Neurosurgery Coding Alert

News You Can Use:

Understand And Utilize These Best Practices For PHI Security

Choose trusted partners and report any suspected PHI breaches.

With growing cyberattacks, there is an increased potential threat to the security of Protected Health Information (PHI) that your surgeons gather and store electronically.

Read on to learn about some recent, serious PHI breaches, and to garner some tips from Medicare and other experts about how to protect your practice.

Shocking Reports of Security Breaches

The Cyber Health Working Group has detected an unethical sale of six databases. There are also other reports of hacking with databases being sold for $400,000.

CMS Cautions: CMS issued a Special Edition MLN Matters release reminding providers to engage with business partners who understand and utilize the best practices compliant with the Health Insurance Portability and Accountability Act (HIPAA). You can access the MLN Matters article at www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNMattersArticles/Downloads/SE1616.pdf.

The security scare: “Any practice’s computer network attached to the internet has real vulnerability to illegal and/or inappropriate access and it is critical that practices take all reasonable measures to maintain a secure system,” says Gregory Przybylski, MD, director of neurosurgery at the New Jersey Neuroscience Institute, JFK Medical Center in Edison. “This becomes particularly challenging for small practices who don’t have the resources and scale of large institutions to maintain the highest levels of protection.”

That’s not all: The Office of the National Coordinator for Health Information Technology (ONC) recently reported that criminal cyberattacks are on the upswing, with an increase of 125 percent over the past five years, “replacing employee negligence and lost or stolen laptops as the top cause of health care data breaches,” said Karen B. DeSalvo, MD, MPH, MSc, national coordinator for health IT and HHS assistant secretary for Health, and Nicole Lurie, MD, MSPH, assistant secretary for preparedness and response, in a joint ONC press release on July 25, 2016. “The average consolidated total cost of a data breach was $3.8 million, a 23 percent increase from 2013 to 2015,” they continued.

Read more on: http://www.hhs.gov/about/news/2016/10/04/hhs-awards-funding-help-protect-health-sector-against-cyber-threats.html.

Why this matters: “HIPAA’s Breach Notification Rule requires reporting of a breach of unsecured PHI to the individuals and the secretary of HHS and, if a breach affects more than 500 individuals, to the media,” explains Michael D. Bossenbroek, Esq., of Wachler & Associates, PC in Royal Oak, Mich. “This rule also requires business associates to notify the covered entity as well if they are responsible for a breach. Breaches can lead to HHS investigations and compliance reviews.”

Here’s What You Can Do to Protect Your Surgery Practice

Protect the PHI in your care against healthcare cyberattacks, ransomware, and other digital warfare using the following tips:

  • Thoroughly research the background of any and all business partners you associate with and insist upon arranging a HIPAA-compliant business associate agreement (BAA).
  • Keep abreast of cyberattack news through the ONC, OIG, and HHS updates.
  • Familiarize yourself with the modus operandi of hackers to ensure you can recognize if your patients’ PHI has been compromised.
  • Immediately report any HIPAA violation of lost or stolen PHI to the authorities. This early outreach may reduce any civil or criminal liability you face.

Final note: Although monetary and criminal penalties await a mishandled PHI breach, that’s not all you have to fear. You also need to “take into consideration the reputational harm to the institution, the loss of public trust, and the potential embarrassment, inconvenience, and harm to patients and their families,” Bossenbroek points out.