Examples of Breaches and Preventions
Brenda J. Hurley, CMT, AHDI-F
Compliance is often directly linked to knowledge and understanding, and education and experience are how that knowledge and understanding are gained. For example, as a parent you surely warned your children not to touch the burner on the stove because it may be hot. A child still feels compelled to try, and the lesson learned from that experience is what finally produces the knowledge and understanding of why you should not touch the burner.
Without adequate knowledge and understanding of HIPAA, you can also get burned. With education and experience, however, you can avoid the errors and problems others have had when they did not adequately prepare themselves for HIPAA compliance. Below is a short list of a few of the most common breaches that have occurred in the medical transcription domain, and some ways to reduce your risk related to them. It is not intended to be an all-inclusive list.
Faxing: This is often the most common form of breach, simply because of the number of reports delivered daily in this unprotected manner. It can happen in several ways.
· A wrong number entered or edited in the fax database.
· A fax number has changed, but transcription was not notified of the change, so the fax continues to go to the old number, which is now the wrong place.
· Misunderstanding the correct name of the physician or facility that was to receive a copy of the report (sent via fax).
· Inadvertently pushing the wrong speed-dial number on the fax machine, thus sending the report to the wrong stored fax number.
A fax cannot be recalled once it has been sent, and whatever prints at the receiving end is readable in the clear by whoever controls that line. A misdirected fax is therefore an unauthorized disclosure of unprotected PHI, and each of the examples above can trigger serious consequences for all involved.
Suggestions to reduce the potential risks related to faxing include:
· Double-check numbers as they are entered in the fax database. This is a tedious task that is often done in a rush or while doing other things at the same time, so it does not get the concentration that accurately entering each number deserves.
· Perform a periodic audit of the fax database by sending a test document (not a report) to each number and having the recipient call to confirm receipt, which verifies that the number on file is correct. Depending on the size of your database, it may not be reasonable to do this all at once; if so, audit portions at a time so that the complete database is covered in increments over a period of time. Keep a record of the audits performed, including what was done and when.
· Confirm a process with your clients to receive fax number updates as soon as available. If individual MTs need this information, establish a process to provide that information to them as well.
· Remind all involved about the importance of accurately capturing new or revised fax numbers. Often these are dictated, provided by email, or given over the telephone. Have a procedure in place to verify a number before it is ever used for PHI (protected health information). This can be done by faxing a test document (non-PHI) to the number before using it for a document containing PHI. Keep a record of your test faxes, including what was done and when.
· When in doubt as to the name of the physician or the facility to be copied on a report, flag it for further review (or seek clarification from your client). It is better to have another set of ears to listen to it, or delay it for clarification, than to send an unprotected report to an unauthorized recipient.
· Staff members who use fax machine speed-dial functions should be reminded of the double-check rule before sending any PHI outside of the organization: confirm that the right facility or office is the target of the fax before pressing send. Also, store only healthcare facilities in the speed-dial function, so that if a report does go to a wrong stored number because the wrong button was pressed, it is another healthcare facility receiving it rather than a public place of business (e.g., Pizza Hut, a florist, Delta Airlines). Such a misdirected fax still has to be reported and assessed like any other incident, but a recipient that is itself bound by HIPAA is far less likely to retain or misuse the report, which limits the potential for a significant breach.
Email: If you do not use encrypted email, you should not put any PHI in an email. Doing so risks a breach of that unprotected PHI. Here are a few suggestions related to this.
· When inquiring about a report internally within the organization or externally with a client, consider using dictation job numbers.
· Often it is the client who puts PHI in an email; they seem oblivious to the fact that you are not inside their facility's secured network. When you reply, delete the PHI from the quoted message and refer to the dictation job number instead, so that the PHI they sent you is not repeated and sent again. If you use encrypted email with the client, good for you, because then this is not an issue.
Printing/Sample Reports: If you print a report or any material with PHI, it needs to be secured. This includes within your home-based office. Do not leave printed materials with PHI available for unauthorized individuals to see (this includes your family members and friends).
· If you have a report you wish to use as a sample, be sure to de-identify it before printing it. De-identification means removing every individually identifiable element, not just the patient's name: under HIPAA's Safe Harbor method that includes names, all elements of dates other than the year (birth, admission, discharge, service), telephone and fax numbers, email addresses, Social Security, medical record and account numbers, and any other unique identifying number, characteristic or code, for the patient and for the patient's relatives, employer and household members. Once all of these have been removed, the report is no longer PHI and does not require any special protection.
· Consider keeping your sample reports electronically, as they are easier to search by key word or partial word. They would again need to be de-identified so that they are not PHI and therefore do not require encryption when stored.
· If you print out a patient list or daily log sheet, even if it only has the patient's name on it, you need to protect it, and when you are finished with it, shred it with a cross-cut shredder so that it is completely destroyed. If you must store these documents for a limited time, keep them under lock and key in a file cabinet.
· Do not store any hard-copy PHI longer than absolutely necessary, as it puts you at risk for a potential breach.
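The two habits above, screening an outgoing email for PHI before it leaves and de-identifying a report before it becomes a sample, use the same checks. The Python below is an added worked example, not part of the original article: it screens text for the identifier categories that have a recognizable pattern (dates, phone numbers, SSNs, medical record numbers, email addresses) and redacts them, and it takes the names to remove as an explicit list because names in free text cannot be found reliably by pattern alone. The sample report, the patient and physician names, and the regular expressions are constructed for this example; the job-number format is a made-up one.

```python
import re

# Identifier categories with a recognizable shape (constructed patterns;
# a real deployment would tune these to the formats its clients use).
# MRN is listed first so a long record number is not misread as a phone number.
PATTERNS = {
    "MRN": re.compile(r"\bMRN[:#]?\s*\d+\b", re.IGNORECASE),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "PHONE": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def find_phi(text, names=()):
    """Return (category, matched_text) pairs for every identifier found.

    `names` is the list of person names known for this report (patient,
    relatives, dictating physician); they are matched case-insensitively.
    """
    hits = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    for name in names:
        for match in re.finditer(re.escape(name), text, re.IGNORECASE):
            hits.append(("NAME", match.group(0)))
    return hits


def deidentify(text, names=()):
    """Replace every identifier with a bracketed category tag, e.g. [DATE]."""
    out = text
    # Longest names first so "John Q. Sample" is not half-replaced via "John".
    for name in sorted(names, key=len, reverse=True):
        out = re.sub(re.escape(name), "[NAME]", out, flags=re.IGNORECASE)
    for category, pattern in PATTERNS.items():
        out = pattern.sub(f"[{category}]", out)
    return out


def is_safe_to_send(text, names=()):
    """True when the pattern screen finds nothing; use before sending email."""
    return not find_phi(text, names)


# Constructed sample report; no real patient or physician.
SAMPLE_REPORT = """Patient: John Q. Sample    MRN: 4471823    DOB: 03/14/1952
Dictated by: Dr. A. Example    Date of service: 06/02/2011
Callback: (555) 123-4567    Email: john.sample@example.com
HISTORY: The patient is a 59-year-old male seen for follow-up of hypertension.
PLAN: Continue current medication. Return in 3 months."""
SAMPLE_NAMES = ["John Q. Sample", "A. Example"]


if __name__ == "__main__":
    # Screening a reply that refers to the dictation job number only passes.
    print(is_safe_to_send("Please re-check job 20110314-0452; the cc physician's name is unclear."))
    # The raw report fails the screen; the de-identified copy passes it.
    print(is_safe_to_send(SAMPLE_REPORT, SAMPLE_NAMES))
    print(deidentify(SAMPLE_REPORT, SAMPLE_NAMES))
```

Two cautions on using this. First, the screen only knows the shapes it was given: a date written as "March 14th", a street address, a relative's name not on the list, or an unusual record-number format will pass it, so it is a second set of eyes for the email and sample-report rules, not a substitute for human review, and a report is only Safe Harbor de-identified once every category on the HIPAA list has been checked. Second, `is_safe_to_send` passing on the de-identified output is a regression check against the same patterns, which is why the names list must be complete for each report.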
Portable Media: Backing up a computer system is an important practice for everyone who uses and depends on a computer. If the backup media contains any PHI, it must be protected with encryption to avoid a breach. Small hard drives and flash drives are easily lost or stolen, so keeping them encrypted protects not only the PHI but also your own personal data stored on them. Use full-disk encryption with a strong passphrase and keep the passphrase or recovery key separate from the drive: a lost encrypted drive is an inconvenience, while a lost unencrypted one is a breach.
Unprofessional Behavior: Those who snoop on company or client systems, share PHI with friends or family members, or leak patient information to the media will lose their job and risk their reputation and future employability in an industry that prides itself on being a strong protector of confidentiality. Do not do this, and do not think that you will not get caught, because audit trails and sophisticated computerized tracking will catch you and prove your guilt if you try. I am clear on that!
Use of your Computer: Whether you use your own computer or one provided by the company, do not let others use it at any time. The computer is a critical tool that gives access to privately maintained systems and to PHI. Do not risk anyone inadvertently making changes that could affect your ability to work or the security of the information you access. Lock the screen whenever you step away and keep your login credentials to yourself; a shared login also makes the audit trail useless, because it can no longer show who did what.
When something just does not add up: There are times when you can sense that something does not add up. When that happens, send the report for a secondary review or hold it for clarification by your client. An example would be an unfamiliar dictating physician who does not appear on the roster for the facility. The easy assumption is that this is a new physician not yet added to the database, but it could instead be a physician who entered the wrong identifying numbers at the time of dictation, so that the dictation was matched in error to the wrong facility. All staff members, especially MTs who are on the front line for these types of problems, need to be sensitive to "getting it right" when it comes to the critical identifying data matched to a report.
Realize that taking a moment to prevent a potential breach is the best medicine for keeping PHI protected. Truly, compliance is everyone’s responsibility – so don’t get burned!