The following is a guest article by Mark LaRow, CEO at Verato.
While the federal government has relaxed some patient privacy rules in response to the coronavirus pandemic, there are still avoidable mistakes healthcare professionals make when it comes to protecting patient data. These types of lapses become much more prevalent when staff are suddenly tasked with responding to a public health emergency.
Although the U.S. Department of Health and Human Services suspended several major HIPAA requirements as hospital and public health officials respond to the coronavirus pandemic, there is still a strong need to step up enforcement of the law’s most basic provisions—specifically:
- Obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care
- Honoring requests to opt out of the facility directory
- Distributing a notice of privacy practices
- Honoring the patient’s right to request privacy restrictions
- Honoring the patient’s right to request confidential communications
In the midst of high-volume, high-intensity periods, such as the rapid response required to triage, test and treat coronavirus patients, it is critical that organizations remain vigilant in protecting patient privacy and data. Here are three areas where hospitals can proactively strengthen privacy in a public health crisis.
Area 1. Protect medical records of notable patients from curiosity-seeking individuals. During a public health crisis, there is a natural inclination to seek information about people of interest and to share this information with colleagues, family or friends. This is true even among some healthcare staff, despite training to the contrary. To help protect patient data from this type of HIPAA breach, it’s important to establish password controls that restrict access of high-profile records to only those employees who need the information to perform their work. Organizations should conduct audits regularly to determine who has reviewed data for these individuals and whether the views were warranted. Some organizations are also exploring the use of artificial intelligence to detect when employees have inappropriately accessed and used information.
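The access audit described above can be scripted against the system's access log. The following is an added example, not code from the article or from Verato: it assumes a simple comma-separated access-log format (timestamp, user, role, patient ID, action), a list of patients under heightened monitoring, and a care-team assignment per flagged patient, all of which are constructed here for illustration. Two review rules are applied: any access to a flagged record by a user outside the assigned care team, and any print or export of a flagged record even by the care team.

```python
"""Audit review of access-log entries for high-profile (flagged) patient records.

Added example with constructed data: the log format, user names, patient IDs
and care-team assignments are assumptions for illustration only.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: timestamp, user, role, patient_id, action
SAMPLE_LOG = """\
2020-04-01T08:02:11Z,nurse.ali,nurse,P-1001,VIEW_CHART
2020-04-01T08:05:40Z,dr.chen,physician,P-7777,VIEW_CHART
2020-04-01T09:11:03Z,clerk.bob,billing,P-7777,VIEW_CHART
2020-04-01T09:12:50Z,clerk.bob,billing,P-7777,PRINT_CHART
2020-04-01T10:30:00Z,nurse.ali,nurse,P-7777,VIEW_CHART
2020-04-01T11:00:00Z,tech.sam,lab,P-7777,VIEW_RESULTS
2020-04-01T11:45:22Z,dr.chen,physician,P-1001,VIEW_CHART
"""

# Constructed: patients whose records are under heightened monitoring
FLAGGED_PATIENTS = {"P-7777"}

# Constructed: users assigned to each flagged patient's care team
CARE_TEAM = {"P-7777": {"dr.chen", "nurse.ali"}}

# Actions that warrant review even when performed by the care team
EXPORT_ACTIONS = {"PRINT_CHART", "EXPORT_CHART", "DOWNLOAD_RESULTS"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_id: str
    action: str
    reason: str


def parse_log(text):
    """Parse the constructed CSV-style log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, pid, action = line.split(",")
        records.append({"ts": ts, "user": user, "role": role,
                        "patient": pid, "action": action})
    return records


def audit(records, flagged=FLAGGED_PATIENTS, care_team=CARE_TEAM):
    """Return one Finding per (record, rule) that an auditor should review."""
    findings = []
    for r in records:
        if r["patient"] not in flagged:
            continue
        team = care_team.get(r["patient"], set())
        if r["user"] not in team:
            findings.append(Finding(r["ts"], r["user"], r["patient"], r["action"],
                                    "access by user outside assigned care team"))
        if r["action"] in EXPORT_ACTIONS:
            findings.append(Finding(r["ts"], r["user"], r["patient"], r["action"],
                                    "print/export of a flagged record"))
    return findings


def access_summary(records, flagged=FLAGGED_PATIENTS):
    """Per-user count of actions on flagged records, for the reviewer's overview."""
    return Counter(r["user"] for r in records if r["patient"] in flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in audit(recs):
        print(f"{f.timestamp} {f.user:10} {f.patient_id} {f.action:13} {f.reason}")
    print(dict(access_summary(recs)))
```

Run against the constructed log, the script flags the billing clerk's view and print of the monitored record and the lab technician's results lookup, while the care team's own views pass. In practice the care-team list would come from the order or treatment-team tables in the EHR rather than a hard-coded dictionary.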
Area 2. Stop instances of fraud before they start. Fraud happens when systems are not advanced enough to catch deception in real time. In a pandemic, instances of fraud may also occur when temporary provisions to handle large caseloads—such as field hospitals—have limited access to a patient’s medical and demographic information.
For example, when the information a patient provides at the point of registration doesn’t fully match the data on file, it’s often up to staff to manually resolve the issue. When employees shoulder the enormous workloads of a public health emergency, they have little time to investigate discrepancies, increasing the risk of patient matching errors. It’s an issue that not only heightens the risk of patient harm, but also leaves healthcare organizations and health plans vulnerable to insurance fraud.
Adding referential matching to the patient matching process can reduce manual efforts to verify information by 75 percent. Through referential matching, demographic data can be compared against a reference database of more than 300 million identities. This allows for highly accurate matches—even in the presence of major data differences, time differences, errors and thin data. Referential matching also decreases the risk of claim denials that can result from inaccurate identification or information, costing the average hospital $1.5 million per year.
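To make the matching problem concrete, here is an added example of score-based patient matching; it is illustrative code written for this page, not Verato's referential-matching product or any vendor's algorithm. It assumes a small constructed set of records on file, constructed field weights and thresholds, and normalization of names, dates of birth and phone numbers so that formatting differences and a nickname do not block a match. A score above the auto-match threshold links the record, a middle band is routed to staff for review, and anything lower is treated as a new patient.

```python
"""Score-based patient matching with field normalization (added example).

Records, weights and thresholds are constructed assumptions for illustration;
this is not a description of any commercial matching engine.
"""
import re
from datetime import datetime

# Constructed records on file (stand-in for the index a registrar queries)
ON_FILE = [
    {"id": "MRN-100", "first": "Jonathan", "last": "Smith", "dob": "1975-03-09",
     "phone": "(555) 010-2222", "zip": "02139"},
    {"id": "MRN-200", "first": "Jon", "last": "Smyth", "dob": "1975-03-09",
     "phone": "555-010-9999", "zip": "02139"},
    {"id": "MRN-300", "first": "Maria", "last": "Lopez", "dob": "1988-11-30",
     "phone": "555.777.1234", "zip": "10001"},
]

# Constructed weights: date of birth and phone carry more evidence than a name
WEIGHTS = {"last": 3, "first": 2, "dob": 4, "phone": 3, "zip": 1}
AUTO_MATCH = 10  # at or above: link automatically
REVIEW = 5       # between REVIEW and AUTO_MATCH: route to staff


def norm_name(s):
    return re.sub(r"[^a-z]", "", s.casefold())


def norm_phone(s):
    # Keep digits only, then the last ten (drops a leading country code)
    return re.sub(r"\D", "", s)[-10:]


def norm_dob(s):
    for fmt in ("%Y-%m-%d", "%m/%d/%Y", "%d-%b-%Y"):
        try:
            return datetime.strptime(s.strip(), fmt).date().isoformat()
        except ValueError:
            pass
    return ""  # unparseable: contributes no evidence


def normalize(rec):
    return {
        "first": norm_name(rec.get("first", "")),
        "last": norm_name(rec.get("last", "")),
        "dob": norm_dob(rec.get("dob", "")),
        "phone": norm_phone(rec.get("phone", "")),
        "zip": rec.get("zip", "").strip()[:5],
    }


def score(incoming, candidate):
    a, b = normalize(incoming), normalize(candidate)
    total = 0
    for field, w in WEIGHTS.items():
        if not (a[field] and b[field]):
            continue  # missing on either side: no evidence either way
        if a[field] == b[field]:
            total += w
        elif field == "first" and (a[field].startswith(b[field])
                                   or b[field].startswith(a[field])):
            total += w // 2  # nickname or abbreviation: partial credit
    return total


def match(incoming, candidates=ON_FILE):
    """Rank candidates and return the decision for the best one."""
    ranked = sorted(((score(incoming, c), c["id"]) for c in candidates), reverse=True)
    best_score, best_id = ranked[0]
    if best_score >= AUTO_MATCH:
        decision = "match"
    elif best_score >= REVIEW:
        decision = "review"
    else:
        decision = "new"
    return {"decision": decision,
            "candidate": best_id if decision != "new" else None,
            "score": best_score}


if __name__ == "__main__":
    # Constructed registration entry: nickname, different date format, bare phone
    print(match({"first": "JON", "last": "Smith", "dob": "03/09/1975",
                 "phone": "5550102222"}))
    # Thin data: name only, so the record goes to staff review
    print(match({"first": "Maria", "last": "Lopez"}))
```

The point of the middle band is the one the article makes: staff time is spent only on records the scoring cannot settle, and a registration entry with a nickname and a reformatted date is linked without anyone re-keying it. The weights and thresholds would be tuned on an organization's own data before use.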
In addition to referential matching, healthcare providers can use smartphones to pass demographic data to EHRs and verify mobile phone numbers. According to a Pew Trust analysis, some experts believe this tactic has merit, given the high adoption of smartphones among consumers. However, it would require health systems to enter into business associate agreements with third-party software vendors to send information back into EHRs.
Area 3. Ramp up cyberbreach surveillance. During periods of widescale confusion, such as a pandemic, bad actors will exploit holes in a healthcare organization’s cyberdefense mechanisms. For example, as hospitals respond to a pandemic, there is strong potential for confusion among healthcare teams in the face of fast-moving operations, new team members and the need for expediency to help save lives. This leaves organizations vulnerable to efforts by bad actors to steal credentials or trick professionals into providing sensitive information. It also creates an environment where a hacker could easily masquerade as a new employee or vendor and convince an employee to provide access to restricted systems and files.
One way healthcare organizations can strengthen privacy protection during a public health crisis is through increased surveillance. Intensify efforts to educate staff not only on their responsibilities under HIPAA, but also on ways to avoid accidental exposure. Train employees on how to spot phishing scams, and teach them methods for safely securing sensitive data in their workspace.
A Matter of Trust
Whether in times of crisis or calm, healthcare organizations must maintain the trust of the communities they serve to fulfill their mission. Taking proactive steps to protect the privacy of those who rely on the organization for care in the midst of a public health crisis is essential to providing a safe environment for care.