Today’s medical businesses are bound by the many restrictions of the Health Insurance Portability and Accountability Act (HIPAA). This law applies not only to information sent by medical providers and insurance companies, but also to information handled by third-party business associates. The HIPAA Omnibus Rule, effective earlier in 2013, strengthens a number of existing provisions to further protect the privacy and security of sensitive healthcare-related information.
HIPAA violations can land a medical practice and its business associates in hot water with heavy penalties. In fact, businesses with breaches of 500 or more records are publicly listed on the “HIPAA Wall of Shame”. One area that may be overlooked in your practice is e-mail encryption. Below are some common tips on encrypting e-mail and protecting PHI (protected health information) in transit.
IT professionals suggest encryption at three points: the connection between the office and the e-mail provider, the e-mail message itself, and any stored or archived messages.
Public networks like restaurant and coffee shop connections are not as secure as specifically set up private networks. Make sure that you consider encryption (and other protections as applicable) for any information sent through these vulnerable networks. Better yet, avoid sending or opening any private information while using public networks.
Some healthcare practices send and receive PHI via a file transfer protocol (FTP) system. FTP is a standard protocol for moving files from one computer to another; note that plain FTP sends credentials and file contents unencrypted, so an encrypted variant such as SFTP or FTPS is needed when the files contain PHI. Understanding the full use of FTP and other server systems will help you develop and continuously update the right strategies for e-mail and data encryption. Check the Administrative Simplification section and the Technical Safeguards standards under HIPAA for the compliance requirements that apply to sending files this way.
SSL and its successor TLS are the two types of comprehensive data security that support commercial banking processes and other sensitive financial transactions. By ensuring that all network segments are SSL/TLS compliant, you are promoting effective security for your own sensitive information as it passes through your electronic systems. Experts recommend checking for an ‘s’ after the http in a browser URL (https://) as one indication of its security setup.
Rather than trying to set up your own IT systems, you may be able to benefit from pre-designed tools that will effectively secure sensitive patient information. Check with any regular vendors or suppliers for tools that meet the high standards of HIPAA compliance.
Consider encrypting archives as well as messages in transit – some practices encrypt messages as they flow out of a network, but they don’t close the back door on archive systems. Hackers can get into archives and cause the kind of data breaches that end up being expensive and generating liability.
Rather than assuming that a system preserves encryption, do a little fact finding and confirmation with the vendor to make sure that your messaging systems are secure through each step of the data transmission process.
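One concrete way to do that fact finding for the in-transit hops described above is to audit the Received headers of a message that has already traversed your systems: each relay records whether it accepted the message over TLS (RFC 3848 registers the "with ESMTPS"/"ESMTPSA" keywords for this). The following is an added example, not code from the original article; the message it inspects is constructed, and the host names (clinic.example, insurer.example) are placeholders.

```python
import email
import re

# Constructed sample message (not from a real mailbox): the clinic's own mail
# exchanger accepted the message over TLS ("with ESMTPS"), but the insurer's
# server then accepted it in the clear ("with ESMTP").
SAMPLE_MESSAGE = """Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\tby mail.insurer.example with ESMTP id 7f3a1
\tfor <claims@insurer.example>; Mon, 04 Nov 2013 09:12:44 -0500
Received: from workstation.clinic.example ([192.0.2.25])
\tby mx.clinic.example with ESMTPS id 5c9b2
\t(version=TLSv1 cipher=AES128-SHA);
\tMon, 04 Nov 2013 09:12:40 -0500
From: front-desk@clinic.example
To: claims@insurer.example
Subject: Claim follow-up

(body omitted)
"""

# Heuristic TLS markers: the RFC 3848 transmission types ESMTPS/ESMTPSA and
# LMTPS/LMTPSA, plus the "version=TLS..." comment many MTAs add to the hop.
TLS_MARKERS = re.compile(r"\bwith\s+(?:ESMTPSA?|LMTPSA?)\b|version=TLS", re.IGNORECASE)
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def audit_hops(raw_message: str) -> list[dict]:
    """Return each Received hop, oldest first, with a 'tls' flag."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received header, so the list in header
    # order is newest-first; reverse it to follow the message's path.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold the header onto one line
        m = HOP_RE.search(flat)
        sender, receiver = (m.group(1), m.group(2)) if m else ("?", "?")
        hops.append({"from": sender, "by": receiver, "tls": bool(TLS_MARKERS.search(flat))})
    return hops


def cleartext_hops(raw_message: str) -> list[str]:
    """Names of the relays that accepted this message without TLS."""
    return [h["by"] for h in audit_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        print(f"{hop['from']} -> {hop['by']}: {'TLS' if hop['tls'] else 'CLEARTEXT'}")
```

Only the Received headers written by servers you control are trustworthy, since any relay can write or omit them; treat a cleartext hop as a finding to raise with the vendor, not as proof of a breach.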
Some healthcare professionals who hear from others in their industry might suspect that HIPAA enforcement is not really as stringent as it appears to be, or that they “really don’t have to do” something. Or, maybe you think a breach could never happen to you. Be sure your IT professional and vendors are well versed in HIPAA compliance and will advise you on the necessary steps for complete protection. Making relaxed judgments can result in costly mishaps.
Many data breaches result from unauthorized users getting their hands on a lost or stolen smartphone or tablet. Smart medical businesses must extend their breach protection standards to cover both personally owned and company-owned devices. Setting a password to unlock the device and installing an encryption application are a couple of basic defensive steps.
The most HIPAA-compliant physician practices have specific protocols for when a staffer steps away from his or her desk. Locking screensavers and other protections, such as immediately logging off a workstation, go into play. This prevents visitors or others from snooping into PHI at a sensitive moment.
As some medical professionals have pointed out, PHI is only protected if it refers to specific medical care, treatment or contains patient identifiable information. Some general elements such as an identity without any diagnostic or medical information may not fall under HIPAA law. Although medical businesses have some room to maneuver under these kinds of rules, it’s better to be safe than sorry when it comes to protecting your patients’ privacy.
While you may have to increase your budget and time to ensure your systems meet HIPAA compliance standards, it is time and money well spent. The result of a breach can be monumental in terms of cost and trust. Don’t know where to begin or want to confirm your standards are compliant? The U.S. Department of Health and Human Services offers robust training guides and compliance checklists/templates to ensure you are on the right track and not alone.