
Tuesday, 17 September 2019 15:23

How Digital Cloud Fax Technology Can Eliminate Potential PHI Breach Pitfalls

Written by BRENDA HOPKINS

Amid a bustling medical practice, billing office, surgery center or health system, security may be the farthest thing on the minds of employees. But one critical mistake that breaches security protocols can cost a healthcare provider millions.

With the constant queue of patients, insurance preauthorizations, ringing telephones and other distractions, it’s no wonder mistakes happen. The legacy fax machine is a prime example. An employee making just one mistake keying in a number can send protected health information (PHI) to the wrong recipient—a HIPAA violation. Failure to include a cover sheet can leave patient information exposed on the recipient’s machine. An incoming fax left on a machine in an open area can be picked up by an employee who’s not authorized to view PHI.

If you believe the legacy fax machine has been replaced with the EHR and electronic forms of communication, think again: 75 percent of all medical communication in the United States still occurs by fax. There are much safer and more efficient ways to communicate than via the physical fax machine.

Cloud faxing eliminates many of the risks physical faxing presents, including stray paper copies being lost or misappropriated, faxes sent to the wrong number and copies left on the recipient’s fax in a public place. A fully HIPAA-compliant, cloud-based, fax-by-email solution will encrypt transmissions in transit and in storage, protecting medical offices and health systems from a breach, as well as patient PHI.

Real costs can be exorbitant

A New York City hospital was fined $387,000 in 2015 for faxing PHI to the wrong recipient in just two instances. In levying the heavy fine, the Office for Civil Rights, which administers the federal healthcare breach report, pointed to the egregious nature of the disclosures because the hospital cares for patients dealing with AIDS, HIV and chronic conditions. Protected health information (PHI) was sent to a patient’s employer in one case and to an office where a second patient volunteered.

Regardless of the reason, experiencing a data breach can create a catastrophic hardship for a healthcare provider—both in terms of real costs and a loss in brand value and patient trust.

It is well known that healthcare has the highest industry average per-record cost for a data breach, a finding borne out by a 2019 data breach report. The average total cost of a breach now tops $8 million. The typical breach hits more than 25,000 records, for a cost per lost record of $242. Notably, it takes an organization more than eight months to discover that a breach has occurred.

The survey also showed that smaller companies pay 17 times as much per employee for a breach, underlining the extreme hardship a breach can bring. The largest companies pay $204 per employee for each breach, compared with $3,500 per employee for organizations with between 500 and 1,000 workers. Finally, the five most costly contributing factors for a breach are third-party involvement, compliance failures, extensive cloud migration, system complexity and operational technology.

Expect long-lasting reputational hit

When most people think about a breach, they ponder the actual costs that can occur, including fines, legal fees, lost sales and costs associated with investigating and mitigating the incident. Lost in the discussion, but still a critical consideration, is the potential hit a company can take in terms of reputation. And a reputational hit can last for years.

When one thinks about Anthem or Equifax, the first thing that might come to mind is data breaches: 78 million records for Anthem in 2015 and 145 million for Equifax two years later. Both have paid steep fines, but the reputational costs linger.

Add Capital One to that infamous list. The financial institution announced a breach of 106 million records in July. While the actual and reputational costs have yet to be determined, it definitely will influence people’s financial choices for the next several years or longer.

A study of brand-related costs associated with a data breach of fewer than 1,000 records shows the potential for devastating losses. A loss in sales and/or a loss of customers can hurt, but losses in brand confidence or a loss in brand value can harm sales and a company’s reputation forever.

Most healthcare violations caused by employees

According to a 2019 breach investigations report, “Healthcare stands out due to the majority of breaches being associated with internal actors.”

“Internal actors,” of course, are employees. Physical faxes can be irresistible to prying eyes, especially when left on a fax machine in a public place.

HIPAA guidelines require a tight chain of custody at all times, a standard which paper faxes would have difficulty meeting. It might pass muster should the fax machine be in a locked closet with tight key control, but most fax machines are in the front office or registration office where unauthorized personnel and the public are always around.

Encryption is not technically required under HIPAA, with the Department of Health and Human Services referring to it as an “addressable” issue. However, encryption “must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI.”

A better way forward, especially when the cost of healthcare data breaches keeps rising, is to encrypt communications whenever possible.

Patient privacy especially critical

For any medical staffer, third-party biller, clearinghouse, insurer or provider, a patient’s medical information should be sacrosanct. The medical experience is deeply personal for every patient, with intimate details on file.

Hackers especially value medical records because of the wealth of information they contain. The medical record is seen as the holy grail for bad actors, because Social Security information and demographic information can be used to build fake profiles which sell for $1,500 or more. Children’s medical records can be used to defraud insurers, and even medical information from deceased patients is useful, because dead people don’t know their information has been compromised.

HIPAA compliance is the main reason to take the protection of PHI seriously, but maintaining patient privacy as a way to preserve brand equity ranks a close second.

Why digital cloud fax technology presents a clear way forward

Faxes aren’t going away anytime soon, but the physical fax machine’s days are numbered—or should be. Cloud faxing combines the convenience of faxing with the security protocols that HIPAA regulations and common sense demand.

A fully HIPAA-compliant, cloud-based, fax-by-email solution will encrypt transmissions in transit and while at rest. Rather than faxes arriving at a physical machine—even if it is in a locked closet—faxes arrive directly in the inbox of the intended recipient, where they wait for the recipient to log in and view them.

Such a solution allows administrators to view and manage fax usage through a web-based administrative portal. HIPAA compliance is maintained through the secure transmittal of messages, combined with full audit trails of all faxes sent and received.

And in the event of a data breach, companies would be covered by the “safe harbor” provision of the Breach Notification Rule because the encrypted data had been rendered unusable, unreadable, or indecipherable to unauthorized individuals. “If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.”

Conclusion

Last year was not record-setting in terms of total fines collected by the Office for Civil Rights, the arm of the U.S. Department of Health and Human Services charged with investigating data breaches. Settlements with 11 organizations brought nearly $27 million to OCR, a mean of $2.67 million—a hefty haul nonetheless. But 2018 did bring the largest fine ever—$16 million paid by Anthem for the 2015 breach of 78 million records.

The federal government remains committed to safeguarding protected healthcare data, investigating and fining those companies that allow breaches to occur. The potential damage to a healthcare organization’s finances, future revenues and reputation is too steep to ignore, so every step should be taken to safeguard healthcare data.

Often overlooked while securing PHI is the fax machine, a continued weak spot since it remains a communications workhorse for the healthcare industry. An enterprise-caliber digital cloud faxing solution can eliminate the physical fax machine and its inherent dangers, transmitting patient data using sophisticated encryption that protects this critical information.

Brenda Hopkins, eFax Corporate chief health information officer, specializes in the area of healthcare interoperability, where she is focused on open data exchange of healthcare information inside and outside of the EHR and on using open platforms and tools such as APIs as a means of sharing. She started her career as a pediatric/neonatal transport nurse and brings a patient/user-centered, team-oriented approach to technology build and enablement for leading software solutions. Prior to joining eFax Corporate, Hopkins held leadership positions at GE Healthcare, Kaiser Permanente, and Adventist Health, purchasing, building, implementing and scaling large enterprise EHRs and ancillary solutions with a strong focus on meeting clinical, revenue, safety and quality goals in value-based payment models and care delivery programs.