Training staff and ensuring quality controls are woven into each
piece of the ROI process are the most important steps HIM
professionals can take to mitigate risk of breach.
forms that were completed during the patient’s visit. If this is
the case, then the ROI staff must implement and perform quality control measures to validate that another patient’s information was not inadvertently imaged or indexed to the original
These individual errors represent the highest volume of
breached records and are within the direct purview of HIM professionals. Training staff and ensuring quality controls are woven into each piece of the ROI process and are the most important steps HIM professionals can take to mitigate risk of breach.
There are two steps in lessening ROI’s vulnerability through
workflow improvement. The first step is to create a tight, stream-
lined ROI process to mitigate risk. The second step is to test that
workflow and conduct a risk assessment. Some of the more
common examples of inadvertent disclosure include:
x Wrong chart sent to a requester
x Wrong information in patient charts with the same medi-
cal record number
x Co-mingled charts: family members, junior and senior
HIM departments should re-assess their ROI processes at
least once a year—more often if regulatory or technology chang-
es warrant a new review. Once assessed, corrective actions must
be taken to close any privacy or security gaps in ROI workflow.
Once workflow is tightened, a thorough risk assessment can be
Action: Risk Assessment and More
Risk assessments are best if they employ a combination of internal and external assessments. External reviewers wear no blinders, and they carry a wider breadth of experience. Both privacy
practice and IT security assessments should be performed. Risk
assessments must include follow-up to address identified risks.
Organizations often fail to adequately implement recommendations resulting from an assessment. This may be a product of
financial or staffing constraints; however, investing minimal effort is no longer acceptable. Covered entities must continually
test their processes and implement additional technical safeguards, such as:
x Semi-annual tested disaster recovery plans
x Internal vulnerability scans
x Third-party audits and measures
x SOC reports (formerly SAS 70)
x Penetration testing
x PCI Data Security Standard
Organizations should also consider obtaining legal counsel’s
advice on regulatory requirements and perhaps pursue cyber
liability insurance, which could extend coverage for damages
resulting from a breach. While purchasing more insurance and
legal help are typically not high on an organization’s compliance list, the old adage of an ounce of prevention being worth a
pound of cure holds here.
Encryption is another critical step. With mobile devices giving
anytime, anywhere access to virtual HIM departments, the traditional physical access controls are no longer adequate. Even
telecommuter policies and procedures must be revisited.
HIM’s technology investment must include data encryption
for mobile devices, as well as audit logs and log management.
Under the federal breach notification law, breach of encrypted
data does not require notification, thereby providing a safe harbor if data loss or theft occurs.
HIM departments should recognize that human tendency is
to take shortcuts when it comes to security. Common but risk-inducing behavior includes deactivating encryption functionality due to performance issues; using weak, old, or shared passwords; writing passwords on notes stuck to the computer; and
failing to log out from computer systems. These behaviors are a
major concern across hospital departments and within employees’ homes.
HIM professionals should work with their IT counterparts to
explore new technologies and methods beyond encryption that
further ensure technical security. For example, tools can shut
down a computer if hacking attempts are detected. Devices can
be set to erase locally stored data after a predetermined number
of failed log-in attempts.
Justifying the Cost
Nothing gets the attention of the executive suite faster than a
series of large unexpected expenses. Freeing up budget to invest
in privacy and security measures requires preparing a business
case in advance.
Governmental and media coverage of the big data breaches
are going a long way toward this goal. No organization wants
to be front-page news for having exposed patient information.
A Ponemon Institute study reported that healthcare costs per
breached record climbed to $301 in 2010 from $294 in 2009.3
This is a good starting point for estimating the potential cost of a
breach, but there is sure to be wide variances in individual experience. Hard costs will be more easily identified and measured
than softer costs such as customer loss or reputational harm.
The hard costs include:
x Potential fines (federal files can reach $1.5 million per incident)