5 Tips To Protect Patient Information

HIPAA security guidelines can be confusing and compliance expensive. Yet there are simple and inexpensive tips you can take to secure patient information. The first thing to realize is that HIPAA security is a process and takes time to implement. No one becomes “HIPAA compliant” overnight. There is no magic product to purchase or book to read that will make your organization instantly HIPAA compliant.

Iterative Risk Management Process

At the core of HIPAA security is a process called Risk Management. It sounds much more confusing than it actually is. So what is Risk Management?

Risk Management

Step A – Identify how you are currently protecting patient information and identify current weakness in your protection.

Step B – Implement additional security safeguards to better protect patient information

Step C – Go back to Step A

This an oversimplified definition of Risk Management but it illustrates that the process is one that is repeated over and over. This paper will focus on some of the things you can do for Step B but let’s briefly look at Step A.

Risk Assessment

How do you identify how you are protecting patient information and your weaknesses? The HIPAA Security Rule and Meaningful Use requirements call for all organizations to perform a HIPAA Risk Assessment. Let’s look at a simplified definition of a Risk Assessment.

Step 1 – Identify where patient information is stored (EMR, PACS system, email, etc)

Step 2 – Identify threats to patient information (employee loses a laptop with patient information, fire destroys your EMR, a patient is sent another patient’s test results, etc.)

Step 3 – Assess how you are currently protecting patient information (backing up your EMR on a nightly basis, using secure email to send patient information, using anti-virus to protect your systems from viruses, etc.)

Step 4 – Determine your risk for each of the threats that were identified in Step 2. You determine your risk by looking at how likely something is to happen and the impact if it does happen. Let’s look at an example to better explain risk.

Risk of a Fire Destroying Your EMR

How likely is it that a fire will destroy your EMR? The risk is probably very low. Fires happen but the probability of a fire is low.

What is the impact of a fire destroying your EMR? Your first reaction might be “the impact would be huge!” There is no denying that a fire would impact your organization but you have to look at the impact more closely.

Let’s look at the worst case scenario first. If a fire destroys your EMR and the data has not been backed up, all your patient information would be lost forever. You could not recover the information. Months or even years of patient records would be gone. You would have no history of any of your patients. This scenario could put your practice out of business and even jeopardize the health of your patients. It is hard to argue that the impact would not be great.

Let’s look at another scenario where the impact would not be as severe. If your EMR data is backed up on a nightly basis and stored offsite, a fire would not have the same impact as in the first scenario. Yes your server would be destroyed and your patient information would be inaccessible but it would not be lost forever. You could purchase another server from Dell or HP. You can have your IT staff or company setup a new server. You can have your EMR vendor reinstall the EMR software. You can restore your EMR data from backup. It may take some time but you would eventually have your EMR and patient information up and running and accessible once again.

The impact of the second scenario is obviously much less severe than the impact of the first scenario where all your patient information data is lost forever.

Step 5 – Determine additional protections to lower the risk. Using the previous example, if you determined the risk of a fire would be high because you are not backing up your data then implementing a nightly data backup would lower your risk.

Again, these 5 steps are an oversimplified explanation of a Risk Assessment but hopefully, it gives you a better understanding of the process. The key is to identify the risks that could have a major impact on your organization and identify additional protections that could lower the risks.

By now you may be saying to yourself “Okay, I understand the concept of risk but where are the simple and inexpensive tips I can take to secure patient information?”

Simple & Inexpensive Tips To Secure Patient Information

A majority of HIPAA related breaches to patient information happen due to lost or stolen portable devices. Portable devices include laptops, USB drives, CDs, DVDs, Backup tapes, Smartphones, etc. These portable devices can hold hundreds or thousands of patient records. There are a few simple and inexpensive ways of protecting portable devices to minimize the risk of losing patient information. Four of the tips will focus on portable devices and the fifth tip will look at how good password controls can protect patient information.

