Incident at Sutter Health Emphasizes Email Risks
Sutter Health’s revelation that a former employee inappropriately sent patient information to a personal email account in violation of the organization’s policy is yet another reminder of the privacy risks posed by email communication.
In a Sept. 11 statement, the California healthcare delivery system says the billing documents for 2,582 patients that were inappropriately emailed included names, dates of birth, insurance identification numbers, dates of service and billing codes. For one patient, the compromised information also included a driver’s license number. For another, a driver’s license number and Social Security number were included.
The organization says it discovered the email-related incident during a review of the former employee’s email activity and computer access. Sutter launched an investigation on Aug. 27 after the organization learned of possible “improper conduct” by the former employee, who worked at Sutter Physician Services, which handles billing for Sutter Health’s physician medical foundations.
Most of the patients whose data was involved in the April 26, 2013, incident reside in the greater Sacramento region and are patients of Sacramento-based Sutter Medical Foundation, Sutter Health says. The California healthcare provider says it has no evidence that any of the patient information was misused or disclosed to others, but it is offering affected patients free credit monitoring services for one year.
“Sending any confidential information to a personal email account is strictly prohibited,” Sutter Health says in a statement. “Sutter Health now has sophisticated software that helps block confidential information from leaving the organization unless appropriate safeguards are in place to securely send the information. Employees are also required to annually acknowledge and sign Sutter Health’s confidentiality agreement, which states that the employees agree to abide by and protect Sutter Health’s confidential data.”
A Sutter Health spokeswoman says that the former employee emailed copies of the information without authorization before more technology safeguards were installed and that Sutter Health now uses encrypted email. “Sutter works hard at protecting patient information, including implementing new technologies to enhance protection. I cannot provide specific details of those technologies - that’s among our safety efforts,” she says.
Unfortunately, privacy breaches involving unsecured email, as well as text messages, are a common problem in the healthcare arena, security experts say.
“My experience is that doctors and medical practice employees send PHI through unsecure e-mail all the time,” says security and privacy expert Mike Semel, founder of Semel Consulting. “During our assessments, we often hear that doctors and nurses text each other all day with no concern that the information is PHI,” he says. “When we explain that PHI is any communication that includes a patient identifier and information about their treatment, diagnosis or payment for healthcare, and not just the information in the chart, we are often met with surprise.”
Besides implementing encrypted email communication, such as by using the “Direct Exchange” protocol, healthcare entities can take other steps to safeguard patient information. For example, they can use data loss prevention programs that scan emails and documents containing sensitive data, such as Social Security numbers, before they’re transmitted, security experts say. Depending on the technology, the sensitive data can either be blocked from transmission or automatically encrypted.
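The data loss prevention behaviour described above, as an added illustration that is not code from Sutter Health or any product named in the article: an outbound-mail policy check scans the subject, body and attachments for identifiers of the kind listed in the breach notice (Social Security numbers, dates of birth, insurance IDs), then decides whether to allow, force-encrypt, or block the message based on where it is going. The domain lists, the sample billing document and the sample messages are all constructed for this example; the SSN plausibility check uses the publicly documented ranges the SSA never issues to cut false positives.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed policy tables for this example (not real organization data).
INTERNAL_DOMAINS = {"example-health.org"}              # PHI may flow freely
PARTNER_DOMAINS = {"specialist-clinic.example"}        # PHI only over encrypted delivery
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # never for PHI

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)[:\s]+(\d{1,2}/\d{1,2}/\d{4})\b", re.I)
INSURANCE_ID_RE = re.compile(r"\b(?:member|insurance)\s*id[:\s#]+([A-Z0-9]{8,12})\b", re.I)


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues (area 000, 666, 900-999; group 00; serial 0000).

    This keeps order numbers and phone fragments that happen to match ddd-dd-dddd
    from triggering a block."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


@dataclass
class Finding:
    kind: str
    value: str


def find_sensitive(text):
    """Return the sensitive identifiers found in a piece of text, in scan order."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", m.group(0)))
    for m in DOB_RE.finditer(text):
        findings.append(Finding("dob", m.group(1)))
    for m in INSURANCE_ID_RE.finditer(text):
        findings.append(Finding("insurance_id", m.group(1)))
    return findings


def recipient_domain(addr):
    _, email = parseaddr(addr)
    return email.rpartition("@")[2].lower()


def decide(message):
    """Return (action, reason, findings) where action is 'allow', 'encrypt' or 'block'.

    message: dict with 'to' (list of addresses), 'subject', 'body' and
    'attachments' (dict of filename -> extracted text)."""
    parts = [message.get("subject", ""), message.get("body", "")]
    parts += list(message.get("attachments", {}).values())
    findings = find_sensitive("\n".join(parts))
    if not findings:
        return ("allow", "no sensitive identifiers found", findings)
    domains = {recipient_domain(a) for a in message["to"]}
    if domains <= INTERNAL_DOMAINS:
        return ("allow", "all recipients internal", findings)
    if domains & WEBMAIL_DOMAINS:
        return ("block", "sensitive data addressed to a personal webmail account", findings)
    if domains <= INTERNAL_DOMAINS | PARTNER_DOMAINS:
        return ("encrypt", "sensitive data to an approved partner; force encrypted delivery", findings)
    return ("block", "sensitive data to an unapproved external domain", findings)


# Constructed sample billing document resembling the fields named in the notice.
BILLING_DOC = (
    "Patient: Jane Doe\n"
    "DOB: 03/14/1961\n"
    "Insurance ID: ABC12345678\n"
    "SSN: 123-45-6789\n"
    "Date of service 04/26/2013, CPT 99213\n"
)

SAMPLE_MESSAGES = {
    "billing_to_personal_webmail": {"to": ["clerk.home@gmail.com"], "subject": "copies for my records",
                                    "body": "see attached", "attachments": {"billing.txt": BILLING_DOC}},
    "billing_internal": {"to": ["billing@example-health.org"], "subject": "April billing",
                         "body": BILLING_DOC, "attachments": {}},
    "billing_to_partner": {"to": ["referrals@specialist-clinic.example"], "subject": "referral",
                           "body": BILLING_DOC, "attachments": {}},
    "billing_to_unknown_external": {"to": ["someone@unknown-vendor.example"], "subject": "fwd",
                                    "body": BILLING_DOC, "attachments": {}},
    "harmless_to_webmail": {"to": ["friend@gmail.com"], "subject": "lunch",
                            "body": "Order 900-11-2222 arrived; lunch at noon?", "attachments": {}},
}


def scan_samples():
    """Run the policy over every sample and return {name: action}."""
    return {name: decide(msg)[0] for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        action, reason, findings = decide(msg)
        print(f"{name:30s} {action:8s} {reason} {[f.kind for f in findings]}")
```

The ordering of the checks is the design point: the message is scanned before the recipient is considered, internal-only traffic is never slowed down, and a hit addressed to consumer webmail is blocked outright rather than encrypted, since encrypting a message to a personal account would still be the policy violation the article describes. A real deployment would extract text from PDF and office attachments and would classify by content type as well as regex, but the decision table stays the same.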
Organizations also need to be wary of employees who work around measures that have been put in place to prevent breaches involving email, Semel stresses.
“When doctors have privileges in multiple hospitals, it is easy to use free webmail for communications wherever they are,” he says. “Even if you have a secure e-mail server in your practice that allows for secure messaging within your organization, sending a message to someone else, like a specialist, [using webmail] is not secure.”
Employees and clinicians need to be educated on the secure methods for sending communication involving PHI, Semel says.
Independent HIPAA attorney Susan Miller says many breaches involving unsecured communication likely aren’t being reported to the Department of Health and Human Services’ Office for Civil Rights, which tracks healthcare data breaches.
“I think they are as under-reported as sending a fax the wrong way,” she says. Tips on the do’s and don’ts related to email encryption are “not part of any training that most staff get,” she says. “I have been talking to my clients about just using WinZip for some protection,” she notes, referring to the file compression utility, which can encrypt files before they are emailed.
For more information on this and other topics related to HIPAA, HR, OSHA, and Medicare, please email support@hcsiinc.com or visit our website at http://www.hcsiinc.com