4 questions to ask when you secure electronic protected health information (ePHI)

It’s inevitable: you need to view and share patient information to do your job. Whether you handle invoicing, billing, follow-up, or something else, patient security and satisfaction should be your top priority.

But what do you do to protect patient privacy as you go about your daily work? And do you even know when you’re handling electronic protected health information (ePHI)?

Keep reading to find out the answers to 4 questions that will help you keep ePHI safe.


1.   Why does compliance (e.g., with HIPAA and HITECH) seem so difficult?

First, a quick timeline:

  • President Clinton signed HIPAA into law 20 years ago.
  • Compliance with the Privacy and Security Rules was required by 2005.

Yet HIPAA-covered entities and business associates keep making the news for violations. Often, they settle for fines over $1 million and in-depth corrective action plans (CAPs).

It’s understandable that companies continue to be caught off guard. After all, the regulation text alone is over 80 pages. Who has time to understand all those rules?

Plus, achieving compliance and maintaining compliance aren’t the same thing. Just because you achieved compliance 4 years ago doesn’t mean you’re compliant today. In fact, it’s practically guaranteed that you won’t still be compliant if you haven’t updated your documentation in 4 years.

HIPAA and its Administrative Simplification provisions—like the Security Rule, Privacy Rule, and Breach Notification Rule—are intentionally vague.

HIPAA won’t say that you need a reverse-proxy firewall or that you need to change your passwords every 60 days. Instead, it provides a framework to help you be intentional about protecting data.

HIPAA tells you what to do but not how to do it. You need to do whatever is reasonable and appropriate to protect ePHI.

Compliance can be overwhelming, especially at first. With good training, consistent security management, and help from intelligent software, compliance will become a manageable part of your job.

Reasons compliance is difficult:

  • The regulation text is dense and long (over 80 pages).
  • Compliance changes. What was compliant 4 years ago isn’t compliant today.


2.   What do employees do to protect ePHI?

Employee training is a critical step in protecting ePHI. If your employees don’t know about your company’s policies—or worse, if they refuse to follow them—not even perfect encryption and policies will save your company from violations.

Cultivating an attitude of security from day 1 will make employees less likely to intentionally or accidentally put ePHI at risk.

To keep employees engaged during training, try methods that have been proven to help retention, such as short videos, 1-on-1 demonstrations, or interactive tutorials.

Just as HIPAA compliance is an ongoing process, so is employee training. New employees aren’t alone in their need to understand compliance standards. Every time you update a compliance procedure, make sure employees know about it. Whether that’s through a training day, an emailed document, or a lunch meeting is up to you.

Here are just a few basic things employees handling ePHI should know:

  • How to report a breach
  • Who to contact if their laptop is lost or stolen
  • What to do with printed PHI that isn’t needed


3.   When was the last security risk analysis?

Even though HIPAA and its regulations don’t change, you’ll need to consistently perform risk analyses.

The laws might not change, but your situation will. From new employees to new servers to new software, any change within your company can add unexpected risks to ePHI.

While HIPAA doesn’t give a specific frequency for how often you should do a risk analysis, it gives 2 hints:

  1. “The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.”
  2. “A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation. . . . Performing the risk analysis and adjusting risk management processes to address risks in a timely manner will allow the covered entity to reduce the associated risks to reasonable and appropriate levels.”

We can boil that down to 2 shorter statements:

  1. You shouldn’t have to do a risk analysis more than once per year
  2. You don’t have new technologies and business operations implemented more than once per year

That second quoted statement from the HIPAA guidance is what you should be striving toward. Aiming for a risk analysis and management process that’s integrated into your company will make compliance much less of a hassle. A strong compliance team of 3 to 5 people can make sure new technologies and business operations keep compliance in mind.

And don’t forget to include business associates in your risk analysis. Under the Privacy Rule, you need to have a contract with all business associates. Greatly simplified, the contract says your business associates will keep safe all PHI they receive or create.


4.   How does our software protect ePHI?

It’s reassuring to see a software company tout HIPAA compliance. But if you assume the software is compliant out of the box, you’re likely wrong.

Remember: HIPAA provides a framework, not a checklist. The chances that an out-of-the-box software solution will make your company compliant with the Security Rule are virtually zero.

Here are just some of the many different kinds of software that may interact with ePHI:

  • Electronic health records (EHRs) software
  • Customer relationship management software
  • Security management software
  • Enterprise report management software

Instead of looking for an out-of-the-box solution, find a customizable one to work within your risk management program. The size of your company will determine what compliance looks like for you. Your software systems should be scalable and adaptable to that end.


How you can check the security of your ePHI right now

  1. Try to log in from a personal device. Depending on what user permissions are in place, you may or may not be able to do this. Ensure that ePHI accessed on a personal device is protected. Whether that means that it can’t be accessed at all or that it needs a personalized password is up to you.
  2. Test data protection. Is your encryption up to industry standards? If you don’t know how to test this yourself, go have a chat with someone in IT. HIPAA expects due diligence in making sure your encryption isn’t easy to break.
  3. Read your latest documentation. Then, look around. Are people following it? User adoption of best practices is key to successful ePHI security.

