A breach of HIPAA’s Security and Privacy Rules can cost an organization serious money. The penalties are largest when the Office of Civil Rights concludes that an organization hasn’t made an substantial effort to protect confidential patient information. While breaches can occur in spite of the best of intentions, here are five tips that your organization can implement today to help lower these risks:
1. Encrypt all devices and drives. The worst breaches of protected health information happen when a device with patient records goes lost or stolen and wasn’t encrypted. Fines in these cases have gone into the millions. The remedy is full-device encryption, paired with the usage of strong passwords. This applies especially to laptops, tablets, and phones, as well as with any USB drives or memory cards that could leave the office. In contrast, while desktop computers can appear less urgent—they can also be stolen. So best practice encourages encryption for all device.
On these devices, encourage the use of strong passwords. A good password is a long one (at least ten characters) which can’t easily be guessed. Pair with two factor authentication when possible, such as retina scanning, iris recogntition, or thumbprint recognition. A password without encryption isn’t sufficient protection; a thief can take the drive out of a computer and read it without difficulty on another machine.
2. Only use encrypted email. Email travels as unprotected text from the sender to the receiver. Someone with a router along the path can read the mail without difficulty. Rogue public Wi-Fi hotspots are hard to tell from the legitimate ones, and they can grab a copy of anything that goes through them. Sending PHI through regular email is a dangerous practice.
An alternative is to send communication through secure email, which ensure that the email is encrypted when transmitted and received securely by the recipient.
3. Keep PHI away from unauthorized staff. Only staff who have a reason to access confidential patient information should have the opportunity or access to PHI. The more people are able to get their hands on a device or record, the greater the chance of theft. Children’s Medical Center of Dallas had to pay $3.2 million for breaches that resulted partly from leaving an unencrypted laptop where the cleaning crew had access to it.
Any information which can’t be encrypted should be kept in a locked area where only essential personnel can access it. A hospital or large clinic should maintain an accurate access log or enable security access enhancements, such as badge access, to the area.
4. Restrict use of personal devices. Copying PHI onto a personal device puts it beyond the control of the organization, but not outside its legal responsibility. Employees shouldn’t be allowed to copy restricted information onto their personal devices, unless they’re encrypted and certified as suitable for work.
Personal devices not only tend to lack encryption, they’re likely to have security weaknesses from outdated system software and indiscriminately downloaded applications. Whether the healthcare organization has adpopted a “BYOD” (Bring Your Own Device) policy or distributes approved devices to staff or physicians, the organization should consider Mobile Device Management (MDM) to ensure that these devices can be wiped should they become lost or stolen.
5. Don’t leave paper PHI exposed. Paper records, carelessly handled, can get into the wrong hands. A radiology center in Florida experienced a serious breach when it sent a batch of old records on a county truck for disposal. The gate fell open, and papers with personal information scattered all over the streets. Staff members, including doctors, scrambled to recover the records and got nearly all of them, but they couldn’t guarantee that no one had seen them and copied information from them.
Paper is bulky compared with electronic records and anyone who gets close enough can read it. It’s a low-tech way to suffer a data breach, but no less dangerous. Consider using are reputable EHR software, such as athenahealth®, to not only consolidate revenue & billing management, but to also keep ePHI secure.
As an official athenahealth® partner, SecureNetMD can help you make this transition easy and seamless.Get in Touch
Healthcare organizations that follow these tips have gone a long way toward keeping a clean HIPAA compliance record. They avoid painful attention from OCR, and they earn their patients’ trust.