Preparing For The Challenges Of Moving Medical Records
Contributed by Scott McNelley
Moving a medical facility is no small feat. You’ve got specialized equipment to consider, timing and tracking concerns, security issues and more. Even something as simple as deciding on the order in which to equip and furnish a new facility can involve multiple management teams and months or even years of planning.
But while you’re planning to move equipment, furnishings, incidentals and even staff from one location to another, how carefully are you considering moving one of your most valuable and vital assets of all – your medical records?
Hospitals and medical facilities face special challenges when planning and executing a successful move and one of those challenges lies in the quantity and variety of vital and sensitive information that you’re responsible for safeguarding.
From digital to physical paper copies, your hospital and administration is the gatekeeper between patients and identity theft. Think about what you have within your care: social security numbers, driver’s license information, phone numbers, address and credit card data, medical histories and other highly personal details that make hospitals prime targets for thieves.
Adding to your challenges, you’re likely obliged to follow retention and storage regulations, which means you may indeed have a lot more data than is apparent. The possibility of “low tech” breaches is especially high given that many medical facilities have basements and storage areas full of paper documents that are easily stolen, copied or photographed. The low probability that a thief will be caught makes the temptation that much stronger and leaves your hospital open to serious liability, including loss of reputation, costs and significant PR issues.
During a move it’s essential to take effective measures to protect this data for the very reason that it is so sensitive and so easily stolen. Moreover, HIPPA rules are stringent in protecting patient data, which means your medical facility is responsible for complying with regulations.
With so much at stake, how do you ensure that medical data and records are protected? Let’s take a look at some of the weak spots in the moving chain so you can understand where your risks lie, and then discuss best practices for mitigating risk.
Types Of Risk
Your risk essentially falls into two broad categories: low tech breaches and high tech theft.
Both of these types of risk can come from internal or external sources – meaning data can be stolen by anyone from employees and internists to cleaning and maintenance crews, utility repair crews or even the very moving company you’ve entrusted to safely transport your records and files.
Low tech risk comes into play when your basement or other storage areas are stacked with boxes and filing cabinets full of financial and billing information, old medical records and more. In addition, you’ve probably never considered your trash cans to be a source of liability, but even discarded notes, extra photocopies or other paper trash can contain sensitive data that is easy to lift.
This highly concentrated volume of data is a goldmine for thieves. Using equipment as simple and ordinary as a digital camera, someone can photograph financial information, personal details and more, and have this data transferred to a third party and sold on the open market to identity thieves long before you suspect it’s happened.
Low tech theft can also occur during a move if boxes are left unattended, even for a short period of time, or if your moving company has hired “day labor” without conducting thorough background checks.
High tech theft is less common, simply because thieves can so effortlessly steal information with hardly more than a smart phone, but it’s important to understand your vulnerable spots so you can protect your facility and patients. High tech theft occurs when computers, servers, even copiers and faxes are not secured properly, leaving data and networks open to prying eyes.
Again, thieves can come in the form of internal staff or labor hired for a move who understand and exploit these vulnerabilities.
Given the amount and sensitivity of data you must protect and the ease with which it can be appropriated for criminal activity, it’s important to understand how to mitigate those risks, reduce your liability and keep data protected.
How To Mitigate Low Tech Risk Of Data Theft During A Move
Given the complexities of a medical move, you may be surprised by how some rather simple steps can prevent data theft. All it takes is planning and putting the right systems in place.
It begins with hiring a qualified moving company that you can entrust with your medical records and sensitive data, but we’ll get to that in a moment. First, here are some practices that your moving company must employ, starting with securing boxes and making sure they are never left unattended.
Boxes that are loaded onto trucks and then left while the loading continues are prime targets. It doesn’t take much for a quick snap of a camera or even for a whole box to go missing.
But simply watching boxes is not enough – they must be protected even before leaving your building. That means being aware of unguarded entry points into your building during a move and taking steps to prevent people from simply walking in and out unnoticed.
Additional precautions can be taken, including prohibiting movers or other personnel from bringing personal technology like cameras or smart phones into the building during a move.
And remember to secure those trash cans. It can be especially tempting during a move to discard unneeded paperwork, which may well go on to become a nightmare for your patients and administration.
How To Mitigate Risk Of A Technology Breach During A Move
Again, a qualified moving company will play a large role in standing between you and data theft. But understanding technology vulnerabilities will go a long way to ensuring that you’re not inadvertently leaving loopholes for thieves to slip through.
For example, did you know that every copier, fax or multifunction device in your building is likely to have a large quantity of sensitive data in memory? And did you know that even engaging the “locks” on those devices is insufficient because a thief with a small bit of technical knowledge can easily break them?
That makes it imperative to properly secure technology during a move – from the obvious like desktop computers and servers to the less obvious like copiers and fax machines.
And beware decommissioning. It’s not uncommon for old equipment to be sold, discarded or left behind and new equipment placed in the new facility. If that’s part of your moving plan, be sure to deal with the memory in each decommissioned piece of equipment. It may very well contain a treasure trove of billing records, patient charts and other information just waiting to be swiped.
Finally, be sure to check networks to see whether data is stored elsewhere. Anything you overlook is open to thieves.
Vetting And Hiring A Qualified Moving Company
Long before moving day, you need to find and vet a moving company to trust with your most invaluable assets.
Begin by conducting a background check to ensure that you’re engaging a reputable and reliable company.
Inquire about the company’s employees, specifically whether the company has a qualified team that is trained in handling high-value assets, dealing with privacy issues and mitigating security risk. Avoid companies that simply assign day labor or temps to handle your job, or those unfamiliar with your liability and data protection needs.
A reputable and experienced moving company will be able to educate you about your liabilities for both high and low tech breaches and take specific measures to avoid theft, including handling any of the scenarios mentioned here.
Ask about secure chain of custody. A moving company that understands medical liability will know how to provide proof that data was secured and untouched from first contact through final arrival. And ensure that the company employs a chain of command that avoids leaving individuals alone with sensitive data. In fact, a truly experienced company will prohibit its own employees from entering your building with cameras or even personal cell phones, going so far as to use walkie talkies to communicate.
Finally, the company you choose should provide you with the proper contracts and agreements, including a Confidentiality Agreement and a Business Associates Agreement, the latter of which is required between a hospital and any third party that has access to private data.
Why Trust CRN?
The Commercial Relocation Network (CRN) is a membership organization made up of the largest and most successful office and industrial relocation companies in the country, which makes it an excellent resource if you’re looking to hire a moving company. An executive committee of industry professionals is dedicated to having only “Best in Class” service providers who have built trusted reputations through experience, accountability and service.
When you work with a CRN member, you are assured that the company has already been vetted and brings an advanced skillset to the table. Their employees have also been vetted and are trained in all aspects of security to proactively mitigate your exposure to risk.
Network members collaborate, share experiences, information and knowledge and engage in partnerships to bring the advantage of their unique specialties to your service.
With a commitment to quality and service, the knowledge to put agreements and contracts in place that will protect your organization and a reputation that follows them from one successful project to another, CRN members are prepared to meet your moving needs.
If you have any questions about moving medical records, please contact us and let us know how we can make your move a success. Fill out the form to the right or call (877) 816-3454