The EMS environment and the risks posed by the widespread use of portable electronic devices formed the backdrop of the EMS Today session, “Breaches are Bad: Protecting the Security of Patient Information.” Nationally-known EMS attorney Doug Wolfberg—who literally “wrote the book” as one of the co-authors of the widely-used Ambulance Service Guide to HIPAA Compliance—told the audience that “there are countless ways in which the security and privacy of patient information can be breached,” noting that this can include “both external threats such as ransomware and malware and from internal threats, such as lack of crew member education, inappropriate use of social media, and lack of basic controls over portable electronic devices.”
Because the penalties and other consequences of a patient information breach can be costly, Wolfberg presented strategies to reduce the likelihood of a breach occurring in the first place. Chief among these strategies is performing a privacy and security risk analysis. Wolfberg noted that this isn’t simply a good business practice, it’s a legal requirement. “Your documented risk analysis is literally the first thing the federal HIPAA police will ask for when they walk in your door to investigate a breach complaint,” Wolfberg said. Even if the feds find that no breach occurred, the failure to have the documented privacy and security risk analysis in place can itself lead to a HIPAA penalty.
The session also focused on personnel strategies to prevent patient information breaches from happening. Ensuring that your agency has proper social media policies and training in place, as well as policies governing the use of both employer-owned and personal electronic devices, can go a long way toward preventing breaches. The importance of scenario-based personnel training in preventing and reporting breaches was an important part of this message.
Wolfberg also instructed the attendees on the proper procedures for managing and reporting a breach when it does occur. He noted that “Federal law requires you to take certain steps and to make certain notifications when a breach of patient information occurs.” In some cases, he added, large-scale breaches (which involve more than 500 patients) require reporting to the local news media. All breaches must be reported to the Federal government, and those breaches are publicly disclosed on a searchable database. Notification of a breach must also be made to the individuals affected. The bottom line is that a breach cannot simply be managed internally—there are numerous external notifications that must be made as well.