
Apparently, last week’s blog post on security struck a sore spot with many readers who have experienced security problems, challenges and employee issues within their office.
Interestingly enough, the comments and questions I received were not focused on firewall breaches, corporate bank data compromises or any “high level” security threats that created a cascade of financial and stress-related nightmares for chiropractic offices. Instead, most of your comments could be summarized with two warnings:
1) Beware the low-tech hacks
2) Employees can be incredible liabilities if not managed properly
While most would probably agree that any security issue should be approached with sufficient planning and preventative measures, the stories of just how much trouble these two items caused for your fellow chiropractors were both surprising and seemed to warrant additional attention on the matter.
Let’s deal with the first topic:
Beware Employee Stupidity and Low Tech Hacks
While the thought of some financial terrorist attempting a transfer from an entire bank’s portfolio of accounts to a mysterious bank in Liberia or the possibility of a band of Bulgarian mobsters launching a viral shutdown of your town’s financial institutions is certainly upsetting, apparently it’s the not-so-flashy stuff on which we should focus our preventative measures. Similarly, while some of you may lose sleep at night for fear of violating the umpteen HIPAA regulations you didn’t know about, it’s the stuff that just makes plain common sense that you can easily prevent.
And apparently, these common, everyday issues are thwarting your fellow DCs.
For example:
Last year about this time, big trouble broke out in Tennessee when thousands of medical records – including patient photos, files and social security numbers – were found in a Chattanooga recycling center bin. You need not be an expert in all matters HIPAA to determine that dumping your records (old, new or even patients that you do not like) into a recycling bin is not the proper way to dispose of medical files. Yet, it happened and the news was all over the story. And I am sure the fines weren’t pretty.
What’s worse is that the guy caught dumpster diving for those files (who likely thought he hit the mother lode of his career) took those files to make 1,000 fake IDs with which he ripped off other people, stores and banks. And he committed similar crimes throughout California.
I am sure you can also see several problems here:
- This fella was not just looking to be the most popular guy in his high school and make fake IDs for all his friends to get into the local bars. He is stealing your patients’ data as the starting point for his criminal sprees.
- Apparently, banks have poor protective mechanisms for detecting fake IDs
- Unlike banks, YOU as the chiropractor are dealing with Personal Health Information, which means when someone like this steals your patients’ info, YOU are now required to report the breach
- The process of reporting to Mrs. Melba Johnson that one of your employees (I am assuming it wasn’t you who dumped the files) used poor judgment and put her file in a recycling bin and some thief came and stole her social security number and other personal information and by now, has applied for an Abercrombie credit card, a home mortgage and was approved for a $1500 credit line to purchase some new wheels for their new/used Mazda (also purchased via the kind donation of Mrs. Johnson) – this is a conversation that will not go smoothly.
- This conversation will need to be repeated with all of your patients whose records were breached
Silence is Golden
Sometimes privacy or security takes the simple form of silence. Unfortunately, according to my mail bag (actually e-mail inbox, but I always thought it would be fun to open a bag full of fan mail) silence is not so simple. Employees routinely assist you in violating HIPAA privacy policies by openly discussing patient information with…well, anyone!
And while this too may seem like common sense, again, see above. It’s not usually the stuff out of The Matrix that is going to foil you. But when your employee casually mentions in the grocery store that she has seen Mr. Weasley in your office, not knowing that Mrs. Weasley has been trying to chase him down for 7 months’ worth of alimony, suddenly you are amidst a family squabble AND your employee’s loose lips have sunk your HIPAA ship. Mr. Weasley may be forced to pony up on his alimony, but you will be footing the bill once he turns you in for violating his privacy.
Similarly, it may seem safe to assume that the 16-year-old your tech is about to x-ray is not pregnant, has her parents’ permission, or even has parents who are paying; none of these assumptions is safe. And when your staff member e-mails the x-ray results to her parents, questions abound that you do not want to answer.
Silence is golden, if you can get it.
Some Employees are Smart, Lazy and Vindictive
Judging from the responses I received in regards to employee security threats, not all employees are dumb enough to dump data in dumpsters. In fact, some employees are too smart for their own (or our) good.
They play endless rounds of computer solitaire while claiming they don’t have enough time to do their job. They surf the internet on your time and your dime. Literally – you pay them, and some of them shop for personal items using your credit card. Others make money by selling your patient list to direct mail marketing companies. And when they leave or you fire them (associates or other independent contractors), they attempt to take your patients (and sometimes your records too) with them. Then, they try and sit on unemployment for a year and a half (despite the fact they only worked for you for a week and a half!).
Learn from the multitude of chiropractors who wrote in asking how to prevent these exact situations that occurred at the hands of wasteful or rogue employees. Protect yourself from unanticipated emergencies (let’s face it, no one’s smart enough to predict this type of behavior reliably).
Here are Three Protective Agreements I think can prevent a multitude of the problems many of you are facing or have faced in the past:
1) Establish an Employee Confidentiality Agreement: It might seem basic to have your employees sign something that states they can’t blab info or dump data, but if it occurs, you have at least protected your end from needless additional punishments or penalties via HIPAA or the consumers. Also, you need to demonstrate ongoing training in these matters, so having employees sign such an agreement (along with actual training) provides a paper trail of your compliance in this regard.
2) Utilize a Non-Compete Clause for All Associate Doctors: Sure, it may work out. You may even be partially at fault if it doesn’t work well. But protect your practice and livelihood if it does not. Some states limit the usage of these agreements, but in general, something is better than nothing. And I have witnessed the successful enforcement of non-competes which served their legally binding purpose along with stiff financial consequences for their violation.
3) Establish Appropriate Technology Policies: I use the word “technology” because really you have to have written guidelines for proper usage of the internet, of computers (and passwords), of cell phones, voice mail, email, downloads, instant messaging, etc. The least of your troubles (but the most common) is employees wasting time while surfing or emailing for personal reasons. As above, it can get a whole lot uglier than that, so to prevent this, put a policy in place!
Hindsight is 20/20 Wisdom
According to every chiropractor who e-vented (vented via email) their security and/or employee problems, you will undoubtedly and repeatedly kick yourself for future fiascos in this department – especially after reading this blog and being warned! Skip e-mailing me about how ridiculous it is that we have to do this and how deplorable society has become. I agree and the entities that make these rules don’t care. You just need to protect your asset numero uno.
Here are your options:
- Have your attorney draft the Three Protective Agreements for you and sleep soundly knowing you’ve done your part.
- Search the internet for these agreements – make sure they are up-to-date! Most technology agreements, for example, that I have seen online are outdated: they either have no reference to what we do as chiropractors (translated: HIPAA!) or do not contain clauses for relatively new “social media” provisions, online downloads policies or even instant messaging.
- For those who’d like to save time and searching, you can obtain a copy of my Three Protective Agreements that I use with my clients, updated and ready-to-go. Simply open the Word document, change the names and any relevant info to your clinic and you are on your way! For those who would like to have an attorney review your document, this will save you time and money compared with having them draft one from scratch.
Any way you slice it, be sure to act on this promptly. While both crime and stupidity are unpredictable, the price of planning is not nearly as painful as the headaches and hassles that will occur as a result of your neglect on this!
To Your Success!
Tom Necela, DC, CPC, CPMA
Legal Disclaimer: Every reasonable effort has been made to ensure the accuracy of the information and recommendations provided in respect to these Three Protective Agreements. However, due to the nature of changing payer requirements and state regulations, you may wish to seek advice from a local health care attorney to ensure that the use of these agreements are legally valid and compliant with your state laws.
