First off, let’s make sure we’re on the same page with what is PHI. PHI stands for Protected Health Information and ePHI is the electronic form of that information. HIPAA defines Protected Health Information as:
- Data created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.
- Relating to the past, present, or future physical or mental health or condition of any individual, or the past, present, or future payment for the provision of health care to an individual.
Who must protect PHI & ePHI? Any business that creates, stores, edits, or transfers Protected Health Information (PHI) must comply with HIPAA regulations. HIPAA breaks businesses into two categories:
- Covered Entities (CEs) includes health plans, clearinghouses, and providers (doctors, clinics, psychologists, dentists, chiropractors, nursing and hospice homes, and pharmacies).
- Business Associates (BAs) includes any company that comes into contact with PHI or ePHI, so the list is expansive. A Business Associate may be an IT firm (like My IT), shredding company, document storage company, attorney, accountant, collection agency, an EMR (Electronic Medical Record) company, data center, transcriptionist, and many more.
Why protect PHI? Besides being the right thing to do, HIPAA requires businesses to protect it by law. In fact, the minimum penalty for NOT protecting PHI is $50,000 and, potentially worse, for all breaches over 500 individuals, you must notify the local media. Also, the Office of Civil Rights who polices HIPAA states that “a medical entity’s reasonable lack of knowledge of a violation…is no longer accepted.” So you either need to protect PHI or not work with it at all.
Luckily, HIPAA requires a company’s “best effort” and gauges a single medical provider’s office differently than a hospital or health insurance company. That is the good news; nonetheless, you must take steps to protect your patient’s health information.
11 Steps You Legally Must Do to Protect ePHI & PHI
#1 – HIPAA Assessment – An assessment will advise you to where you are at currently and provide suggested areas to improve. Most importantly, it is your first documentation for HIPAA and if you are investigated by OCR, you can show that you are starting the process of becoming HIPAA compliant. Once you have this document, you can make a plan to continually evolve and tie it with your business plans. A good IT firm can do an assessment for you and help you create a compliancy; unfortunately, most IT firms are not knowledgeable in HIPAA regulations and are not compliant themselves.
#2 –Game Plan for Improvement – Once you have your baseline established with the assessment, you need to create a plan to improve on weaknesses and to shore up vulnerabilities.
#3 – HIPAA Audit – An audit is different than your initial assessment because the audit shows and verifies your progress, thus proving a remediation you’ve taken to protect your PHI. Depending on your size, you will be required to do an audit either annually, quarterly, or even monthly.
Other Steps Required by Law (luckily these are all relatively free things)
- Privacy & Security Officers – You must name a Privacy and Security Officer (whom can be the same person). These positions must be part of the person’s job description and job evaluation. The Privacy and Security Officers are responsible for ensuring the company is following HIPAA guidelines, including training the staff.
- Ongoing Training – If you do NOT continually train your staff, people will forget things and be laxer with processes and procedures. Create a culture of continuous improvement and training.
- BAA (Business Associate Agreement) – All Covered Entities (medical providers for example) must have a signed agreement with every company that has access to their PHI. These companies are Business Associates and the agreement (the BAA), states how the company will and not use, store, and transport the Covered Entities’ PHI. [Learn more about BAA.]
- Password protect computer – All computers should require an individual username and password to access it, even if you use an EMR (Electronic Medical Record) program that has a separate login. Also, make sure to have a policy that requires passwords to be changed at least twice a year. The key to the logins is having each individual with a unique one instead of one password everyone uses throughout the medical practice.
- Password protect mobile devices – All company-owned mobile devices, including smartphones and tablets, as well as employee-owned devices with access to PHI, need to have a passcode to unlock them. Many PHI data breaches occur accidentally from a medical provider losing their mobile device. If the device has a passcode, it is unlikely for the data to be compromised.
- Two-Factor Authentication – Many cloud-based EMR and communication programs like Slack offer the option to require an additional method of verifying the user. The first time a user logins or registers an account, the user must provide their username & password as well as enter a code texted to their cell phone, provide a fingerprint scan, or use a token from a second source. This one-time, extra step ensures access is provided to the correct user.
- Secure physical equipment & files – This one should be obvious, but a lot of smaller medical providers overlook it. Lock your server room and prevent unauthorized individuals like patients from accessing. This means a server cannot sit in the practice manager’s office, especially if she sees patients and vendors in her office from time to time.
- Breach Notification Plan – You only have 60 days to notify patients that a breach occurred and that is a relatively short time period if you don’t have a plan in place. HIPAA requires all Covered Entities to have a written breach notification plan. (Note: You can contract out your breach notification to a third-party company, however, that needs to be noted in your plan.)
Recommended Protection [may be required for larger entities]
- Access Management Plan – You need to limit your employees’ access to patient data based on their role with the company. For example, not everyone needs access to billing information and billing may not need to see detailed medical records. Limiting access restricts the exposure of your ePHI. (As you grow your practice, have access set up by role instead of individually makes it much easier to manage as personnel changes.)
- Encrypt Hard Drives – To further protect any ePHI (and company financials), you should encrypt the data on your hard drives in case they are stolen or lost.
- Encrypt Emails – You cannot send patient data (or credit card info) via email unless you secure the transmission. Once you have the service in place, sending an encrypted email can be as easy as clicking a button in Outlook or using a specific buzzword that will send patients and business associates a link where they will login to view.
- Destroy Decommissioned Hard Drives – Once a computer reaches end of life, you cannot just throw it in the trash. You need to destroy your hard drives, even if encrypted.
- Firewalls – Most companies have a firewall to secure their network from an external attack. For larger medical practices, HIPAA may require such a device. If you do not have a firewall already, consider renting one (known as Firewall-as-a-Service) to keep capital expenditures down and to always have an up-to-date device.
More Advanced Physical Protection
- Security Cameras – If you’re a small doctor’s office, you may already have cameras on the premises if you’re in an office building or adjacent to a hospital. Cameras are a powerful, visible deterrent to thieves and give peace of mind to patients and employees.
- Alarm Systems – Most businesses have an alarm these days and they help ensure your physical patient files are safe as well as protect someone from accessing your electronic files from within your office. (Still require a login to all workstations and mobile devices, even when on the local network.)
- Electronic Door Access – Once you have an alarm system in place, it is fairly inexpensive to replace keys with electronic access cards. This way you can monitor who enters a particular door and when, as well as lock out an employee quickly if need be.
The key to becoming HIPAA compliant and avoid fines from the Office of Civil Rights (OCR) is to get started. Do not wait for the auditor to contact you or for a peer to get audited. Do your assessment to set a baseline, create your game plan, and schedule your period audits. That shows that you’re working toward better protection, even if you do not have it now. OCR explicitly said ignorance is not an excuse, and that goes for Covered Entities and Business Associates.