HIPAA security guidelines can be perplexing for most. However, there are simple and inexpensive tips you can use to secure your patients’ electronic Protected Health Information (ePHI).

The first thing to know is that HIPAA security is a process – it takes time to implement. Your healthcare organization won’t become “HIPAA compliant” overnight. There’s no one IT solution that ensures HIPAA compliance.

At the core of HIPAA compliance is a process called Risk Management. It sounds much more confusing than it truly is.

Risk Management

  • Step A – Identify current safeguards and weaknesses
  • Step B – Implement additional security safeguards
  • Step C – Go back to Step A

What is Risk Management?

  • Step A – Determine how you are currently protecting ePHI and identify the weaknesses in your protection.
  • Step B – Implement additional security safeguards to improve the protection of your patient information.
  • Step C – Return to Step A.

This is an oversimplification of the Risk Management Process, but it illustrates how it should be repeated over and over.

Read on, and we’ll tell you what you can do to accomplish Step B. First, let’s look more closely at Step A.

How Are You Protecting ePHI And Identifying Weaknesses?

The HIPAA Security Rule and Meaningful Use act require that you perform a HIPAA Risk Assessment. Below is a simple explanation of what a Risk Assessment involves.

  • Step 1 – Identify where electronic patient information (ePHI) is stored such as in EHRs (Electronic Health Records), PACS (Picture Archiving and Communications Systems), documents, reports, and email, among others.
  • Step 2 – Identify the threats to your patient information (lost laptops, fires, floods, computer viruses, email scams, disgruntled employees, etc.).
  • Step 3 – Assess how you are currently protecting ePHI. Some examples include backing up your EMRs every night, using secure email and encryption to send patient information, and implementing antivirus protection.
  • Step 4 – Determine your risk for the threats in Step 2. Risk is identified by how likely these things are to occur.
  • Step 5 – Determine additional ways to lower the risks. Using the previous example, if you determined the risk of a fire would be high because of the age of your building, then implementing a nightly data backup would be a way to mitigate this risk.

How Do You Identify Risks?

How likely is it that a fire or flood will destroy your EHRs? The probability that these things will happen is low in most cases.

What impact would fire or flood have on your EHRs? Let’s look at this more closely.

  • Scenario 1: If a flood destroyed your EHRs and you didn’t have recent backups, some patient information would be lost. Recovery would be hard or even impossible. If you were to lose years of ePHI data, you might even have to close your practice. This could impact the health of your patients as well.
  • Scenario 2: In this scenario, your EHR data was backed up on a nightly basis and stored offsite in a secure cloud location. Therefore, the flood would not have the same impact. Yes, you would lose some furnishings and computer equipment but your data would be retrievable from wherever you had an internet connection.

You could purchase new furniture and hardware, then have your IT provider reinstall your EHRs from the secure cloud backup. Your IT staff could set up a new server. Once your EMR vendor reinstalls the EMR software and your ePHI, your practice is back up and running again.

The impact of Scenario 2 is much less severe than Scenario 1 where your ePHI is lost forever.

Although these five steps are an oversimplified description of a Risk Assessment, they should provide what you need to know about the process. It’s very important to identify significant risks to your ePHI and ways to lower them.
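To make Steps 4 and 5 and the two flood scenarios concrete, here is a small likelihood-times-impact risk register. It is an added example written for this article, not a HitsTech tool or an official HIPAA method; the three-level scale, the number of levels each safeguard removes, and the sample threats are constructed assumptions that you would replace with your own assessment.

```python
"""Likelihood x impact risk register (added example; not the page's own method or tool)."""
from dataclasses import dataclass, field

# Three-level scale; the article only says "low" or "high", so the numbers are an assumption.
LEVEL = {"low": 1, "medium": 2, "high": 3}
LEVEL_NAME = {v: k for k, v in LEVEL.items()}


@dataclass
class Safeguard:
    name: str
    reduces: str            # "likelihood" or "impact"
    levels: int = 1         # how many levels the safeguard removes (assumption)
    in_place: bool = True   # Step 3: is it actually implemented today?


@dataclass
class Threat:
    name: str
    asset: str              # Step 1: where the ePHI lives
    likelihood: str         # Step 4: how likely the threat is
    impact: str             # what happens with no safeguards at all
    safeguards: list = field(default_factory=list)


def inherent_risk(t: Threat) -> int:
    """Risk with no safeguards at all: likelihood x impact."""
    return LEVEL[t.likelihood] * LEVEL[t.impact]


def residual_levels(t: Threat):
    """Apply every safeguard that is in place; a level never drops below 'low'."""
    lk, im = LEVEL[t.likelihood], LEVEL[t.impact]
    for s in t.safeguards:
        if not s.in_place:
            continue
        if s.reduces == "likelihood":
            lk = max(1, lk - s.levels)
        elif s.reduces == "impact":
            im = max(1, im - s.levels)
        else:
            raise ValueError(f"unknown reduction target {s.reduces!r}")
    return lk, im


def residual_risk(t: Threat) -> int:
    """Risk that remains after the safeguards currently in place."""
    lk, im = residual_levels(t)
    return lk * im


def prioritize(threats):
    """Input to Step 5: threats ordered by residual risk, highest first."""
    return sorted(threats, key=residual_risk, reverse=True)


def sample_register() -> list:
    """Constructed register built from the threats and safeguards the article names."""
    backup = Safeguard("nightly offsite backup", reduces="impact", levels=2)
    return [
        Threat("flood", "EHR server", "low", "high", [backup]),
        Threat("fire", "EHR server", "low", "high", [backup]),
        Threat("lost or stolen laptop", "laptop with downloaded reports", "high", "high",
               [Safeguard("full-disk encryption", reduces="impact", levels=2)]),
        Threat("email scam", "staff mailboxes", "medium", "medium",
               [Safeguard("staff awareness training", reduces="likelihood", levels=1)]),
    ]


def scenario_comparison():
    """Scenario 1 (no recent backup) versus Scenario 2 (nightly offsite backup) for the flood."""
    flood = sample_register()[0]
    flood.safeguards[0].in_place = False
    without_backup = residual_risk(flood)
    flood.safeguards[0].in_place = True
    with_backup = residual_risk(flood)
    return without_backup, with_backup


if __name__ == "__main__":
    print("flood risk without / with backup:", scenario_comparison())
    for t in prioritize(sample_register()):
        lk, im = residual_levels(t)
        print(f"{t.name:24} inherent={inherent_risk(t)} residual={residual_risk(t)} "
              f"({LEVEL_NAME[lk]} likelihood, {LEVEL_NAME[im]} impact)")
```

Note how the ordering matches the article's point: the flood is unlikely, so even with a high impact its inherent score is modest, while the lost laptop (likely and severe) sits at the top until encryption brings its impact down.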

What Are The Simple & Cost-Effective Tips To Secure Patient Information?

A majority of HIPAA-related breaches to ePHI occur when portable computer devices are lost or stolen. These include laptops, USB drives, CDs, DVDs, backup tapes, smartphones, tablets, etc. Portable computer devices provide access to thousands of patient records, so losing one can be critical.

Four of the tips below pertain to portable computing devices, and tip 5 discusses how developing good password habits can help.

Tip #1 – Encrypt All Portable Computer Devices.

The HIPAA Security Rule states that if encrypted patient data is lost or stolen, you won’t need to notify patients or report the breach.

What Is Encryption?

The official description of encryption is that it is the process of converting data into code that prevents unauthorized access. And according to the HIPAA Rules, if you lose ePHI and it’s encrypted, there are no penalties to face.

How Much Does Encryption Cost?

It costs less than $100 per year to encrypt a laptop. It won’t affect the performance of your laptop. You just need to enter your password when you first begin working.

Even if you don’t think you have patient information on a laptop, encrypt it anyway. Although you didn’t intend to store EHR data on a portable computing device, it could have been emailed to you.

ePHI can be located in documents, PDFs, spreadsheets or reports that were downloaded from an EMR. If you encrypt all of your laptops and portable computing devices, you won’t have to worry about HIPAA violations if they are lost or stolen.

Note: Don’t forget to encrypt smartphones, USB drives, portable hard drives and backup tapes as well – anything that might contain ePHI.

Tip #2 – Minimize The Use Of Portable Computer Devices.

If you want to reduce your risk exposure to a data breach, limit your reliance on portable computing devices. Educate your employees about the risks of using portable computing devices. Develop a policy to enforce this and have each employee sign that they’ve read it. Minimize the amount of patient data that’s sent via email.

Note: Ask your IT provider to implement a Mobile Device Management solution. If a smartphone, tablet or laptop is stolen, your IT provider can wipe the data from it remotely.

Tip #3 – Encrypt All Backup Tapes & External Hard Drives.

If you are still using tapes and external hard drives to back up your data, make sure you encrypt them. Backup devices store all of your data. If one is lost or stolen, you can face a HIPAA violation if data is breached.

Don’t assume that your IT provider uses encryption. Make sure they do. Most backup software provides for data encryption, but you must enable it. Encryption isn’t automatic.

Tip #4 – Implement A Startup Password & Inactivity Timeout On All Business Smartphones.

Smartphones (iPhones, Android phones, Windows Phones and BlackBerry devices) may contain ePHI. Today, healthcare providers use smartphones to access EMRs, PACS and protected health information. They send this data in emails to other healthcare providers, physicians, allied health professionals, billing departments, etc. Smartphones can easily be lost or stolen. This presents a risk to the sensitive patient information that they may contain.

How can you protect electronic health information when a smartphone is lost or stolen?

  • Use a start-up password and inactivity timeout.
  • Encrypt the data on your smartphone.

This will reduce the likelihood that patient information will be compromised if a smartphone is lost or stolen.

Tip #5 – Use Proper Password Controls.

The stronger the passwords you and your employees use, the less risk to your ePHI. There are inexpensive ways to implement proper password controls.

  • Use Complex Passwords.

Encourage your staff to create complex passwords that have upper and lower case letters, numbers and symbols such as @ ! $ % &. Don’t use names, places or any commonly used words. The more complex the password, the harder it is for an intruder to guess.

Ensure that your employees understand the importance of protecting patient information by using complex passwords.

  • Don’t Write Down Passwords.

No more sticky notes with passwords on computer monitors, under desks or inside drawers. If your employees can’t remember their passwords, talk to your IT provider about using one of the many password managers.

  • Never Share Passwords.

Passwords, just like credit card and social security numbers, should never be shared.

  • Lock Accounts After 5 Failed Password Attempts

Automatically lock accounts after five incorrect attempts. If an employee can’t enter their password correctly after five tries, lock the account and have them contact your IT administrator to open it. At that point, they can reset their password. This will protect your ePHI from unauthorized access.
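The two password controls above (complexity rules and a five-attempt lockout) are easy to express in code, which makes the edge cases clear: a successful login resets the counter, a locked account rejects even the correct password until an administrator intervenes, and the unlock only succeeds when the replacement password meets the policy. The following is an added example written for this article, not HitsTech's tooling or any EMR vendor's implementation; the twelve-character minimum and the short blocked-word list are assumptions (the article does not specify a length or a dictionary), and the caller is assumed to have already verified the credential.

```python
"""Password policy check and failed-attempt lockout (added example, not the page's own code)."""
import string

# Constructed list of words a policy might reject; a real deployment would use a much
# larger dictionary of common passwords, names and places.
BLOCKED_WORDS = {"password", "welcome", "summer", "clinic", "carolina"}
MAX_FAILED_ATTEMPTS = 5   # from Tip #5
MIN_LENGTH = 12           # assumption: the article does not specify a length


def password_problems(password: str) -> list:
    """Return the policy violations found; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol such as @ ! $ % &")
    lowered = password.lower()
    for word in BLOCKED_WORDS:
        if word in lowered:
            problems.append(f"contains the common word '{word}'")
    return problems


class LockoutPolicy:
    """Track consecutive failed logins per user and lock the account at the limit."""

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS):
        self.max_failed = max_failed
        self.failed = {}      # user -> consecutive failed attempts
        self.locked = set()   # users waiting for an IT administrator to unlock them

    def login(self, user: str, credential_ok: bool) -> str:
        """Record one attempt (credential already checked by the caller).

        Returns 'ok', 'failed' or 'locked'.
        """
        if user in self.locked:
            # A locked account stays locked even if the password is now right;
            # only admin_unlock() clears it, so guessing cannot continue.
            return "locked"
        if credential_ok:
            self.failed[user] = 0   # a successful login resets the counter
            return "ok"
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= self.max_failed:
            self.locked.add(user)
            return "locked"
        return "failed"

    def admin_unlock(self, user: str, new_password: str) -> list:
        """Unlock only if the replacement password meets the policy; return any problems."""
        problems = password_problems(new_password)
        if problems:
            return problems
        self.locked.discard(user)
        self.failed[user] = 0
        return []

    def is_locked(self, user: str) -> bool:
        return user in self.locked


if __name__ == "__main__":
    policy = LockoutPolicy()
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(policy.login("nurse1", False))
    print("correct password while locked:", policy.login("nurse1", True))
    print("unlock with weak password:", policy.admin_unlock("nurse1", "Summer2024!"))
    print("unlock with strong password:", policy.admin_unlock("nurse1", "Tr!ck-Fl0wer-Bagel9"))
    print("login after unlock:", policy.login("nurse1", True))
```

The separation between `login` and `admin_unlock` mirrors the process in the text: the account does not reopen by itself, and the reset happens only through the administrator and only with a password that passes the same complexity rules the staff were trained on.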

In Summary

With these simple and cost-effective tips, you can easily protect ePHI and remain HIPAA compliant.

If you’re looking for a service provider with expertise in HIPAA Compliance and IT protection for healthcare organizations, contact Hitstech. We serve all of North Carolina with a full suite of professional managed IT services. Our specialists can help your healthcare organization remain compliant with industry regulations and protect your patients’ valuable healthcare information. Phone HitsTech at: (828) 695-9440 or email: sales@hitstech.net

Need More Information?

HitsTech is focused on bringing the right information technology solutions to organizations throughout North Carolina.
We welcome you to read some of our latest blog posts and technology articles.