6 privacy landmines and how to avoid stepping on them
While the healthcare industry grapples with data breaches and privacy and security regulations, there are common pitfalls that are easy to run into without proper planning.
Erin Whaley, a partner at the law firm Troutman Sanders, outlined what those are and shared half-a-dozen tips for avoiding them.
Here is Whaley’s advice:
- As long as I have cybersecurity insurance I’ll be covered in the event of a breach. It’s not that simple. Whaley said that even healthcare organizations that stack policies to get to $50 million in coverage may not have enough – though she’s not espousing that everyone simply plunk down for more insurance. Providers, instead, need to deploy solid security practices. “Having good security is a prerequisite to good coverage.”
- Our team can handle any incident internally. We don’t need outside help. Even providers who really have the best professionals in the country should seek outside help. Here’s why: Those top-notch professionals already have a full-time job and when a breach occurs, you don’t want them distracted working to resolve that all day for weeks or months because that can create entirely new vulnerabilities. “Get outside experts to supplement your expertise and bandwidth,” Whaley urged, including crisis communicators, public relations professionals, and even standing up a separate call center to respond to the breach. That last one, in fact, could help prevent a civil suit by assuaging angry patients before they come together to sue your health system.
- Social media isn’t a big concern for us. “Do not think social media is not a problem for you,” Whaley contended. She pointed to two facets of social media: internal staff that could release PHI via networks and human resources. Even employees who think they understand the rules can be dangerous, she said. For HR, Whaley warned that even non-unionized employers are subject to rules that prevent you from taking action against prospective hires or employers based on what you learn from social media.
- Business associate agreements are just a form agreement. Our lawyers don’t need to review them. Whaley explained that more BA’s fall into this trap than healthcare providers, there are some hospitals that do as well and for a variety of reasons, most notably that they think BA agreements are similar and they don’t want things held up in legal review. “Do not fall into this pitfall. It can be tremendous. You can dig yourself a huge hole thinking this way. They’re not a form agreement anymore,” Whaley said. Rather, providers need to inspect those contracts, understand the changes, how HIPAA and other regulations figure in, and ensure they make sense from a business and legal perspective.
- As long as I’m HIPAA compliant, I don’t have to worry about other privacy laws.“That is not true,” Whaley said. “There are other privacy laws.” Those include: State privacy laws, state medical records laws, Part 2 regulations for substance abuse treatment information, the Telephone Consumer Protection Act (TCPA) applies to all auto-dialer technology and treats landlines and cell phones differently, among others.
- We do a fine job responding to requests from individuals for their records. Updating this process is not a priority. “You should go ahead and look at the process for responding to individual requests for records,” Whaley said. She explained that the Office for Civil Rights offers guidance for providers to address and recommended comparing your own policy to that, which doesn’t take long. “This is clearly an issue for OCR so I would expect to see greater enforcement.”