The ultimate goal of HIPAA is to keep protected health information – which you may be responsible for taking care of – both secure and confidential, but also maintain ease of access when the time presents itself. While it’s a large piece of legislation encompassing one of the biggest industries in the nation, a fairly straight-forward set of practices can be implemented to make sure that the staff you’re either employing, or working alongside in the range of enterprise that has privileged access to protected health information (PHI) are compliant. So, join us as we go through a brief list of things you can implement to maintain your compliance with HIPAA.
Just for clarity, we’re defining protected health information as: names, addresses, phone numbers, email addresses, social security numbers, medical record numbers, dates of birth, death, admission, discharge, as well as photos or data relating to that patient’s illness or medical condition.
We’ll start off with some basics; you’d be surprised the number of businesses that underestimate their importance. Using strong passwords and updating these passwords frequently is an absolute must. Sophisticated keyboard trackers have become commonplace in regard to hackers with nefarious intentions. These keyloggers can install themselves on your computer and smartphone through the opening of a link or attachment – otherwise known as phishing – and can snatch up all the data you type out. In particular, they’re looking for passwords, so try to stay one step ahead of the game with the updating of your passwords on a regular basis. Consider the benefits of having two-or-three-stage logins, which require in addition to a password, biometric proof of identity like voice-recognition, or fingerprint scanners to maintain the security of your system.
The best example of this we’ve seen in our interactions with clients are businesses that change passwords on a weekly basis; this better ensures the integrity of your log ins and password details, which is particularly important for log-in details that provide access to personal and private data like PHI. On that note, make sure your staff know to never share passwords with other staff, regardless of how long they’ve been with the business, or someone is asking for favours on their sick day. In terms of your tangible, physical PHI documents on paper, use shredder bins to dispose of documents, and never recycle documents that contain confidential information.
As part of the compliance with HIPAA, businesses must provide an up-to-date training program on the handling of personal health information. Regardless of their position, or their access to the database, employees are required to be trained by a member of your staff in the existing practices you’ve established to assure HIPAA compliance. These could include rules established by the business to never use a patient’s whole name out loud, within ear-shot of other employees, avoiding accessing a patient’s record unless absolutely required or written permission from the client has been obtained. Covering charts so a patient’s name is never visible, and avoiding leaving a client’s record on your desk unattended have both become common-place in many workplaces that deal with PHI.
In terms of the more nitty-gritty side of information management, backing-up all your servers to a HIPAA-compliant cloud server is an absolute must in the 21st century. Certain cloud storage services have been approved by HIPAA legislation, and often prove a more secure option of storage and backing-up of your disks; the US Department of Health and Human Services specifies that approved cloud storage sites are actually a safer means of storing PHI than using an in-house server, or maintaining paper documents. On a similar note, assign different security clearances to staff members purely reflective of their position, and their need to access certain information. Role-based security measures will ensure that someone that doesn’t require access to an entire database for their role isn’t able to access it in entirety; maintaining the integrity of those who access your system is a pivotal role in minimising the things that could go wrong, or could be exploited by those looking to intercept your PHI.
Make sure you’ve got up-to-date anti-virus software installed in your system, and also that you’re using a system that will automatically log a user off after a certain amount of time. In a similar vein, ensure that you’ve got a system purring in the background that takes note of precisely which user has logged in, what files they accessed, for how long, and what time they logged off.
Now, moving away from your workplace, make sure that the businesses and vendors or contractors you come in contact with are HIPAA-compliant themselves. All the hard work you’ve put in to getting your security systems up to date could ultimately be undermined if you work with a contractor that isn’t taking security seriously. It’s a HIPAA requirement that all the vendors and contractors you come in contact with are compliant, so don’t risk a large-sum fine through a lack of due diligence.
In summing up our list of tips, you’ll need to know exactly what constitutes a breach, as some of your staff may underestimate what does indeed constitute a damaging privacy breach. If we take HHS’ definition, a breach is the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the information. Those who violate the privacy laws and regulations stipulated in the HIPAA legislation and commit a breach can face discipline – up to and including termination – as well as possible criminal prosecution, and civil penalties up to $250,000. Common examples of breaches include the viewing of patient records without a prior ‘need to know’, disposing of PHI in a trash or recycling bin rather than a shredder, posting patient information to social media or blogs, and the sending of both faxes or discharge summaries with confidential information to the wrong recipient.
In many cases, the aforementioned tips and practices both we here at Best Practice and the HIPAA Act are encouraging you to take and implement in your workplace are both encouraged, and required with a system like ISO 27001: Information Security Management. ISO 27001 is an international standard that has been designed to maintain the integrity of your IT systems, and are worth their weight in gold if you’re dealing with data like protected health information. While implementing ISO 27001 might not be a requirement of HIPAA legislation, it will impress regulators of the level of attention you as an enterprise are paying to the integrity of your systems, and will significantly lower your chance of a breach, or trouble ensuing from malpractice of your staff. It’s a system that believes that no system is perfect, and encourages you to both take steps to strengthen up your security measures, as well as embed a more conscientious working ethos in your staff. Best of all, it’s a standard that doesn’t settle for anything less than your best, encouraging a cycle of continual improvement, so why not get in touch and find out how ISO 27001 can benefit the means by which you’re protecting data that could ultimately prove fatal if compromised.
When we’re talking about the realm of protected health information, it’s too costly to wait until it’s too late.