It’s a bull market for black market health records. A single patient health record can earn cybercriminals 10 times the price of a stolen credit card number. The Office of Civil Rights is auditing small and large healthcare providers alike, imposing multi-million dollar fines in some cases. Meanwhile, the same electronic storage, mobile devices, and cloud-based applications that patients, doctors, and healthcare staff want to use often compromise a practice’s ability to keep that patient data safe.
In light of all this, it is obvious that HIPAA compliant technology practices are more important than ever. Using the ten tips outlined here, you can make sure you are using technology in a way that supports your HIPAA compliance goals and keeps your patients’ health records secure.
1. Analyze and manage risk. Before any other steps can be taken, perform a documented risk analysis to determine where ePHI is being used and stored. Use the findings of this analysis to identify the possible areas where HIPAA violations may occur. Then, work to implement measures to reduce any risks to an acceptable level.
2. Encrypt electronic protected health information (ePHI). Robust data encryption is the first line of defense against improper disclosure of ePHI. When ePHI is properly encrypted, it is protected even when physical controls are not properly followed and a piece of hardware is misplaced or stolen. Endpoint encryption is often regarded as one of the cheapest and easiest ways to reduce the risk of most ePHI data breaches. Click here to learn more about endpoint encryption.
3. Store ePHI on secure servers or in a secure cloud environment. In addition to being encrypted, servers on which ePHI is stored should be kept secure, both physically and virtually. Servers and data should not be accessible to staff without authorization, and servers should be protected with passwords or public key authentication. If your ePHI will be stored in a cloud computing environment, carefully evaluate the cloud provider’s approaches to management, security and accountability.
4. Avoid storing ePHI on disks or thumb drives. If a laptop can be misplaced or stolen, a thumb drive, disk, or external hard drive can be, too – and often far more easily. Misplaced thumb drives and storage disks are one of the most common causes of HIPAA violations. This problem can be completely eliminated simply by prohibiting the use of these devices. If you must use a thumb drive, make sure they it is encrypted, that there is a record of its chain of custody, and that it does not leave the facility.
5. Use clearance levels to limit access to ePHI. Individual access to workstations, transactions, and software should be limited by authorization and clearance levels. Employees should only be granted access to ePHI when it is critical to their ability to perform their job, and they must be properly trained on HIPAA compliance procedures in order to be approved for access.
6. Consistently update IT security measures. IT security can only be robust when it is regularly updated. Security updates are essential to identifying and fixing bugs and patching vulnerabilities that could lead to improper access of ePHI. Employee authentication credentials (passwords) should also be regularly updated and never shared.
7. Regularly train staff on improper disclosure of ePHI. Improper access, disclosure, or transmission of ePHI by employees is a major cause of HIPAA breaches – and more often than not, it’s accidental. Staff must be thoroughly educated about protecting health information, and participate in periodic trainings to remind them of its importance.
8. Use and review audit reports. Audit reports are logs that track activity on hardware and software. These allow security officers to easily find the cause or source of any breaches, improper access, or improper disclosure of ePHI. All staff should have a unique, authenticated name and/or number so that audit reports can correctly identify users.
9. Perform periodic evaluations. Periodically review your business practices and changes to the law to determine whether your HIPAA compliance procedures need to be updated. Regularly evaluate systems’ security measures to ensure they are current.
10. Have contingency plans. Make sure that all ePHI is backed up, that backups are accessible, and that procedures are in place to recover any lost data. Establish procedures that will enable critical business procedures to continue operating in the event of an emergency.
Technology on its own cannot make a healthcare practice HIPAA compliant. With forethought, regular employee education, and relevant policies, however, any practice can leverage the best that technology has to offer while securing patient data.