Did you know a single patient health record can earn cybercriminals 10 times the price of a stolen credit card number on the black market?
The Office of Civil Rights is auditing small and large healthcare providers alike, imposing multi-million dollar fines in some cases. Meanwhile, the same electronic storage, mobile devices, and cloud-based applications that patients, doctors, and healthcare staff want to use often compromise a practice’s ability to keep that patient data safe.
In light of all this, it is obvious that HIPAA compliant technology practices are more important than ever. Using the 10 tips outlined here, you can make sure you are using technology in a way that supports your HIPAA compliance goals and keeps your patients’ health records secure.
- Analyze and manage risk. Before any other steps can be taken, perform a documented risk analysis to determine where patient information is being used and stored. Use the findings of this analysis to identify the possible areas where HIPAA violations may occur. Then, work to implement measures to reduce any risks to an acceptable level.
- Encrypt electronic protected health information (patient information). Robust data encryption is the first line of defense against improper disclosure of patient information. When patient information is properly encrypted, it is protected even when physical controls are not properly followed and a piece of hardware is misplaced or stolen. Encryption is often regarded as one of the cheapest and easiest ways to reduce the risk of most patient information data breaches. Click here to learn more about protecting your data.
- Store patient information on secure servers or in a secure cloud environment. In addition to being encrypted, servers on which patient information is stored should be kept secure, both physically and virtually. Servers and data should not be accessible to staff without authorization, and servers should be protected with passwords or public key authentication. If your patient information will be stored in a cloud computing environment, carefully evaluate the cloud provider’s approaches to management, security and accountability.
- Avoid storing patient information on disks or thumb drives. If a laptop can be misplaced or stolen, a thumb drive, disk, or external hard drive can be, too – and often far more easily. Misplaced thumb drives and storage disks are one of the most common causes of HIPAA violations. This problem can be completely eliminated simply by prohibiting the use of these devices. If you must use a thumb drive, make sure it is encrypted, that there is a record of its chain of custody, and that it does not leave the facility. Click here to learn more about protecting your data.
- Use clearance levels to limit access to patient information. Individual access to workstations, transactions, and software should be limited by authorization and clearance levels. Employees should only be granted access to patient information when it is critical to their ability to perform their job, and they must be properly trained on HIPAA compliance procedures in order to be approved for access.
- Consistently update IT security measures. IT security can only be robust when it is regularly updated. Security updates are essential to identifying and fixing bugs and patching vulnerabilities that could lead to improper access of patient information. Employee authentication credentials (passwords) should also be regularly updated and never shared. Click here to learn more about protecting your data.
- Regularly train staff on improper disclosure of patient information. Improper access, disclosure, or transmission of patient information by employees is a major cause of HIPAA breaches – and more often than not, it’s accidental. Staff must be thoroughly educated about protecting health information, and participate in periodic trainings to remind them of its importance.
- Use and review audit reports. Audit reports are logs that track activity on hardware and software. These allow security officers to easily find the cause or source of any breaches, improper access, or improper disclosure of patient information. All staff should have a unique, authenticated name and/or number so that audit reports can correctly identify users. Click here to learn more about protecting your data.
- Perform periodic evaluations. Periodically review your business practices and changes to the law to determine whether your HIPAA compliance procedures need to be updated. Regularly evaluate systems’ security measures to ensure they are current.
- Have contingency plans. Make sure that all patient information is backed up, that backups are accessible, and that procedures are in place to recover any lost data. Establish procedures that will enable critical business procedures to continue operating in the event of an emergency.
Technology on its own cannot make a healthcare practice HIPAA compliant. With forethought, regular employee education, and relevant policies, however, any practice can leverage the best that technology has to offer while securing patient data.