Privacy and Preparedness Should be Home Health's Top Priorities


By: Keith Crownover

A laptop or other mobile device is stolen. A coder inadvertently shares patient information outside his or her organization. Data is lost when moving from server to server. Whether it involves hospitals, home health agencies, or the federal government itself, privacy and security breaches are in the news. At worst, breaches can expose patients' names, Social Security numbers, and other sensitive protected health information (PHI).

A few recent incidents call to mind the importance of having policies and safeguards in place: An employee with a large home health agency had a laptop containing unencrypted PHI stolen from her car. A hospital employee lost a laptop during a conference in South America, exposing the PHI of more than 2,000 patients, while yet another printed out unauthorized copies of medical records for an offsite medical coding and billing class.

Whether caused by employees, outsourcers, cloud providers, or business partners, breaches also have serious financial consequences. The most recent Ponemon Institute Cost of Data Breach Study, considered the gold standard, reports that regardless of cause, the average cost is $5.5 million per breach, or $194 in direct and indirect costs per record compromised. Now, the federal government is stepping in and cracking down on privacy breaches, even those affecting fewer than 500 patients (a hospice was fined $50,000 for a breach that affected the PHI of around 450 patients when an unencrypted laptop was stolen). Don't forget the ancillary losses, including damaged reputation and brand, as well as the costs associated with in-house investigation and internal and external communications.

To help manage data and reputation, contain costs, minimize business disruption, and stay within the law, it's essential to develop an environment where patient privacy and data security are top-of-mind. It's especially critical for care-at-home agencies dealing with scheduling, care coordination, billing, and reporting. Some of those may have between 300 and 400 caregivers in the field on any given day, all armed with mobile devices.

Taking steps to protect privacy can go a long way. Although no method or technology is failsafe, here are a few pointers:

  • Prepare. Develop a series of possible scenarios and have a workable strategy in place. Although you may never need to use it, you'll have an "insurance policy" that can restore credibility and dramatically soften any financial or legal blows, as well as mitigate negative press.
  • Decide which, if any, mobile devices will be used in the field or base location(s), and whether or not they'll be used to carry PHI. If so, make it a policy that those devices are kept with their owners at all times.
  • Assess how data is used and stored. Beyond being required by HIPAA, risk evaluations can identify and fix potential leaks.
  • Strengthen user IDs, passwords, and other security controls. Change them frequently.
  • Confirm that you have HIPAA-compliant business associate agreements (BAAs) in place for any third parties that will access your "live data," which lives on the cloud, and your "data at rest," which includes documents digitally converted from paper and stored on file servers. Ideally, those servers should be on physical lockdown.
  • Encrypt not only transmitted data, but files and anything else that contains PHI.
  • Embrace compliance with all HIPAA, HITECH, and Meaningful Use 2 regulations.
  • Inventory all systems and devices your clinicians or coders may use. With each new device, add an encryption product.
  • Contain any breaches with adequate security controls. Take full responsibility, be transparent, understand the severity of the situation, and do whatever it takes to keep the trust of your various publics.
  • Notify victims of breaches in a timely but responsible manner. Federal statutes, including HIPAA, HITECH, and GLBA, require notification under certain circumstances; 46 states currently have breach notification laws in place.
  • Train all new and current employees on proper PHI protocols, including how it should or should not be used and shared with clients and co-workers.
  • Identify a crisis team. It should include management, legal counsel, electronic forensics consultants, public relations, law enforcement, and backup support. All relevant contact information should be available for team members, and all C-suite executives should be "on call."
  • Encourage workplace morality and ethics. Clinicians working with multiple home health patients, as well as coding specialists working with integrated EMRs, have access to huge amounts of private patient data, so these should be required job skills.

Privacy compromises and security breaches can occur anywhere, at any time. How a healthcare organization prepares for, and ultimately handles, a situation is what determines whether it's perceived as a success or failure.

Keith Crownover is President & CEO of Delta Health Technologies, LLC (www.deltahealthtech.com).



 

Total articles published on BC Advantage 3