Tip #1 – Encrypt all laptops

We are not going to get into the details of data encryption and you don’t need to fully understand what data encryption is to understand the benefits. The HIPAA Security Rule states that if patient data is encrypted and the data is lost or stolen there is no need to notify patients or report the breach. The official description of encryption is that it is a Safe Harbor under the HIPAA Security Rule but we like to call it the “get out of jail free card”. If you lose a laptop with patient information and it is encrypted you can act, for HIPAA compliance purposes as though it was never lost. It costs less than $100@year to encrypt a laptop. Encryption usually has no noticeable effect on using the laptop and only requires a password to be entered when you first start the laptop.

We have heard arguments from clients that “our laptops don’t have any patient data on them so why should we encrypt them?” While it may be true that you did not intend the laptop to contain patient information, the fact is it COULD contain patient information.

There could be emails with patient information; spreadsheets, documents or PDFs with patient information could be stored on the laptop; reports downloaded from an EMR could be on the laptop. If a laptop is lost or stolen the process of trying to figure out what data was stored on the laptop would likely cost you much more than the cost to encrypt the laptop in the first place. Bottom-line, if your laptops are encrypted you no longer have to worry about a HIPAA breach if they are lost or stolen

Tip # 2 – Minimize the use of portable devices and the amount of data on portable devices

In order to reduce the risk of losing patient information stored on a portable device, make it a practice to not use portable devices. Raise your employee awareness of the risks of portable devices. Write a memo or send an email to all employees stating that the use of portable devices to store patient information is frowned upon. If employees must use portable devices then the amount of patient information stored on the devices should be only the minimum needed.

If USB drives must be used then only use encrypted USB drives. While it is true that encrypted USB drives are more expensive than non-encrypted USB drives, the cost is not prohibitive.

Tip #3 – Encrypt all backup tapes

If you are still using tapes to backup your data then ensure that they are encrypted. Backup tapes hold all your data. If a backup tape is lost or stolen you could have a very large data breach. Don’t assume your IT people are using encryption on your backup tapes. Have a conversation with your IT people and confirm that they are encrypting your tapes. Most backup software supports data encryption but it must be enabled first.

Tip #4 – Ensure you have a startup password and inactivity timeout on your smartphone

Smartphones such as iPhone, Android, Windows Phone and BlackBerry may contain patient information. More and more smartphones are used to access EMRs, imaging systems, etc. In addition, more and more patient information is contained in emails between physicians, physician assistants, billing departments, etc. Smartphones are easily lost or stolen and represent a risk to the patient information that they may contain. So what can be done to protect the information in the event that a smartphone is lost or stolen?

Smartphone Safeguards

There are many safeguards you can put in place to reduce the risk of data breaches caused by smartphones. Here are 3 safeguards that will go a long way to minimize the impact if your phone is lost or stolen.

Minimize the amount of patient data that is sent via email
Protect your smartphone by ensuring that a start-up password and inactivity timeout has been implemented
Implement data encryption on your smartphone

You can reduce the impact of a lost smartphone by minimizing the amount of patient data that is on the phone. By implementing a start-up password, inactivity timeout and utilizing data encryption, you can reduce the likelihood that patient information is compromised if the phone is lost or stolen.

Tip #5 – Implement good password controls

Passwords are the key to protecting systems that contain patient information. The stronger the passwords that your employees use the more secure your systems are. Here are a few inexpensive ways to ensure you implement good password controls.

Complex Passwords

Encourage employees to use complex passwords that have upper and lower case letters, special symbols such as “@ ! $ % &” and numbers. The more complex the password the harder it is to guess or crack. Keep in mind that your employees probably have so many different passwords that they will not be too happy to have another password especially if it is hard to remember. You will have to ensure they understand the importance of protecting patient information and the importance of using complex passwords in order to respond to any employees’ resistance.

Don’t write passwords down

Passwords should not be written down. They should not be stuck to monitors on yellow sticky notes. They should not be on a piece of paper under the keyboard. Passwords, like credit card and social security numbers, should be protected and not shared.

Lock accounts after failed password attempts

Accounts should be locked after a number of failed passwords attempts. For example, if an employee enters their passwords incorrectly 5 times the account should be locked and require the network administrator to unlock the account. Account lockouts prevent passwords from being guessed or hackers from using special tools to break into accounts. Needing to reset passwords may be a little inconvenient, but account lockouts are a very effective way to protect patient information from unauthorized access.

