breaches and notifying the US Department of Health and Human Services (HHS) when those breaches occur. For the first time, they applied significant monetary penalties to breaches.” On January 17, 2013, HHS issued a rule implementing changes in current regulations under HIPAA, pursuant to the HITECH Act. While an ASC with proper security practices will probably not need to change them as a result of the new regulations, Habte says, the analysis that goes into determining if a breach has occurred and whether the ASC must notify patients and HHS has been revised. “Recently HHS has clarified that an impermissible disclosure is presumed to be a breach unless the covered entity can really document that it falls within an exception or it doesn’t compromise the privacy or the security of the information.”


According to Habte, the new rule also changed the approach ASCs need to take to risk analysis. “In the past, there was a harm threshold. In other words, if an impermissible disclosure didn’t harm anyone, it wasn’t necessarily considered a breach. That’s a very simplistic way of saying that. But now there’s a ‘four-factor’ analysis based on the probability that the privacy or security of the information was compromised. Covered entities have to use this analysis process to evaluate and come to a conclusion about an incident, and they must document that conclusion. What this suggests is that there may be more impermissible disclosures that would be reportable. As organizations are moving into meaningful use, use of electronic medical and health record systems, etc., implementation of these systems may sometimes create new challenges. ASCs need to be aware of these strict reporting requirements and the potential liabilities associated with them.”


How Breaches Happen


A majority of data breaches are associated with the use of portable media devices such as a laptop or USB drive, says Marion K. Jenkins, PhD, executive vice president of 3t Systems, a healthcare information technology (IT) and cloud services company based in Greenwood Village, Colorado.

“These portable devices are sometimes stolen but often lost,” Jenkins says. “Someone drops it, it falls out of their briefcase, it gets left on the security scanner at the airport. Usually, the reason why data is put on these devices in the first place is someone wants to run a report or look at data at home or while traveling. It’s usually someone who has access to a lot of the ASC’s data, such as someone in management.”

PHI transmittal through unencrypted email and text messaging also presents opportunities for breaches, says Todd Clark, director of IT for Surgical Management Professionals.

“Email is really susceptible to being intercepted en route,” Clark says. “There’s definitely the potential for PHI leakage that way. Some physicians send text messages with other doctors to share PHI. Text messaging is also usually not a secure method of sharing information.”

ASCs are particularly vulnerable to breaches in other ways, Scarano says. “An ASC is kind of a workshop where a lot of different providers, who are not in a common practice, work with each other.” Since many ASCs have a centralized medical records system, he says, you may encounter a situation where the system does not properly segregate information about patients by their associated physician. “So one physician may get into the system and either intentionally or inadvertently become exposed to information about another physician’s patient.”

Jenkins adds, “ASCs usually have a large and diverse ownership group. So you have owners in the center, and you have affiliated physicians and sometimes independent contractors such as anesthesiologists. It’s different than a practice where it’s a corporate structure. In a hospital, everyone is typically an employee. In an ASC, you also have so much more mobility—doctors are coming in and out—so it can be more difficult to control what’s happening with your ASC’s patient data.”


Security Mechanisms

An effective way to understand how to keep data secure and protect PHI is to take the time to look at and learn the rules, Jenkins says. “If you’re worried about how to avoid these issues, it’s all contained in HIPAA. HIPAA security is a really good thing.”


ASC FOCUS MAY 2013 13

