The HIPPA Privacy Rule addresses Protected Health Information (PHI), and the HIPAA Security Rule directly addresses Electronic Protected Health Information (ePHI). In both cases, a HIPAA breach can be a serious occurrence for all parties involved. So what are some best practices for avoiding such occurrences?
HIPAA breach of protected health information – a disturbing new report
A new report entitled “The Financial Impact of Breached Protected Health Information” has emerged, and naturally, it is disturbing. The report reminds us of the scale and scope of HIPAA breaches of PHI that have occurred over the past few years, and reinforces the theorem that the general public is very skeptical of the ability of providers, health plans and other organizations that use or process ePHI to maintain it securely.
The litany of causes of these HIPAA breaches is depressingly familiar:
- Lost or stolen patient records – many times lost or stolen as part of the loss or theft of a piece of hardware or storage media containing the records.
- Malicious and non-malicious breachers – inside and outside the organization, who seek patient records for identity theft or who simply don’t follow protocols and leave information vulnerable.
- Use of mobile devices that do not have adequate security protections but are becoming widely used to capture PHI.
Thankfully, up to now, reported direct effects on the health of patients as a result of HIPAA breach of PHI have been few, but it may not take many before the population gets out its torches and pitchforks and demands even more draconian remedies and punishment for those that are careless or who have evil intent.
Best practices for keeping a HIPAA breach of PHI or ePHI out of your future
So what does the average medical practice with some computers in the office do to protect the PHI of its patients and its own viability? And how would it fare in a HIPAA audit?
Here are 6 simple steps a medical practice can take to safeguard its ePHI and avoid a HIPAA breach:
- Have solid procedures for granting access to the office computers or network. Control who can give access and to what levels, and document what is set up for each user.
- Establish procedures for use of logins and passwords. At one of our clients, we recently observed that all employees were using the same login and password for access to the EHR system. So much for accountability among users!
- Enforce workstation security, with automatic logoffs and screen savers for periods of inactivity. And don’t forget the physical security of workstations. Simple tethering devices can defeat a hardware thief, or at least make him or her look for easier pickings somewhere else. And laptops left in place as part of a workstation can also be locked down to deter the casual thief.
- Back up your data nightly. Traditional tape backups are giving way to cloud backup services that can be set to operate automatically during off-hours. But if you still use media for backup, take the backup media off-site. Don’t leave it next to the server or computer that is being backed up!
- Make sure you don’t leave records with PHI unprotected on workstation computers. Electronic medical records may be well protected when the information stays within the EHR application and database. But what about when you create a report containing PHI, dump it into a spreadsheet, and save it on your desktop? If your desktop computer is stolen despite your reasonable physical lock-down device, you may have a reportable HIPAA breach on your hands.
- If you must keep reports with PHI on your computer, and especially if you copy files onto movable media such as CDs or flash drives, encrypt the file. There are several free encryption programs that encrypt using 256-bit encryption levels. Even if the media or your computer is stolen, if the files with PHI are encrypted, you do not have a HIPAA breach on your hands.
So kudos to the many healthcare organizations and individuals who contributed to the latest report on the financial impact of HIPAA breaches of PHI. Their report also contains a method of calculating the potential dollar cost of a breach, just in case the “soft cost” idea of damage to your reputation is not enough to convince you to take steps to avoid a HIPAA breach.
All providers maintaining ePHI and/or those planning to claim EHR Meaningful Use incentive payments are required to perform a HIPAA Risk Assessment periodically. Such an assessment is a good way to make sure you are using “best practices” related to HIPAA Security and Privacy Rules.
Privacy of information is of paramount importance to all of us. So do your part to keep it safe!