Lost or stolen laptops, hackers, identity theft, malfunctioning computers. If your organization handles electronically protected health information (ePHI), these are just a few of the risk factors that could impact the security of your operations. In fact, the HIPAA Security Rule requires organizations that qualify as covered entities to establish security measures that reduce risks to a reasonable or appropriate level.
While this can mean different things to different organizations, there are 3 common – and effective – strategies healthcare leaders employ to safeguard patient privacy:
1. Conduct a security assessment
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, all healthcare providers, health plans or healthcare clearinghouses that meet the criteria of a “covered entity” are required to conduct a periodic risk analysis to examine all the ePHI their organization creates, receives, maintains or transmits. It’s important to conduct a risk assessment at least once a year, as changes in IT infrastructure, organizational hierarchies and staff turnover can all introduce new vulnerabilities. Going through this process will help your company take stock of where ePHI is being stored and how it is being shared between providers, payers and patients. Once the flow of information has been outlined, it will be easier to identify risks that would result in compromised confidentiality, inappropriate alteration or deletion of ePHI or the chance that ePHI might not be available when you need it. Not sure how to get started? The Department of Human & Health Services now offers a tool to assist in security risk assessment.
2. Encrypt your data and use secure platforms
Although not explicitly required by HIPAA, data and email encryption is an industry standard for protecting ePHI. By using enterprise-grade 256-bit SSL encryption on your live chat and other electronic communication platforms, your organization can mitigate unauthorized access to information, both when it is stored and when it is transmitted. And because encrypted ePHI cannot be read or used without a decryption key, per HIPAA’s Breach Notification Rule, encrypted ePHI that is stolen, lost, or unintentionally sent to the wrong recipient is not considered a “breach.” This removes the requirement to provide notifications to: (1) affected patients; (2) the Secretary of HHS (i.e., the federal government); and/or (3) prominent local/state media outlets. It also eliminates the resulting fines, investigations, lawsuits and/or negative media attention that could occur as a result of an actual data breach.
3. Cultivate a culture that respects patient privacy
Not all tactics to protect ePHI can be managed by software. A critical component of protecting patient privacy is creating a culture in which ePHI is respected and data security is seen as an organizational responsibility. For starters, establish a privacy policy to not accept patient information over unsecured web or email channels. Although this can’t totally prevent your patients from sending protected information to you, it does communicate to both employees and patients that this is not a desired form of ePHI transmission.
Beyond this, dedicate the time and resources needed to educate your employees on patient privacy laws and guidelines. This includes situational training and visual workplace cues, such as screensaver reminders, posters or hotlines. Uninformed employees are one of your biggest sources of risk, and, as such, require constant consideration.
