Submitted by Bob Larrivee - AIIM
Not unexpectedly, the Department of Health and Human Services (HHS) has officially posted, as required by Section 13402(e)(4) of the HITECH Act, a list of breaches of unsecured health information affecting more than 500 individuals. In all, the current listing presents 36 entities where breaches have been reported. These range in size from major hospitals to private practices. The information presented shows the following data on the breaches:
· State
· Approximate number of Individuals Affected
· Date of the Breach
· Type of Breach
· Location of Breached Information
While theft and/or unauthorized access dominate the list of breach types, there are a few entries indicating loss or misdirected email as the cause. The location of the information varies from paper and films to computers of all types to USB devices. The most dominant appears to be laptop computers. One of the questions that comes to mind is accountability for devices such as laptops. What are the policies around their use and security? When in the office, are these tethered to a desk? One of the things we do not see in this list is prevention methods that were used, if any. Were the laptops with someone outside of the office and perhaps stolen from their car at the local Starbucks?
In my opinion, the fact that HHS is now listing breaches is a good thing, and I for one will visit regularly to see if any of my care providers show up there. (I would hope notification would be sent to me if I were among those affected.) I also think that as content and record stewards, it is up to the organization to put into place a strong governance policy on the proper use of the various tools provided, like laptops and USB drives, that includes internal and external use and access. For example, never leave your laptop unattended in public places. This is something I see often while traveling. Someone working on a project gets up to refill coffee and leaves their laptop open and unattended while doing so. In some cases, they lose sight of the device, leaving it available for someone to read or take.
As a client/patient it might be in your best interest to ask your practitioner how they manage your information and what precautions they take in securing your private information. As a medical practitioner, or the content/records steward for said practitioner, it is time to assess your current information management practices and processes. What governance do you have in place to secure information and how do you audit the environment to monitor and track activity? If a breach should occur, what steps can you take to identify the source of the breach and what actions will you take to correct the breach and prevent it from happening in the future? The time to act is now, before you are listed.
What say you? How do you address information security and breach prevention? Do you have a story to tell? I want to hear from you.
Bob Larrivee – AIIM blarrivee@aiim.org