You may have heard of healthcare organizations struggling to comply with HIPAA. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that sets security and data privacy requirements for protecting medical records. According to the breach portal, or "Wall of Shame," on the Department of Health and Human Services (HHS) website, there were at least 359 healthcare data breaches reported in 2017, each involving over 500 patient health records. From these, HHS has already imposed fines totaling just under $20 million - and several of these 2017 reported breaches are still under investigation!
Here are 10 helpful tips on how your healthcare office can protect PHI (protected health information) from unauthorized disclosure.
- Conduct an annual HIPAA security risk analysis - Also known as a HIPAA Security Risk Assessment, this will allow you to know where PHI is located, and who has access to it. Make sure to go through mobile devices and wireless security among many other areas that could potentially store PHI. This will allow you to identify areas of weakness and provide a baseline for developing steps and procedures to protect PHI.
- Build a culture of privacy in your office - You may do this by holding privacy awareness trainings frequently and giving daily reminders. Your policies and procedures are only effective when your staff is familiar with them and actively uses them every day. Be sure to never discuss patient information in open areas or hallways.
- Protect paper files - Breaches may easily happen through paper files. Remind your employees to dispose of files correctly when needed, using a cross-cut or micro-cut shredder or a secure shredding service. Ensure that your vendors and their staff are aware of HIPAA security and privacy requirements and follow the appropriate policies and procedures to properly safeguard patient information.
- Alert your employees to be careful with their belongings - Most breaches are the result of stolen belongings, including laptops, cell phones, thumb drives, and other types of electronics. All such devices with storage should be encrypted, especially personal devices that are used for work purposes. Breaches can occur at home, in a vehicle, or in the office, anywhere these electronic devices may be stolen or simply misplaced.
- Be aware of your emails, texts, and social media posts - It is very easy to grab your phone and send or respond to an email or text, or to tweet out something that happened at work. Be mindful of what you're sharing, and remember: never share any of your patients' information with others unless you have the patient's explicit signed approval to do so. If you share any patient information on social media, be sure that you have a signed form from the patient in your possession authorizing you to share his or her information on social media.
- Implement physical safeguards - Install security alarms, locks, and privacy screens for monitors. This will make it harder for people to access your physical locations containing PHI, or even accidentally see data on the screens.
- Provide annual HIPAA training for all employees - This will ensure your employees are trained on what the HIPAA law is and what they must do, or avoid doing, to comply with it. HIPAA training is mandatory by law for all covered entities and business associates and their staff who come into contact with PHI. A useful resource is the free HIPAA Regulations and Checklist available below - a 3-page poster that you can print and put up on your office wall as a continuous reference.
- Display the Notice of Privacy Practices in your office - Display the HIPAA Notice of Privacy Practices prominently in your lobby, in a clear location where patients are able to see it. Post it in a prominent location on your website and provide copies to patients when requested.
- Encrypt your data and hardware - Although HIPAA doesn't require you to encrypt your data, it does not consider the loss of encrypted data a breach. Encryption will therefore help you avoid potential penalties and fines and, of course, the reputation risk of having your name appear on the infamous HHS Wall of Shame!
- Have a lawyer ready just in case of a breach - You should have policies and procedures to follow in the event of a data breach. If you experience a data breach, be sure to follow your breach-related procedures, contact your lawyer, and determine what breach notification procedures you may be required to follow. Breaches of 500 or more unencrypted patient records must be reported to HHS.
It's a headache when your own personal information gets stolen, but it becomes an even bigger headache when the same thing happens to your patients' protected health information. Protecting the PHI managed by your firm is not one person's job; it takes an entire organization! Ongoing training and long-term commitment will make a big difference when it comes to securing your patients' protected health information (PHI). So don't forget these useful tips, establish your organization's culture of privacy, and get protecting!