Rules of Engagement: Patient Privacy

Understanding the most likely threats to patient privacy can help protect your practice against breaches and HIPAA violations.
MedEsthetics Nov/Dec 2018

When healthcare attorney Bradford E. Adatto, Esq. of Dallas-based firm ByrdAdatto opened the email, “My eyes almost fell out of my head,” he says. There was a message time stamped 11:00 p.m. from one of his clients, a plastic surgeon, asking him to call immediately. The doctor had been in surgery since 5:00 a.m. and when he checked his email that evening, a patient had sent a link to a review she had posted. “The patient had posted a negative review complaining about the poor outcome she’d experienced and stating that the doctor’s license should be pulled,” explains Adatto.

Eager to protect his name, the surgeon had pounded out a response with the reasons the patient didn’t get her desired result, citing her high BMI and alcoholism. “This is a perfect example of what happens when you allow your emotions to take over,” says Adatto. His client’s problems were compounded by the fact that he practiced in one of the many states, including California, Illinois and Texas, that has its own patient privacy laws, which are far more stringent than the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) patient privacy rules.

The patient filed a civil lawsuit that was eventually settled out of court, and the plastic surgeon was slapped with heavy fines at the federal level.

While the moral of this particular story is to take a breath—and perhaps speak with your attorney—before responding to negative reviews, the increased use of technology—including electronic medical records, social media and email in aesthetic practices coupled with the proliferation of cyber-security concerns worldwide, means that medical practices must familiarize themselves with state and federal patient privacy rules and regulations.

Basic Requirements

Since 2003 HIPPA has required practices to have a privacy officer on staff. A HIPAA privacy officer oversees the development, implementation, adherence to and maintenance of privacy policies and procedures to ensure the safe use and handling of protected health information (PHI) in compliance with both HIPAA and state regulations. Practices must also have a written patient privacy compliance plan that spells out all the policies and procedures the practice follows to protect its patients’ healthcare information and conduct periodic risk assessments.

“Many practices either never complied with HIPAA, in that they have not conducted a risk analysis or established the required compliance plans. Or they did so some years ago, but have never updated either the risk analysis nor the compliance plan,” says Joseph E. Guimera of Los Angeles-based Guimeralaw Cybersecurity. “Periodic risk analyses and evaluation and modification of the compliance plans are both required by HIPAA, not to mention they are good security measures that help practices keep up with new threats that arise each day.”

For most small practices, an annual risk analysis is reasonable and meets HIPAA requirements, says Jen Stone, MSCIS, CISSP, QSA, a security analyst with Security Metrics in Salt Lake City.

“A lot of practice managers look at risk analysis as burdensome,” says Guimera. “HIPAA laws and regulations and recommendations may be burdensome, but they serve a purpose. You can never guard against everything, but you can minimize your exposure by taking the time to formulate a written plan regarding how to deal with threats and breaches, appoint a privacy officer and create written procedures and policies for the entire staff.”

In addition, you need to provide initial and ongoing staff training. “You need to know if your employees actually follow the rules, and every time you get a new team member, you need to make sure they are aware of the compliance protocols,” says Alex Thiersch, director of the American Med Spa Association (AmSpa) in Chicago.

Biggest Threats to Patient Privacy

Despite fears about external hackers, the biggest privacy risks come from within, says Guimera. “Health care is the only industry where internal threats are greater than external threats. Employee training is often lacking, and you have employees who make mistakes or, in some cases, act maliciously because they’ve been terminated or they are disgruntled about something,” he says. “You also have to consider the people who come through your office: sales reps, vendors, business associates and the patients themselves.”

Guimera recounts some of the things he has seen when visiting practices, including desks with computer screens or tablets open with patient information on them and Post-It notes with passwords written on them stuck to computers. He also recalls a recent site visit to a client’s office where someone failed to double-check a fax number and sent a patient’s records to an unknown fax machine.

Federal government records show a surprising number of cases that are a result of “that careless moment when your office manager leaves an iPad on the table while getting that latte at Starbucks,” says Adatto. “People don’t think about the fact that their laptop or tablet may have the medical history and personal information of 500 to 1,000 patients on it.”

Sometimes violations occur as a result of a mistake, but as any doctor knows, mistakes can be expensive. “Aesthetic surgeons love before-and-after photos,” says Guimera. “In one plastic surgery center, the web designer uploaded a whole bunch of before-and-afters to the practice website. Due to a coding error, you could see all the meta data for the 15 or so patients involved when you Googled their names. The entire cost was about $5 million to that practice.”

Adatto agrees that failure to obscure a patient’s identity by Photoshopping out a tattoo or a scar and scrubbing an image for any personal information that would tie that patient to the image, is an easy mistake to make. And it happens more frequently now that before-and-after photos have become such important marketing tools. “Recently, a plastic surgeon had a patient who was really happy with her results and signed off on all the consent forms to allow him to show the before-and-afters of her breast surgery,” he says. “The images were sent to the website team, and a few weeks later, a family member happened to Google her name and those photos popped right up. The website team had not scrubbed her name. The case was settled out of court.”

As for external threats, Guimera points to ransomware as a growing problem, particularly for aesthetic practices because they are perceived as successful and more likely to have prominent, famous or celebrity clientele. “The demands are usually smaller—$750 to $5,000—and they typically demand payment in Bitcoin,” he says. “They choose an amount they believe will be easier to pay in order to make the problem go away.”

How To Mitigate Your Risk

Guimera’s best advice for practices: Adopt a practice-wide culture of cyber security. First, use good passwords and do not post them in plain view. “You need to show your staff what good passwords are by giving them specific examples,” he says. “Training must be meaningful to be effective. Train your people to log off their computers or tablets every single time they step away from their desk even for a moment.”

He also encourages providers and staff to be much more cautious with their mobile devices. If you must store patient information on your mobile device, make sure it is encrypted and your device is password protected. “Aesthetic physicians love having their portfolios on their iPads or on their phones,” says Guimera. “But this is a risk.”

Another risk that is unique to the medical aesthetic industry is paparazzi. Employees, patients and outside contractors may be tempted to leak information about celebrities and other public figures treated at your practice.

“If you are an employee, leaking information to TMZ may seem like an easy way to make $2,000,” says Adatto. “You need to make it crystal clear that you have zero tolerance for privacy violations.”

Keep in mind that the practice is held liable for the mistakes of business associates, so you must have a written, HIPAA-compliant Business Associate Agreement for all third-party vendors who have access to patient information as well.
“Risk analysis is your strategy and operations is your tactics,” says Stone. “We recommend no remote access, secure servers and no PHI ever on a laptop. Patient information should all be internally held. Opening up ports to your data is like having more gates in your fence.”

Taking the time to complete a risk analysis and working with security experts to create protocols, train your staff and secure your networks is well worth the effort and expense for both your patients’ and your practice’s sake.

Echo Montgomery Garrett is a freelance writer based in Marietta, Georgia.

Image copyright Getty Images