HIPAA security guidelines can be perplexing for most. However, there are simple and inexpensive tips you can use to secure your patients’ electronic Protected Health Information (ePHI).
The first thing to know is that HIPAA security is a process – it takes time to implement. Your healthcare organization won’t become “HIPAA compliant” overnight. There’s no one IT solution that ensures HIPAA compliance.
At the core of HIPAA compliance is a process called Risk Management. It sounds much more confusing than it truly is.
What is Risk Management?
This is an oversimplification of the Risk Management Process, but it illustrates how it should be repeated over and over.
Read on, and we’ll tell you what you can do to accomplish Step B. First, let’s look more closely at Step A.
The HIPAA Security Rule and Meaningful Use act require that you perform a HIPAA Risk Assessment. Below is a simple explanation of what a Risk Assessment involves.
How likely is it that a fire or flood will destroy your EHRs? The probability that these things will happen is low in most cases.
What impact would fire or flood have on your EHRs? Let’s look at this more closely.
You could purchase new furniture and hardware, then have your IT provider reinstall your EHRs from the secure cloud backup. Your IT staff could set up a new server. Once your EMR vendor reinstalls the EMR software and your ePHI, your practice is back up and running again.
The impact of Scenario 2 is much less severe than Scenario 1 where your ePHI is lost forever.
Although these five steps are an oversimplified description of a Risk Assessment, they should provide what you need to know about the process. It’s very important to identify significant risks to your ePHI and ways to lower them.
A majority of HIPAA-related breaches to ePHI occur when portable computer devices are lost or stolen. These include laptops, USB drives, CDs, DVDs, backup tapes, smartphones, tablets, etc. Portable computer devices provide access to thousands of patient records, so losing one can be critical.
Four of the tips below pertain to portable computing devices, and tip 5 discusses how developing good password habits can help.
Tip #1 – Encrypt All Portable Computer Devices.
The HIPAA Security Rule states that if patient data is lost or stolen but was encrypted, you won’t need to notify patients or report the breach.
What Is Encryption?
The official description of encryption is that it is the process of converting data into a code that prevents unauthorized access. According to the HIPAA Rules, if you lose ePHI that is encrypted, there are no penalties to face.
How Much Does Encryption Cost?
It costs less than $100 per year to encrypt a laptop. It won’t affect the performance of your laptop. You just need to enter your password when you first begin working.
Even if you don’t think you have patient information on a laptop, encrypt it anyway. You may never have intended to store EHR data on a portable computing device, but it could have been emailed to you.
ePHI can be located in documents, PDFs, spreadsheets or reports that were downloaded from an EMR. If you encrypt all of your laptops and portable computing devices, you won’t have to worry about HIPAA violations if they are lost or stolen.
Note: Don’t forget to encrypt smartphones, USB drives, portable hard drives and backup tapes as well – anything that might contain ePHI.
Tip #2 – Minimize The Use Of Portable Computer Devices.
If you want to reduce your risk exposure to a data breach, limit your reliance on portable computing devices. Educate your employees about the risks of using portable computing devices. Develop a policy to enforce this and have each employee sign that they’ve read it. Minimize the amount of patient data that’s sent via email.
Note: Ask your IT provider to implement a Mobile Device Management solution. If a smartphone, tablet or laptop is stolen, your IT provider can wipe the data from it remotely.
Tip #3 – Encrypt All Backup Tapes & External Hard Drives.
If you are still using tapes and external hard drives to back up your data, make sure you encrypt them. Backup devices store all of your data. If one is lost or stolen, you can face a HIPAA violation if data is breached.
Don’t assume that your IT provider uses encryption. Confirm that they do. Most backup software provides for data encryption, but you must enable it. Encryption isn’t automatic.
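Tips #1 and #3 both come down to the same check: before a laptop image, backup tape or external drive leaves the building, confirm that what is on it is actually encrypted rather than merely copied or compressed. The script below is an added example (not from the original post or from HitsTech) that applies two heuristics to a backup file: it looks for the magic bytes of common formats that store data in the clear, and it measures the Shannon entropy of a sample of the file, since ciphertext is indistinguishable from random bytes while a plain-text EMR export is not. The sample inputs are constructed inline; the "encrypted" sample is a deterministic high-entropy stand-in for ciphertext, not real encryption.

```python
"""Heuristic check: does this backup file look encrypted?

Added example, not code from the original post or HitsTech. Two signals:
  1. magic bytes of formats that store data unencrypted (or only compressed);
  2. Shannon entropy of a leading sample (ciphertext ~8.0 bits/byte,
     English/CSV text ~4-5 bits/byte).
High entropy alone is not proof of encryption (gzip output is also high
entropy), which is why the signature check runs first.
"""
import gzip
import hashlib
import math
import sys
from collections import Counter

# Leading bytes of formats that are NOT encrypted as a whole. Values are the
# public format specifications; the threshold and sample size are assumptions.
CLEARTEXT_SIGNATURES = {
    b"\x1f\x8b": "gzip stream (compressed, not encrypted)",
    b"PK\x03\x04": "zip archive (members may be unencrypted; inspect member flags)",
    b"SQLite format 3\x00": "SQLite database",
    b"%PDF": "PDF document",
    b"\xd0\xcf\x11\xe0": "legacy Office document",
}
TAR_MAGIC_OFFSET = 257          # position of "ustar" in a POSIX tar header
ENTROPY_THRESHOLD = 7.5         # bits/byte; below this, data is not ciphertext
SAMPLE_SIZE = 65536


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_backup(data: bytes) -> dict:
    """Return {'entropy', 'looks_encrypted', 'findings'} for a backup blob.

    Any finding means the file should be treated as unencrypted until the
    backup software's encryption setting has been verified.
    """
    head = data[:SAMPLE_SIZE]
    findings = []
    for magic, name in CLEARTEXT_SIGNATURES.items():
        if head.startswith(magic):
            findings.append(f"starts with {name} signature")
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar":
        findings.append("POSIX tar archive (not encrypted)")
    entropy = shannon_entropy(head)
    if entropy < ENTROPY_THRESHOLD:
        findings.append(f"entropy {entropy:.2f} bits/byte is below {ENTROPY_THRESHOLD}")
    return {"entropy": round(entropy, 2),
            "looks_encrypted": not findings,
            "findings": findings}


# --- Constructed sample inputs (not real patient data) -----------------------
# 1. A plain-text CSV export such as an EMR report that was downloaded to a laptop.
PLAINTEXT_BACKUP = (b"patient_id,name,dob,diagnosis\n"
                    b"1001,Jane Doe,1970-01-01,hypertension\n") * 200
# 2. The same export compressed with gzip: high entropy, but still not encrypted.
COMPRESSED_BACKUP = gzip.compress(PLAINTEXT_BACKUP)


def _pseudo_ciphertext(length: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain). This is a stand-in
    for what real ciphertext looks like to the checker; it is NOT encryption."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# 3. What a properly encrypted backup looks like from the outside.
ENCRYPTED_BACKUP = _pseudo_ciphertext(SAMPLE_SIZE)


if __name__ == "__main__":
    # With a path argument, assess a real file; otherwise show the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], assess_backup(fh.read()))
    else:
        for label, blob in [("plaintext csv", PLAINTEXT_BACKUP),
                            ("gzip of csv", COMPRESSED_BACKUP),
                            ("ciphertext stand-in", ENCRYPTED_BACKUP)]:
            print(f"{label:20s} {assess_backup(blob)}")
```

Run it with a path to a backup file to get a verdict; a result with any finding is a prompt to go back to the backup software and turn encryption on, not a reason to assume the file is fine. The check is deliberately conservative: a zip archive with encrypted members still starts with the zip signature, so it is flagged for manual inspection rather than passed.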
Tip #4 – Implement A Startup Password & Inactivity Timeout On All Business Smartphones.
Smartphones (iPhones, Androids, Windows Phones and BlackBerrys) may contain ePHI. Today, healthcare providers use smartphones to access EMRs, PACS and protected health information. They send this data in emails to other healthcare providers, physicians, allied health professionals, billing departments and others. Smartphones can easily be lost or stolen. This presents a risk to the sensitive patient information that they may contain.
How can you protect electronic health information when a smartphone is lost or stolen?
Requiring a startup password and an inactivity timeout will reduce the likelihood that patient information will be compromised if a smartphone is lost or stolen.
Tip #5 – Use Proper Password Controls.
The stronger the passwords you and your employees use, the less risk to your ePHI. There are inexpensive ways to implement proper password controls.
Encourage your staff to create complex passwords that have upper and lower case letters, numbers and symbols such as @ ! $ % &. Don’t use names, places or any commonly used words. The more complex the password, the harder it is for an intruder to guess.
Ensure that your employees understand the importance of protecting patient information by using complex passwords.
No more sticky notes with passwords on computer monitors, under desks or inside drawers. If your employees can’t remember their passwords, talk to your IT provider about using one of the many password managers.
Passwords, just like credit card and social security numbers, should never be shared.
Automatically lock accounts after five incorrect attempts. If an employee can’t enter their password correctly after five tries, lock the account and have them contact your IT administrator to unlock it. At that point, they can reset their password. This will protect your ePHI from unauthorized access.
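The two controls in Tip #5, a complexity rule for new passwords and a lockout after five failed attempts that only an administrator can clear, are easy to state and easy to get subtly wrong (counting failures per session instead of per account, or resetting the counter on a failed attempt). The block below is an added example, not code from the original post or HitsTech, that implements both against an in-memory directory. The five-attempt limit is the post's rule; the minimum length of 12, the symbol set, the small list of common words and place names, and the use of scrypt with a per-user salt for storage are assumptions chosen for the demo.

```python
"""Password complexity check plus five-strikes account lockout.

Added example, not the post's or HitsTech's code. Policy constants other
than MAX_FAILURES (the post's "five incorrect attempts") are assumptions.
Passwords are stored as scrypt hashes with a per-user random salt; the
directory itself is an in-memory stand-in for a real identity store.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MIN_LENGTH = 12                                   # assumption
MAX_FAILURES = 5                                  # from the post
SYMBOLS = set("@!$%&#*?-_+=")                     # assumption
# Constructed sample of names, places and common words to reject.
COMMON_WORDS = {"password", "welcome", "charlotte", "raleigh", "clinic", "doctor"}


def password_problems(pw: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    low = pw.lower()
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a name, place or common word")
    return problems


def _derive(pw: str, salt: bytes) -> bytes:
    """scrypt key derivation (parameters are assumptions suitable for a demo)."""
    return hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


@dataclass
class Account:
    salt: bytes
    key: bytes
    failures: int = 0
    locked: bool = False


class Directory:
    """Minimal account store enforcing the complexity and lockout rules."""

    def __init__(self):
        self.accounts = {}

    def create(self, user: str, pw: str) -> None:
        problems = password_problems(pw)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _derive(pw, salt))

    def login(self, user: str, pw: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Failures are counted per account
        and only a successful login resets the counter."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"            # do not reveal whether the user exists
        if acct.locked:
            return "locked"            # locked accounts are not even checked
        if hmac.compare_digest(acct.key, _derive(pw, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"

    def admin_unlock_and_reset(self, user: str, new_pw: str) -> bool:
        """IT administrator path: clears the lock and sets a new password that
        must itself satisfy the policy. Caller is responsible for verifying
        the employee's identity before invoking this."""
        acct = self.accounts[user]
        problems = password_problems(new_pw)
        if problems:
            raise ValueError("; ".join(problems))
        acct.salt = os.urandom(16)
        acct.key = _derive(new_pw, acct.salt)
        acct.failures = 0
        acct.locked = False
        return True


if __name__ == "__main__":
    d = Directory()
    d.create("jdoe", "Bl!ue-Horizon42k")          # constructed credential
    for attempt in range(MAX_FAILURES):
        print(f"attempt {attempt + 1}:", d.login("jdoe", "wrong guess"))
    print("correct password while locked:", d.login("jdoe", "Bl!ue-Horizon42k"))
    d.admin_unlock_and_reset("jdoe", "New-Passw0rd!Xz")
    print("after admin reset:", d.login("jdoe", "New-Passw0rd!Xz"))
```

Two design points worth noting: the lockout state is checked before the password is verified, so a locked account cannot be probed at all, and the fifth failure returns "locked" rather than "denied" so the employee knows to call the IT administrator instead of trying again.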
With these simple and cost-effective tips, you can easily protect ePHI and remain HIPAA compliant.
If you’re looking for a service provider with expertise in HIPAA Compliance and IT protection for healthcare organizations, contact HitsTech. We serve all of North Carolina with a full suite of professional managed IT services. Our specialists can help your healthcare organization remain compliant with industry regulations and protect your patients’ valuable healthcare information. Phone HitsTech at: (828) 695-9440 or email: firstname.lastname@example.org
HitsTech is focused on bringing the right information technology solutions to organizations throughout North Carolina.
We welcome you to read some of our latest blog posts and technology articles.