It’s inevitable: you need to view and share patient information to do your job. Whether you handle invoicing, billing, follow-up, or something else, patient security and satisfaction should be your top priority.
But what do you do to protect patient privacy as you go about your daily work? And do you even know when you’re handling electronic protected health information (ePHI)?
Keep reading to find out the answers to 4 questions that will help you keep ePHI safe.
1. Why does compliance (e.g., with HIPAA and HITECH) seem so difficult?
First, a quick timeline:
- President Clinton signed HIPAA into law 20 years ago.
- Compliance with the Privacy and Security Rules was required by 2005.
Yet HIPAA-covered entities and business associates keep making the news for violations. Often, they settle for fines over $1 million and in-depth corrective action plans (CAPs).
It’s understandable that companies continue to be caught off guard. After all, the regulation text alone is over 80 pages. Who has time to understand all those rules?
Plus, achieving compliance and maintaining compliance aren’t the same thing. Just because you achieved compliance 4 years ago doesn’t mean you’re compliant today. In fact, it’s practically guaranteed that you won’t still be compliant if you haven’t updated your documentation in 4 years.
HIPAA and its Administrative Simplification provisions—like the Security Rule, Privacy Rule, and Breach Notification Rule—are intentionally vague.
HIPAA won’t say that you need a reverse-proxy firewall or that you need to change your passwords every 60 days. Instead, it provides a framework to help you be intentional about protecting data.
HIPAA tells you what to do but not how to do it. You need to do whatever is reasonable and appropriate to protect ePHI.
Compliance can be overwhelming, especially at first. With good training, consistent security management, and help from intelligent software, compliance will become a manageable part of your job.
2. What do employees do to protect ePHI?
Employee training is a critical step in protecting ePHI. If your employees don’t know about your company’s policies—or worse, if they refuse to follow them—not even perfect encryption and policies will save your company from violations.
Cultivating an attitude of security from day 1 will make employees less likely to intentionally or accidentally put ePHI at risk.
Just as HIPAA compliance is an ongoing process, so is employee training. New employees aren’t alone in their need to understand compliance standards. Every time you update a compliance procedure, make sure employees know about it. Whether that’s through a training day, an emailed document, or a lunch meeting is up to you.
3. When was the last security risk analysis?
Even though HIPAA and its regulations don’t change, you’ll need to consistently perform risk analyses.
The laws might not change, but your situation will. From new employees to new servers to new software, any change within your company can add unexpected risks to ePHI.
While HIPAA doesn’t give a specific frequency for how often you should do a risk analysis, it gives 2 hints:
- “The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.”
- “A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation. . . . Performing the risk analysis and adjusting risk management processes to address risks in a timely manner will allow the covered entity to reduce the associated risks to reasonable and appropriate levels.”
We can boil that down to 2 shorter statements:
That second bullet point from HIPAA is what you should be striving toward. Aiming for a risk analysis and management process that’s integrated into your company will make compliance much less of a hassle. A strong compliance team of 3 to 5 people can make sure new technologies and business operations keep compliance in mind.
And don’t forget to include business associates in your risk analysis. Under the Privacy Rule, you need to have a contract with all business associates. To greatly simplify it, the contract says your business associates will keep safe all PHI they receive or create.
4. How does our software protect ePHI?
It’s reassuring to see a software company tout HIPAA compliance. But if you assume the software is compliant out of the box, you’re likely wrong.
Remember: HIPAA provides a framework, not a checklist. The chances that an out-of-the-box software solution will make your company compliant with the Security Rule are virtually zero.
Instead of looking for an out-of-the-box solution, find a customizable one to work within your risk management program. The size of your company will determine what compliance looks like for you. Your software systems should be scalable and adaptable to that end.
How you can check the security of your ePHI right now
- Try to log in from a personal device. Depending on what user permissions are in place, you may or may not be able to do this. Ensure that ePHI accessed on a personal device is protected. Whether that means that it can’t be accessed at all or that it needs a personalized password is up to you.
- Test data protection. Is your encryption up to industry standards? If you don’t know how to test this yourself, have a chat with someone in IT. HIPAA expects due diligence in making sure your encryption isn’t easy to break.
- Read your latest documentation. Then, look around. Are people following it? User adoption of best practices is key to successful ePHI security.
Keep learning! Check out our free guide: Secure your ePHI