
Today's interconnectivity can also put patient data in jeopardy
In November, prescription giant Express Scripts reported that extortionists had gotten their hands on the company's data files and were threatening to expose millions of consumer records, including social security numbers and prescription data, if the company didn't pay an undisclosed amount.
"A day doesn't go by when I don't receive notice of yet another data breach, and a large number of breaches involve medical information," Mr. Wernick tells Cosmetic Surgery Times. "All medical practices need to be proactive in preventing breaches because taking a head-in-the-sand approach, or thinking they're too small a fish in the pond to have problems, is really a bad idea."

PRIVATE PRACTICES LEAD

The U.S. Department of Health and Human Services reports that, since enforcement of HIPAA patient privacy rules began in 2003, the most common type of "covered entities" required to take corrective actions for compliance has been private practices, followed by general hospitals, outpatient facilities and health plans. The compliance issues investigated most often, meanwhile, were impermissible uses and disclosures of protected health information, followed by lack of safeguards for protected health information.

Patient information security breaches can result from anything from the accidental failure to secure patient information to the malicious intentions of out-of-system hackers or in-house disgruntled employees.

BEWARE HACKERS

In terms of risk from the outside, peer-to-peer file-sharing networks have proven vulnerable. Though highly efficient in transmitting patient information, they have been susceptible to hackers in the past. And even if a practice doesn't have such programs, there have been reports of hackers loading peer-to-peer software onto computers and moving sensitive files to shared folders. Security programs are available to prevent those types of installations, but problems can still occur if employees take work home on laptops or store files in vulnerable places.

PATIENT PIX

Physicians' Web sites are perhaps the least secure places to put any kind of patient information, and, as plastic surgeon Dennis J. Hurwitz, M.D., learned the hard way, even when the patient identity is concealed, there's no guarantee the photo won't turn up on someone else's Web site.

"I recently had the experience in which photographs of one of my body contouring patients were taken off of my Web site and placed on someone's Facebook page, and the page identified the patient by name," says Dr. Hurwitz, F.A.C.S., clinical professor of plastic surgery, University of Pittsburgh, and director of the Hurwitz Center for Plastic Surgery.

Dr. Hurwitz says that while he had the proper consent to use the photos, neither he nor the patient expected the photos to appear elsewhere, and the patient was, understandably, extremely upset. "Simply obtaining permission to use a patient's images in marketing material, including on your Web site, may not fully protect you from the patient's hostility and potential legal action," he says. He adds a warning that doctors should use extreme caution in sending patient images to their Web designer for publication and make sure that identifying information isn't contained anywhere in the file.

SECURITY S.O.P.

To prevent security problems of a broader scale, practices may benefit from holding a full-fledged security breach drill of sorts, Mr. Wernick advises. "We recommend clients do disaster planning in which we work with outside IT to help set up disaster scenarios. By simulating a data breach event, you can examine how people respond without having a real problem, because that's probably the worst time to be addressing these issues."

SAFETY BY THE NUMBERS

In a recent article in the Journal of the American Health Information Management Association, Mr. Wernick recommended that medical professionals put the following steps in place to manage their liability in potential security breaches:

1. Have a legal audit performed, preferably by someone with a technology background and a familiarity with data privacy, security and compliance. The audit should include a review of practices and procedures, including vendor contracts, and should identify potential data privacy risks.
2. Have a security audit performed by a security professional.
3. Use encryption to secure data at all times.
4. Require users to use at least two security elements, such as passwords that change periodically, for interconnectivity access.
5. Obtain appropriate insurance for data breach losses.
6. Educate users about data security and data quality.

HIPAA PLUS

Most medical practices are, of course, already required to be compliant with HIPAA regulations on patient privacy, but new federal regulations will put added pressure on physicians to stay diligent in protecting data security. Among the regulations is an expansion of HIPAA recently signed into law by President Barack Obama. Under the law, called the Health Information Technology for Economic and Clinical Health Act (HITECH Act), HIPAA enforcement is being expanded to apply not just to "covered entities," but also directly to business associates. This means that individuals can face enforcement actions — including civil and even criminal penalties for breaches of patient health information — even if they are not employees of the covered entity.

The act also sets down new notification guidelines, including the requirement that individuals affected by data breaches be notified in writing and that the local news media be alerted in cases where more than 500 people are believed to be affected. The law is intended to ensure that those who could have been impacted by a data security breach are notified, but it clearly adds insult to injury for organizations hoping to somehow salvage their reputation in the midst of a data security breach.

"The cost of civil penalties or remediation resulting from a data breach may add up to significant dollars, but the more significant loss is the loss of public trust," Mr. Wernick says. "How likely would you be to go back to a physician's office if you knew your electronic health records were breached as a result of an error at the practice?"

Preventive action is the best defense against such a scenario, and when it comes to physicians, that's one thing that should come as second nature. "With doctors trained to practice preventive medicine, one would think that the practice of preventive legal measures would be a very acceptable concept," Mr. Wernick says. "Yet physicians often aren't even aware of all of the requirements for protecting their patients' records, and if they wind up in a courtroom, ignorance is no defense."