With the migration to the digital world, the risk of a data breach is greater than ever. In healthcare news this week, Skagit County, Washington agreed to pay the Department of Health and Human Services $215,000 to settle deficiencies in its HIPAA privacy and security compliance program following a PHI breach.
A PHI breach can happen in many ways, and some of the most damaging come down to simple errors. A Utah health department compromised 780,000 individuals' PHI records because the server holding them was protected by a weak password. In another case, Emory Healthcare had backup disks holding 315,000 individuals' PHI records go missing from an unlocked storage unit. So we must ask the question:
How can a facility take basic steps to become PROACTIVE rather than REACTIVE when it comes to breaches?
- Secure all physical locations: Entryways and windows to your facility must be controlled at all times, and that includes storage rooms and offsite storage units, since physical access is the first barrier in PHI protection.
- Protect all electronic devices: Computers, laptops, and mobile devices containing PHI should require a password to unlock and should be kept in secure locations when not in use. Two thirds of security breaches are caused by stolen or lost portable devices containing PHI. A login password alone does not protect the data on a lost device, because the drive can simply be read in another machine; encrypt the drive with full-disk encryption. Under HHS guidance, PHI encrypted consistent with NIST standards is not "unsecured PHI", so the loss of a properly encrypted device does not trigger breach notification.
- Use a strong password policy: As noted above, a health department compromised hundreds of thousands of PHI records through weak passwords protecting its systems. Passwords protecting PHI should be long and not guessable: never a default or vendor-supplied password, never a dictionary word with a few digits or symbols swapped in, and never one that appears in a list of previously breached passwords. Current NIST guidance (SP 800-63B) favors length and a blocklist of known-compromised passwords over mandatory symbol-and-number rules, and putting multi-factor authentication in front of PHI systems removes most of the risk from a single guessed password.
- Limit access to PHI: Specific records should be accessed only when necessary and only by authorized personnel (the HIPAA "minimum necessary" standard). Employees should also know what counts as PHI and release only the specific information that was requested.
- Double- and triple-check information: The patient's name, date of birth, Social Security number, the dates of service requested, and the sending and receiving locations should all be verified before the information is released.
- Internal and business associate auditing: Routine checks by the organization's compliance officer are a must to ensure that all employees are following policies correctly. Also make certain that all business associate agreements (BAAs) are current.
- Destroy PHI properly: PHI includes both paper and electronic records. Set protocols to ensure paper records are shredded or otherwise destroyed and electronic media are sanitized so the data cannot be recovered; simply deleting files or reformatting a drive leaves the data recoverable. HHS guidance points to NIST SP 800-88 for media sanitization methods.
- COMPLIANCE, COMPLIANCE, COMPLIANCE: Policies mean nothing if employees are not properly trained to follow them. Make sure you and your fellow employees understand the HIPAA requirements and are committed to following them to keep PHI safe at your facility.
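The weak-password point above is easy to state and easy to get wrong: a password like "P@ssw0rd2024!!" satisfies a "symbols plus letters plus digits" rule yet is one of the first guesses an attacker tries. The following Python check is an added example written for this article, not code from its author or from any HIPAA tool. It applies the three checks a practitioner would want: a minimum length, a blocklist of known-compromised passwords (a constructed handful here, standing in for a full breached-password corpus), and a normalization step that undoes common "leet" substitutions and trailing digits before the blocklist lookup. The 12-character minimum and the `username` parameter are assumptions for illustration.

```python
import re

# Constructed sample blocklist. A real deployment would load a full
# breached-password corpus (hundreds of millions of entries), not this handful.
COMPROMISED = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "changeme",
}

MIN_LENGTH = 12  # assumed policy minimum; longer passphrases are encouraged

# Common "leet" substitutions that composition rules reward but attackers try first.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "$": "s", "5": "s", "3": "e", "7": "t"})


def normalize(password):
    """Reduce a password to the dictionary word an attacker would derive it from:
    lowercase it, drop trailing digits/punctuation, then undo leet substitutions."""
    stripped = re.sub(r"[0-9\W_]+$", "", password.lower())
    return stripped.translate(LEET)


def password_problems(password, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Check both the raw value and its normalized form against the blocklist,
    # so "P@ssw0rd2024!!" is rejected the same way "password" is.
    if password.lower() in COMPROMISED or normalize(password) in COMPROMISED:
        problems.append("matches a known-compromised password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def is_acceptable(password, username=""):
    return not password_problems(password, username)


if __name__ == "__main__":
    # Constructed candidates: a leet-speak dictionary word, a username-based
    # password, a long passphrase, and a single repeated character.
    for candidate in ["P@ssw0rd2024!!", "jsmith-Summer1",
                      "correct horse battery staple", "aaaaaaaaaaaaaa"]:
        print(f"{candidate!r}: {password_problems(candidate, 'jsmith') or 'OK'}")
```

Note that the long passphrase passes while the symbol-laden "P@ssw0rd2024!!" fails, which is exactly the difference between a composition rule and an actual guessability check. Run the check at password creation and reset time, and pair it with multi-factor authentication rather than relying on the password alone.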
Fines, notification costs and remediation after a breach cost a facility far more than basic preventive measures. Implementing simple safeguards at your facility can make all the difference in protecting PHI.
Check out some of our Resources to help get you started.
- Allison Stejskal, Business Development Executive
Think you know everything about the rules + regulations of HIPAA? Help train your staff & promote compliance by testing your knowledge with our HIPAA flashcards.