3 tips for proactively protecting PHI

In a recent podcast with Healthcare Informatics, Jared Rhoads, senior research specialist with the Computer Sciences Corporation (CSC) Global Institute for Emerging Healthcare Practices, spoke about emerging technologies to protect personal health information (PHI).

Rhoads talked, in particular, about how the environment is changing for medical identity theft and why hospitals and medical practices need to be more vigilant.

Three tips from Rhoads for better protecting such information included:

  1. Keep the basics in mind--strong passwords, limiting network access, encryption, and firewalls: Rhoads called these steps "really basic stuff" that can go miles to protect PHI. Enforcing them and making sure systems are up to date, he said, is important. "[Organizations] need to be doing this well and consistently--nothing new here, it's fundamental things," he said.

  2. Reduce the amount of data and PHI that sits on devices: Transfer it all back to a central, secure place, Rhoads said.

  3. Keep it efficient and focus on return on investment: Determine whether your organization should do data security in-house or hire an outside firm, Rhoads said. "You could do security all day and not know if you really have it nailed down," he said. "Buy into the notion that you need to do it."

Paying for proactive PHI protection may be expensive up front, but the long-term financial benefits prove to be worth it, Rhoads said.

"You have to ask yourself, 'what is the potential cost of a breach?' Nowadays there are potential fines and monetary penalties, legal fees, with the new Omnibus rules there would be breach notification response costs, lost reputation," Rhoads said. "There are a lot of potential downsides that you want to avoid incurring. The problem is what's the probability. No matter what number you put in front of that coefficient, it's somebody's best guess."

In a worst-case scenario of PHI being compromised, Children's Healthcare of Atlanta recently announced it is suing Sharon McCray, former corporate audit advisor, claiming she stole protected health information (PHI) after announcing she was quitting on Oct. 16.

Children's claims in its complaint that on Oct. 18--just two days after McCray announced she was leaving the hospital--it discovered that she had emailed to her personal email account the protected information belonging to the hospital, including "the PHI ... of children, DEA numbers, health provider license numbers for over 500 healthcare providers, confidential and attorney-client privileged communications, financial information, internal and external audits, and additional confidential and proprietary information belonging to Children's Healthcare."

Protecting PHI remains important, as data breaches aren't slowing down. For instance, an unsecured email recently put PHI for 1,310 patients at risk at CaroMont Health in Gastonia, N.C., including patient names, dates of birth, addresses, telephone numbers, medical record numbers, diagnoses, last date of service, medications and insurance company names.

What's more, Allina Health in Minneapolis recently notified 3,000 patients of a security breach when a medical assistant unnecessarily viewed PHI at a clinic.

To learn more:
- listen to the podcast at Healthcare Informatics
