Apparently, last week’s blog post on security struck a sore spot with many readers who have experienced security problems, challenges and employee issues within their office.

Interestingly enough, the comments and questions I received were not focused on firewall breaches, corporate bank data comprises or any “high level” security threats that created a cascade of financial and stress-related nightmares for chiropractic offices.  Instead, most of your comments could be summarized with two warnings:

1)      Beware the low-tech hacks

2)      Employees can be incredible liabilities if not managed properly

While most would probably agree that any security issue should be approached with sufficient planning and preventative measures, the stories of just how much trouble these two items caused for your fellow chiropractors was both surprising and seemed to warrant additional attention on the matter.

Let’s deal with the first topic:

Beware Employee Stupidity and Low Tech Hacks

While the thought of some financial terrorist attempting a transfer from an entire bank’s portfolio of accounts to a mysterious bank in Liberia or the possibility of a band of Bulgarian mobsters launching a viral shutdown of your town’s financial institutions is certainly upsetting, apparently it’s the not-so-flashy stuff on which we should focus our preventative measures.  Similarly, while some of you may lose sleep at night for fear of violating the umpteen HIPAA regulations you didn’t know about, it’s the stuff that just makes plain common sense that you can easily prevent.

An apparently, these common, everyday issues are thwarting your fellow DC’s.

For example:

Last year about this time, big trouble broke out in Tennessee when thousands of medical records – including patient photos, files and social security numbers – were found in a Chattanooga recycling center bin.  You need not be an expert in all matters HIPAA to determine that dumping your records (old, new or even patients that you do not like) into a recycling bin is not the proper way to dispose of medical files.  Yet, it happened and the news was all over the story.  And I am sure the fines weren’t pretty.

What’s worse is that the guy caught dumpster diving for those files (who likely thought he hit the mother lode of his career) took those files to make 1000 fake ID’s in which he ripped off other people, stores and banks.  And he committed similar crimes throughout California.

I am sure you can also see several problems here:

• This fella was not just looking to be the most popular guy in his high school and make fake ID’s for all his friends to get into the local bars.  He is stealing your patient’s data as the starting point for his criminal sprees.
• Apparently, banks have poor protective mechanisms for detecting fake id’s
• Unlike banks, YOU as the chiropractor are dealing with Personal Health Information which means when someone like this steals your patient’s info, YOU are now required to report the breach
• The process of reporting to Mrs. Melba Johnson that one of your employees (I am assuming it wasn’t you who dumped the files) used poor judgment and put her file in a recycling bin and some thief came and stole her social security number and other personal information and by now, has applied for an Abercrombie credit card, a home mortgage and was approved for a $1500 credit line to purchase some new wheels for their new/used Mazda (also purchased via the kind donation of Mrs. Johnson) – this is a conversation that will not go smoothly.
• This conversation will need to be repeated with all of your patients whose records were breached

Silence is Golden

Sometimes privacy or security takes the simple form of silence.  Unfortunately, according to my mail bag (actually e-mail inbox, but I always thought it would be fun to open a bag full of fan mail) silence is not so simple.  Employees routinely assist you in violating HIPAA privacy policies by openly discussing patient information with…well, anyone!

And while this too may seem like common sense, again, see above.  It’s not usually the stuff out of The Matrix that is going to foil you.  But when your employee casually mentions in the grocery store that she has seen Mr. Weasly in your office, not knowing  that Mrs. Weasly has been trying to chase him down for 7 months worth of alimony, suddenly you are amidst a family squabble AND your employee’s loose lips have sunk your HIPAA ship.  Mr. Weasley may be forced to pony up on his alimony but you will be footing the bill once he turns you in for violating his privacy.

Similarly, it may seem like you can safely assume that the 16 year-old your tech is about to x-ray is not-pregnant, has their parents permission or even has parents that are paying, none of this is safe.  And when your staff member e-mails the x-ray results to her parents, questions abound that you do not want to answer.

Silence is golden, if you can get it.

Some Employees are Smart, Lazy and Vindictive

Judging from the responses I received in regards to employee security threats, not all employees are dumb enough to dump data in dumpsters.  In fact, some employees are too smart for their own (or our) good.

They play endless rounds of computer solitaire while claiming they don’t have enough time to do their job.  They surf the internet on your time and your dime.  Literally – you pay them and some of them shop for personal items using your credit card. Others make money by selling your patient list to direct mail marketing companies. And when they leave or you fire them (associates or other independent contractors), they attempt to take your patients (and sometimes your records too) with you. Then, they try and sit on unemployment for a year and half (despite the fact they only worked for you for a week and a half!).  

Learn from the multitude of chiropractors who wrote in asking how to prevent these exact situations that occurred at the hands of wasteful or rogue employees. Protect yourself from unanticipated emergencies (let’s face it, no one’s smart enough to predict this type of behavior predictably).

Here are Three Protective Agreements I think can prevent a multitude of the problems many of you are facing or have faced in the past:

1)      Establish an Employee Confidentiality Agreement: While might seem basic to have your employees sign something that states they can’t blab info or dump data, but if it occurs, you have at least protected your end from needless additional punishments or penalties via HIPAA or the consumers. Also, you need to demonstrate ongoing training in these matters, so having employees sign such an agreement (along with actual training) provides a paper trail of your compliance in this regard.