Conclusion

We mentioned a few simple and inexpensive tips that you can easily implement to protect patient information and help you toward HIPAA security compliance. Following these tips will go a long way toward providing increased protection of your patient information. If you would like to discuss implementing these safeguards, or learn more about our comprehensive HIPAA service, feel free to contact us at moc.snoitulosxet-ih@ofni. Or fill out this form and one of our HIPAA Administrators will call you back today and schedule your free 2-hour Network Assessment to identify your vulnerabilities and craft a cost-effective plan to get you compliant.

Free Network Assesment

Robert B

01:30 29 Feb 20

Fantastic! Working with Jason has been great. We initially scheduled an appointment for networking help and cyber security. On the day of his first visit we happened to have a fraud attach on our business accounts. Jason stepped in and helped with locking down our email and network. We are now setup with a managed cyber attack program. Thank you REB

Jeslyn Sabol

20:57 14 Jan 20

These guys have really helped out our office in becoming more up to date with hardware and better HIPAA compliant. They are very easy to work with, friendly, timely, and know their stuff!

Angie Greak Cuellar

14:56 28 May 19

Great service and fast responses. They did a review of my computer system, and they helped me set-up a back up system and a security system that would fit my needs (and price range) perfectly. They are very patient and explain things well! I highly recommend them! And they work remotely so you do not have to be in San Antonio to use their services! Win-win!

Heather Sanger

18:08 01 May 19

A home computer can be like a member of your family. It houses your memories, your data, and access to all the details of your life. When something happens to it, just like a loved one, you want the most qualified person taking care of it. I recently had an urgent computer issue. (Urgent because it’s college finals week and I had major assignments due in just days!) A new computer wouldn’t do, weeks and years of research were stored on this one. Googling didn’t get anywhere, help from family and friends fell short, and I knew I didn’t want to turn it over to a stranger at a big box store. (Does that guy really know what he’s doing, or is he just filling in from another dept?? How long would it take? How much would they charge?)I found the answers that I needed when I called Hi-Tex Solutions. I liked them because they’re locally owned and after speaking with them, instantly felt confident in their ability to help. A knowledge expert helped me to troubleshoot remotely over the phone. When the problem was discovered and they needed to work on it in person, drop off and pick up was seamless and it was (miraculously) fixed and ready to come home the same day! Hi-Tex Solutions brought me from the absolute desperation and devastation you feel when your trusted device stops working to the absolute relief of knowing that it’s going to be okay. I can’t handle doing business with a company that doesn’t sound like they know what they’re talking about, requires expensive diagnostics, or is just constantly up-selling. Just like my car, my health, and other important facets of life, I need someone I can trust when I have a problem, who gives an honest opinion without over-inflated estimates, and who cares about the outcome as much as I do. So grateful that I found them and will definitely do business again!

Maggie Titterington

20:14 26 Feb 19

Hi-Tex Solutions helped solve our business issues with ease and terminology that didn't require a technical degree to understand! Jason was very patient in explaining not only the processes we would need to implement but also the materials, time and different options. It is refreshing and gratifying to know that there are businesses that are IN business to really partner and help you. Thanks HI-Tex Solutions! We will definitely be using you again!

lis mathis

16:29 26 Feb 19

Prompt and timely service. Payed attention to what I needed. Been using Hi-Tex for years now for not only personal tech support but also for several of my businesses.

Thomas Boos

17:10 12 Oct 18

Great Service, Always on schedule and on time. The team at Hi-Tex is great to work with.

Justin Connally

19:58 21 Aug 18

This company is legit! Outstanding customer service, I would highly recommend them to my family and friends...

Kori Ashton

19:39 22 Jun 18

Jason has always been fast and fair in helping our small business. He's very knowledgeable and I'm more than happy to highly recommend him for all IT managed services.

Scott Savell

21:33 23 Jan 18

Hi-Tex Solutions is always very responsive to our needs! Jason and the gang does great work at a fair price! I would highly recommend them to anyone in the need of computer services.

Alvin Grigsby

20:14 23 Aug 17

Great job, very knowledgeable. Hard to find a task he doesn't know about. Great person to deal with.

HIPAA- 5 simple and inexpensive tips to protect patient information