that have affected the most patient records in a given month are the result of hacking while breaches that have taken the longest to detect are the result of insiders. February continues this trend, with a ransomware attack responsible for the largest single incident of the month and an insider-error incident that continued for over four years before it was detected by the healthcare organization. There was also one incident that was the result of insider-wrongdoing, and this particular case highlights just how insidious insider-wrongdoing breaches can be.

Last month, Matt Fisher, a partner at Mirick O’Connell and chair of the firm’s health law group, joined Robert Lord, Co-Founder and President of Protenus, for a webinar to discuss best practices healthcare organizations can employ when migrating from reactive to proactive privacy postures, and how to integrate guidance from regulatory bodies into these practices.

Listen to the full webinar to learn about key recommendations Robert and Matt shared when moving from a reactive to proactive privacy posture.

The health data breach landscape remained tumultuous in January, with almost an equal number of hacking and insider-related incidents. Of note, hacking incidents affected significantly more patient records, due largely to one particular breach that affected 59% of the total number of breached patient records this past month. Additionally, in a recent ruling, the HHS Office for Civil Rights (OCR) levied a $3.5 million fine to a healthcare provider after five separate breach incidents at various locations. OCR found that the organization had failed to conduct a risk analysis of possible threats and vulnerabilities to patient data as well as failed to implement policy and procedures to address security incidents and govern how electronic PHI should be moved in and out of the facilities. OCR and the healthcare organization have agreed to a corrective plan to overhaul the organization’s security measures and risk management plan. This ruling highlights, once again, the necessity for healthcare organizations to educate their employees on proper protocols for handling patient data and to gain full visibility into every access into their EHR in order to mitigate and even prevent these incidents from occurring.