Those in the healthcare industry are accustomed to fulfilling a long list of compliance responsibilities and personal health information (PHI) safeguards under HIPAA. Yet even with built-in safeguards, the risks to the integrity of your systems grow every day. Review these 10 tips to stay proactive about strengthening your information security protections.
- Conduct regular risk assessments
Under the HIPAA Security Rule, healthcare providers, health plans, and their business associates are required to conduct and update risk assessments. This includes assessing third parties that perform functions requiring the use of PHI, such as claims processors, and incorporating cybersecurity assessments into the due diligence for any merger and acquisition activity. Not only do these periodic checkups ensure compliance with the law’s technical, administrative, and physical safeguards, but they can also reveal areas where PHI could be vulnerable.
- Have a formal incident response plan in place
Should a data breach occur, having a robust incident response plan already in place gives you a roadmap to respond quickly, investigate, and minimize damage. Immediate action steps include detecting the incident, documenting it, and gathering evidence so that handling can be prioritized and the incident reported to internal personnel and external organizations.
Establish a team to lead these communication and response efforts, share information, manage communication, and ensure that all emergency tasks are carried out. Communication to staff, to those impacted by the event, and to the media by authorized personnel needs to be managed efficiently and accurately to avoid misinformation and confusion. Such preparation and vigilance pay off: one study found that an incident response team can reduce the cost of a breach by as much as $14 per compromised record from the average per-capita cost of $148.[i]
- Transition from paper records to secure, encrypted computer databases
Electronic health records (EHRs) outperform paper medical records when it comes to providing better access to and use of PHI. However, EHRs also introduce new privacy and security risks, and the mix of risks depends on the type of EHR hosting you have: office-based (local host) or Internet-hosted (remote host). Check your EHR server often for viruses and malware.
- Encrypt data and hardware, such as servers, network endpoints, mobile, and medical devices
As devices become more sophisticated and provide greater access to electronic PHI, healthcare organizations require even greater control and management to protect patient information and comply with HIPAA. Ensure that all of your hardware is encrypted and backed up (perhaps with a third-party provider). And if you allow employees to use their personal computers or phones for work purposes, create a BYOD (bring your own device) policy to be sure that everyone is following security, compliance, and software update protocols.
- Educate employees about staying compliant
Commit to a HIPAA training program for all new staff when they are hired and on a regular basis for the entire team. Nearly four in 10 reported security breaches are caused by unauthorized access to or improper disclosure of PHI. In fact, these types of breaches are the most common HIPAA violation, according to HHS data.[ii] From sharing logins to abusing social media, human error is a major factor. Staff should be trained at least once every year and any time your facility changes its policies or procedures, systems, location, or infrastructure.
- Implement different access levels for employees’ access to personal health information (PHI) based on their job duties
Assess employees’ job functions and allow them to access only the minimum necessary health information for their duties. Create a flowchart of roles and supervision, with access levels clearly marked for each tier of responsibility. Ensure that the flowchart is updated regularly, and assign a staff member responsibility for keeping it current.
- Immediately stop access to PHI by terminated employees (or contractors) and escort them out if necessary
In situations of employee termination (especially involuntary discharges), be prepared in advance to do the following: block computer system access; change passcodes to protected information and secure logins; remove all enterprise-related software; review post-termination nondisclosure restrictions; collect keys, identification badges, and organization property; and use personal security to escort the individual from the building if necessary.
- Require a two-step verification process to ensure that mail and email recipients’ information is correct before sending invoices or appointment reminders
Two-step verification can help protect against inadvertently sending one person’s PHI to another. It uses two forms of identification to verify a recipient or account sign-in, typically a password and a contact method. Train staff not to send PHI via email unless the data is encrypted. Direct-messaging software and secure patient portals are two options that serve this purpose.
- Shred paper records when no longer needed
Shredding documents means using a method that ensures PHI is rendered unreadable and indecipherable and cannot otherwise be reconstructed. Many organizations contract this service out to third-party providers to ensure that it is done correctly and on schedule.
- Prevent break-ins by implementing physical safeguards such as security alarms, security guards, and locks on windows and doors
In addition to the HIPAA Security Rule’s technical and administrative safeguards, your healthcare organization is also responsible for physical security aimed at preventing unauthorized facility access, tampering, and theft of PHI. At a minimum, HHS recommends common controls such as locked doors; signs warning of restricted areas; workstation protocols; computer screens shielded from onlookers; secure rooms; surveillance cameras; alarm systems; identification badges; visitor badges; visitor escorts; and private security or patrols.[iii]
Preventing data breaches and maintaining IT security in a healthcare setting is a big challenge, but you don’t have to go it alone. Consult with your insurance provider for expert advice on mitigating risk, or visit our website for more information on Liberty Mutual’s healthcare offerings.
This website is general in nature and is provided as a courtesy to you. Information is accurate to the best of Liberty Mutual’s knowledge, but companies and individuals should not rely on it to prevent and mitigate all risks or as an explanation of coverage or benefits under an insurance policy. Consult your professional advisor regarding your particular facts and circumstances. By citing external authorities or linking to other websites, Liberty Mutual is not endorsing them.