2)      Utilize a Non-Compete Clause for All Associate Doctors: Sure, it may work out.  You may even be partially at fault if it doesn’t work well. But protect your practice and livelihood if it does not.  Some states limit the usage of these agreements, but in general, something is better than nothing. And I have witnessed the successful enforcement of non-competes which served their legally binding purpose along with stiff financial consequences for their violation.

3)      Establish Appropriate Technology Policies: I use the word “technology” because really you have to have written guidelines for proper usage of the internet, of computers (and passwords), of cell phones, voice mail, email, downloads, instant messaging, etc.  The least of your troubles (but the most common) is employees wasting time while surfing or emailing for personal reasons.  As above, it can get a whole lot uglier than that, so to prevent this, put a policy in place!

Hindsight is 20/20 Wisdom

According to every chiropractor who e-vented (vented via email) their security and/or employee problems, you will undoubtedly and repeatedly kick yourself for future fiascos in this department – especially after reading this blog and being warned!  Skip e-mailing me about how ridiculous it is that we have to do this and how deplorable society has become. I agree and the entities that make these rules don’t care. You just need to protect your asset numero uno.

Here are your options:

Have your attorney draft the Three Protective Agreements for you and sleep soundly knowing you’ve done your part.

Search the internet for these agreements – make sure they are up-to-date!  Most technology agreements, for example, that I have seen online are outdated either have no reference to what we do as chiropractors (translated HIPAA!) or do not contain clauses for relatively new “social media” provisions, online downloads policies or even instant messaging.

For those who’d like to save time and searching, you can obtain a copy of my Three Protective Agreements that I use with my clients, updated and ready-to-go.  Simply, open the Word Document, change the names and any relevant info to your clinic and you are on your way!  For those who would like to have an attorney review your document, this will save you time and money from having them draft one from scratch.

Anyway you slice it, be sure to act on this promptly. While both crime and stupidity are unpredictable, the price of planning is not nearly as painful as the headaches and hassles that will occur as a result of your neglect on this!

To Your Success!

Tom Necela, DC, CPC, CPMA

Legal Disclaimer: Every reasonable effort has been made to ensure the accuracy of the information and recommendations provided in respect to these Three Protective Agreements. However, due to the nature of changing payer requirements and state regulations, you may wish to seek advice from a local health care attorney to ensure that the use of these agreements are legally valid and compliant with your state laws.

Today’s post is a back-to-basics reminder of something that we all should not need to be reminded of, but….it is likely than most chiropractors could use improvement in this area.

The topic: security.

Specifically, I’d like to say a few words about the security of information, finances and records in your office.  Some of this pertains to HIPAA; some of this pertains to good old fashioned common sense.  Both are needed.

In case you were not aware, business accounts are the most vulnerable to hacker attacks and the least protected by the law. This is bad news for all chiropractors who do not hold their money under their mattress, which I suspect is most of us.  Here’s why:

Hackers are much more inclined to break into a six-figure business account than a consumer account with a few thousand dollars, according to the article “Could Online Hackers Steal Your Cash” published on the financial website Bankrate.com.  And there’s more bad news: if your bank determines that your money vanished because of something you did, they may not be liable for your disappearing cash!  Sound a bit subjective and risky to you?

With online transactions and banking opportunities increasing daily, chiropractors need to be especially vigilant of protecting their accounts not only to protect their money, but need to take extra steps towards data security in general.  A breach in a health care office may not only be financially damaging, but also has potential to cross lines and expose patient’s personal health information, which could lead to HIPAA privacy violations and fines as well.

While all of this may sound like the plot line to a new conspiracy theory thriller, a quick reality check in your own office may reveal that you are either well protected or unnecessarily exposed so such dangers.

Here are a few items that I would recommend for your to-do list so you can sleep a little more soundly:

• Make sure all patient files (and x-rays) are kept in locked storage.  This is not only required via HIPAA regulations, but is a good idea to prevent theft.

• Utilize tougher passwords online.  “1234” just won’t cut it.  Use multiple passwords – not the same one for every site to avoid a widespread breach.  Mix upper and lower case numbers, letters, symbols, etc.

• Protect yourself against malware (viruses, spyware and other online threats).  While most computers come with a free trial, many chiropractors let them lapse and/or never upgrade to the full version.  Check out the June 2010 issue of Consumer Reports magazine for the latest ratings on effective free and paid security software.  The most expensive fee of any of their recommended options is $70 – hardly a matter for debate when you consider the amount of time, money and effort that will be expended if something bad happens.

• Pay to have a security system with monitoring installed in your office.  In terms of banking, your greatest theft threat may be online.  But fire, break-ins and other hassles can effectively be monitored via a security system.  I know several DC’s whose offices were destroyed by the elements and many more who suffered break-ins.  Even small town DC’s are not immune to crime and certainly not safe from the elements.

• Don’t Let Employees Take Laptops Home.  One of the biggest data breaches in health care history occurred when a Blue Cross employee took a laptop to do some work from home.  Unfortunately, the laptop was stolen in a parking lot while the employee was busy running errands.  So not only did the employee NOT get any work done at home, the employee inadvertently caused a data breach that involved over 100,000 physician records – including Social Security numbers and EINs.  Certainly, an accident like that would not be of the same magnitude for your office. But how many patients do you want to notify and inform them that your employee’s conduct caused their personal information to be stolen? Although that would certainly not be fun, it would be required per HIPAA regulations and failure to do so would result in major fines!

Lock up. Protect your business. Sleep well.

Tom Necela, DC, CPC, CPMA