Avoiding PHI Breaches
Banner Health, a large medical group based in Arizona, recently reached a settlement in a data breach case that will require them to pay $6 million. Such settlements are growing more common among both small and large companies in the medical industry. For example, Anthem agreed to a $115 settlement two years ago following a large cyberattack that compromised their customers’ data.
Such cases serve as reminders of how important it is for physician practices to adhere to HIPAA (the Health Insurance Portability and Accountability Act) and to secure PHI (Protected Health Information). Such breaches violate patients’ rights and threaten their identity security. Further, they can severely damage a practice’s reputation and, as the above settlements attest, be financially devastating.
Most large data breaches occur due to cyberattacks that exploit weaknesses in a business’s technical security. The most effective defense against such breaches is to keep your computers and security software up to date at all times. Other tips include:
- Have a system to ensure all software and computers are logged out when not in use
- Ensure provider and staff passwords are protected, and that accounts are deactivated as needed (for example, when staff leave)
- Have staff complete HIPAA and PHI training, such as the Dept. of Health and Human Services video modules available on hhs.gov
- Never open links or attachments from unknown email addresses
Providers and staff must also maintain safeguards against the “small” PHI breaches that often occur in the office setting. Such measures include:
- Regularly shredding obsolete paperwork containing PHI
- Properly storing and locking paper charts and other paperwork including PHI
- Keeping face-to-face conversations and phone calls that include PHI private and out of earshot of other patients