YSK: There is a Live HIPAA Breach Website by the US Department of Health and Human Services – Best Practices for Occupational Therapy Small Businesses

Data breaches are a common and ongoing phenomenon these days. Patient information such as health records, personal identifiers, and related data makes a high-value target for malicious parties. Here’s what you can do to find out about breaches, what to do if you suspect that your data or a patient’s data has been exposed, and other resources that can be helpful.

Whether as an occupational therapy practitioner, a consumer, or a member of society, it is important to be aware of these breaches. First, as an intermediary, you can inform patients of such breaches if you suspect they may be affected. They can then take appropriate action such as freezing their credit, filing a report, and signing up for credit monitoring, which is free after a breach; you don’t have to pay for it in this case.

“Everyone who was affected by the breach can ask for and get free credit monitoring.” – Equifax

Here is a screenshot from the HHS website as of November 2021:

[Screenshot] Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information

This page lists breaches from all types of sources. Notice that Walmart is on there. I suspect that, since these breaches pertain primarily to HIPAA, most of these companies and sources will be healthcare-related, such as hospitals.

Visit this page for an up-to-date list of breaches posted by the U.S. Department of Health and Human Services Office for Civil Rights, covering cases currently under investigation.
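The portal also offers its listing as a CSV download, so a practice can review it routinely instead of relying on a screenshot. The following is an added example (not code from the original post or from HHS) that parses a constructed sample in that export layout, keeps the entries a practice in a given state would want to review (same state, a business associate involved, or a vendor on a watchlist), and prints them largest-first so affected patients can be notified as suggested above. The column names are assumed to match the portal export, and the rows, vendor watchlist, and function names are constructed for illustration.

```python
"""Triage a HIPAA breach-portal CSV export for entries relevant to a small practice.

Added example (not code from the original post or from HHS). The HHS breach portal
offers a CSV download; the column names used here are assumed to match that export
and the rows below are constructed sample data, not real portal entries.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample in the portal's export layout (assumed column names; fictional rows).
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Rehab Clinic,CA,Healthcare Provider,1200,11/02/2021,Hacking/IT Incident,Network Server,No
Example Billing Services LLC,TX,Business Associate,45000,10/28/2021,Hacking/IT Incident,Email,Yes
Example County Hospital,CA,Healthcare Provider,530,10/15/2021,Unauthorized Access/Disclosure,Paper/Films,No
Example Health Plan,NY,Health Plan,8000,09/30/2021,Theft,Laptop,Yes
"""

# Hypothetical watchlist: vendors this practice shares PHI with (e.g., a billing company).
VENDOR_WATCHLIST = ["example billing services"]


@dataclass
class BreachEntry:
    entity: str
    state: str
    entity_type: str
    individuals: int
    submitted: date
    breach_type: str
    location: str
    business_associate: bool


def parse_breach_csv(text: str) -> list[BreachEntry]:
    """Parse the portal-style CSV into typed records, skipping rows with an unparseable count."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            count = int(row["Individuals Affected"].replace(",", ""))
        except ValueError:
            continue  # portal rows occasionally leave the count blank; skip rather than crash
        month, day, year = (int(p) for p in row["Breach Submission Date"].split("/"))
        entries.append(BreachEntry(
            entity=row["Name of Covered Entity"].strip(),
            state=row["State"].strip().upper(),
            entity_type=row["Covered Entity Type"].strip(),
            individuals=count,
            submitted=date(year, month, day),
            breach_type=row["Type of Breach"].strip(),
            location=row["Location of Breached Information"].strip(),
            business_associate=row["Business Associate Present"].strip().lower() == "yes",
        ))
    return entries


def relevant_entries(entries, state: str, since: date, watchlist=VENDOR_WATCHLIST):
    """Return entries a practice in `state` should review: submitted on or after `since`
    and either in the same state, involving a business associate, or naming a watchlisted vendor."""
    hits = []
    for e in entries:
        if e.submitted < since:
            continue
        on_watchlist = any(v in e.entity.lower() for v in watchlist)
        if e.state == state.upper() or e.business_associate or on_watchlist:
            hits.append(e)
    # Largest breaches first so the most impactful items get attention.
    return sorted(hits, key=lambda e: e.individuals, reverse=True)


def summarize(entries) -> list[str]:
    """One line per entry, suitable for a daily review note."""
    return [
        f"{e.submitted.isoformat()} {e.entity} ({e.state}, {e.entity_type}): "
        f"{e.individuals:,} individuals, {e.breach_type} via {e.location}"
        + (" [business associate]" if e.business_associate else "")
        for e in entries
    ]


if __name__ == "__main__":
    found = relevant_entries(parse_breach_csv(SAMPLE_CSV), state="CA", since=date(2021, 10, 1))
    print("\n".join(summarize(found)))
```

Run against a real export, the business-associate and watchlist filters are the useful part: a breach at a billing or transcription vendor you share records with is your patients’ problem even when the vendor is in another state, which a state-only filter would miss.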

Do you Run a Small OT Practice?

I hope that these examples make you concerned and cautious, because a breach could cost you your business and you could end up being sued. Now, I am not an expert in this space, but it seems anybody can be sued for anything these days.

Here are some suggestions to get you started. Consider consulting with a security or IT professional, especially one who works in healthcare, for best practices and an audit of your business to give you peace of mind.

  • Require employees to use strong, unique passwords.
  • Implement a policy requiring periodic password changes.
  • One user per login only; no shared accounts.
  • Automatically lock workstations after an idle period.
  • Update software, operating systems, and hardware.
  • Implement e-mail spam filtering at the system level.
  • Use a professional domain instead of a free one for e-mail, e.g., samantha@otdude.com instead of samanthatherapist@gmail.com.
  • Isolate software and data on separate networks and servers (VLANs).
  • Use virtual desktops (virtual machines, e.g., Citrix) rather than running software directly on the local machine.
  • Implement strong firewall rules and filtering.
  • Draft a good privacy practice and disclosure document for your website.
  • Don’t forget to follow HIPAA: disclose the requirements to patients and offer them the written material (even though 99% of people decline it).
  • Back up sensitive data either offline (more susceptible to physical loss, such as in a fire) or in the cloud (more vulnerable to attack).
  • Provide continuing education to employees on technology best practices; humans are often the weakest link, through social engineering and the exploits that follow.
  • Install a security system and camera system where allowed (do not violate privacy or break any laws).
  • Get personal and professional insurance (with a line item that specifically addresses HIPAA).
  • Consult with a professional in the space.

What to Do In Case of a Breach

Here are some resources that may be helpful:

My Thoughts

  • Services such as LifeLock are not really necessary, and you are better off spending your money and efforts in other areas: insurance, consulting, freezing credit reports, etc.
  • Consider physical vulnerabilities for your business or office. This includes locks, see-through glass windows, monitors that can be seen by the public, lack of security cameras, laptops left out in the open and unattended, etc. The key phrase to research is ‘social engineering’.
  • Change your perspective: it is not a matter of if, but when, your or your patients’ information will be breached. If Equifax and Sony have been breached, your company may be as well. You may think you are not an attractive target, but bots and programs are scanning the Internet for vulnerabilities 24/7 and are agnostic of the target.
  • If you have sensitive data in your hands, do not compromise on costs for security. At least have a consultant perform an audit of your business practices. That is likely what Equifax did, and look what happened to them. Put security and privacy first, before profits.

Take steps to avoid this happening to you!