This past January, the AAA hosted a webinar presented by EMS/healthcare Attorneys Matthew Streger, Margaret Keavney, and Rebecca Ragkoski, titled Cybersecurity, Top 10 Considerations in Healthcare and How to Address Them. During this very informative webinar, Matt, Margaret, and Rebecca covered one of the biggest issues facing EMS and other healthcare providers today: data security. If you did not get a chance to listen in on this program, it is available on-demand at the AAA website.
As highlighted in their webinar, data security and data breach concerns are among the most frequently encountered issues facing EMS agencies, not only as healthcare providers but also as employers. Ensuring that patient and employee protected health information (PHI) and personally identifiable information (PII) are adequately protected from access or intrusion is critically important.
Alabama becomes the 50th state to enact data breach requirements for all individuals and businesses in the state. The Society for Human Resource Management (SHRM) provides a great summary of the new breach requirements in several articles published this week. The National Conference on State Legislatures is a great resource for learning the laws that apply to your organization. Of course, it is recommended that all members engage a law firm that is familiar with data security requirements at both the federal and state levels.
It is critically important for EMS agencies to perform a risk analysis for all data systems. This analysis should include all third-party-hosted web platforms that contain or may contain PHI or PII. EMS leaders should inquire with their IT departments and all EMS leadership to identify where PHI or PII might be found. Be sure to include any incident reporting system utilized by the agency. Often these systems include information about response locations, which can include patient addresses or other PHI. Many incident reporting systems also hold employee incident and injury data, which can include PII. Be sure that these often-overlooked systems meet the security requirements detailed in the applicable federal and state data protection laws.