You’re asked to walk a tightrope, blindfolded, hands tied behind your back and with work boots on your feet. So far you’re pulling off this amazing act and can’t wait to reach safety while the officials weigh in. This is the story of healthcare and the players involved: the “covered” provider, the business associate, the employee and the subcontractor (yes, you too!), who all need to be HIPAA-compliant in how they handle ePHI.
Here’s the thing: it’s next to impossible to be 100 percent secure with electronic protected health information, or ePHI. You may already know why, but I’ll spell out four primary reasons anyway:
Too many hands are in the “pot” exchanging information (the billing company, the covered provider and the subcontractor chain).
The rules are not always precise. Some gray areas call for personal judgment, which makes them variable and subjective at best (for example, when a breach risk assessment asks a provider to show a “low probability” that the PHI in a misdirected email was compromised, which measures count as proof?).
Human error is built into our DNA; it’s a programmed default, which means someone is bound to misstep (you pressed “send” and forgot to encrypt the ePHI as planned. Yikes!).
Our high-tech world is still waiting for the breakthrough that protects you against hackers, miscreants and malicious cyber pirates.
Does that mean you should pack up and head out the door? Absolutely not! While the risks are high and safeguards are never truly perfect, there are standard precautions that head off the most common mistakes.
Number 1: NEVER Send Electronic Patient Health Information without Consent!
This rule on PHI disclosure is pretty clear. A covered OB-GYN, for example, who wants to use email to communicate with her patients should first warn them of the risks of email, obtain their written consent, and keep that consent on file. HHS guidance permits email with patients who have been told of the risk and still ask for it, but the consent is what lets you prove that the patient, not you, chose the channel.
Number 2: Never Relax over the Internet with Sensitive Information
Never compromise protected health information because you find it convenient to chat over the internet, even when a patient has authorized it. Consumer chat and instant-messaging tools are not built for ePHI: the Security Rule requires that ePHI in transit be protected, so even physician-to-physician discussions, which the Privacy Rule permits as treatment, belong on channels your organization has vetted and, where an outside vendor runs them, covered by a business associate agreement.
Number 3: PHI Should be Sent Encrypted and Stored Encrypted
Why take the risk, even with consent, that an email could end up in the wrong hands? Send ePHI by email only with encryption. Theft or loss of laptops and portable devices is one of the most common causes of HIPAA data breaches, and ePHI encrypted according to HHS guidance is treated as unreadable, so losing it is not a reportable breach. Always encrypt your ePHI! If you keep sensitive information on a computer or phone, turn on full-disk encryption (BitLocker, FileVault or LUKS, depending on the platform). Now is the time to invest!
Number 4: Training to Minimize Employee Error
The two biggest employee errors are: 1) sending ePHI to the wrong contact, after which it ends up in the public domain; and 2) backing up files unencrypted, so the backups are stolen or read by someone unauthorized. Incidents like these are huge flags to update your HIPAA training materials and then re-train your workforce. While you’re at it, make sure your business associates’ employees are re-training too!
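Rules 1, 3 and 4 above can be turned into a check that runs before a message leaves the practice, rather than relying on the sender to remember. The script below is an added example, not code from this article or its author: it assumes a hypothetical allow-list of domains covered by a business associate agreement, a few constructed identifier patterns for spotting ePHI, and two flags (whether the message will be encrypted, whether the patient’s email consent is on file) that a real mail system would supply. ePHI is blocked unless it is encrypted, and ePHI addressed outside BAA coverage is blocked unless consent is documented, which also catches a mistyped recipient domain.

```python
"""Pre-send gate for outbound email that may carry ePHI.

Added example: this is not code from the article. It encodes the article's
rules 1, 3 and 4 as a check that runs before a message leaves: ePHI must be
encrypted, and ePHI going to an address outside BAA coverage needs documented
consent. The allow-list, the identifier patterns and the sample messages are
all constructed for illustration and would need tuning in a real deployment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Hypothetical allow-list: the practice's own domain plus vendors that have
# signed a business associate agreement (BAA).
BAA_DOMAINS = {"clinic.example", "billing-partner.example"}

# Constructed patterns for identifiers that commonly mark a message as ePHI.
# Real DLP rules are broader (names plus diagnoses, claim numbers, etc.).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def find_phi(text: str) -> list[str]:
    """Names of the PHI patterns that match the text, in pattern order."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def external_recipients(recipients: list[str]) -> list[str]:
    """Addresses whose domain is not on the BAA allow-list.

    A mistyped domain (clnic.example) is simply 'not covered', which is how a
    wrong-recipient slip gets caught before the message leaves.
    """
    outside = []
    for raw in recipients:
        _, addr = parseaddr(raw)
        domain = addr.rpartition("@")[2].lower()
        if domain not in BAA_DOMAINS:
            outside.append(addr)
    return outside


def check_outbound(recipients: list[str], body: str,
                   encrypted: bool, consented: bool) -> Verdict:
    """Allow or block a message under the article's rules.

    encrypted: the message will be sent with end-to-end encryption.
    consented: the patient's written consent to email is on file.
    """
    hits = find_phi(body)
    if not hits:
        return Verdict(True)  # no ePHI detected, nothing to enforce
    reasons = []
    if not encrypted:  # rule 3: ePHI is sent encrypted or not at all
        reasons.append("ePHI (%s) would leave unencrypted" % ", ".join(hits))
    outside = external_recipients(recipients)
    if outside and not consented:  # rules 1 and 4: consent, and the right recipient
        reasons.append("recipient(s) outside BAA coverage without consent on file: "
                       + ", ".join(outside))
    return Verdict(not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample messages: (recipients, body, encrypted, consented).
    samples = [
        (["nurse@clinic.example"], "Labs attached for MRN 12345678", True, False),
        (["patient@mail.example"], "Your MRN: 12345678 results are in", False, False),
        (["drsmith@clnic.example"], "Consult on MRN 12345678", True, False),  # typo'd domain
        (["patient@mail.example"], "DOB: 04/12/1980 confirmed", True, True),
        (["anyone@public.example"], "Lunch at noon?", False, False),
    ]
    for to, body, enc, ok in samples:
        v = check_outbound(to, body, enc, ok)
        print("ALLOW" if v.allowed else "BLOCK", to, "|", "; ".join(v.reasons) or "-")
```

The check errs toward blocking: a message with no recognisable identifiers passes untouched, but anything that looks like ePHI must be both encrypted and addressed to a covered or consenting party. The pattern list is deliberately small; in practice it grows with every incident your training review turns up.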
Number 5: Enforce HIPAA Compliance with Business Associates
According to HHS.gov, the most common cause of data breaches involves business associates. That makes vendor selection a crucial step towards full compliance. Put a business associate agreement (BAA) in place, which HIPAA requires, that addresses the applicable requirements, including how PHI is to be handled and a timeline for breach notification.
Number 6: Conduct a Security Risk Assessment
HHS’s Office for Civil Rights (OCR) has posted guidance on how to comply with the HIPAA Security Rule; it’s your duty to know it. Conduct a security risk assessment, which the Security Rule requires, and implement the policies that come out of it. For example, line up the services essential to keeping you compliant: a HIPAA hosting provider (with a BAA), offsite encrypted backup, a firewall and VPN, and secure wiping of devices before they are reused or disposed of.
Written By Karen SC Ashley
Karen SC Ashley is a full-time freelance writer who specializes in health, HR and travel articles. As an experienced nurse, administrative professional and traveler, she actively seeks opportunities to publish compelling articles in these genres.