1. Encrypt all health information. Encrypt laptops and other devices, like smartphones, that have ePHI stored on them. The Office for Civil Rights reports that nearly two-thirds of all large breaches involving ePHI are the result of laptops and other portable devices with unencrypted health information that were lost or stolen.
2. Utilize passwords or authentication requirements for software applications and devices. Passwords are like your front door. If it’s not locked, it’s not of much use. If it’s locked, it’s a barrier to criminals. Like doors, however, passwords vary in strength and effectiveness. Today’s cyber criminals are increasingly adept at breaking through weak passwords. Passwords should be unique and include numbers or special characters.
3. Don’t discuss patients in common areas. A healthcare organization can easily find itself in violation of HIPAA when a staff member purposely or inadvertently shares confidential information about a patient. Make sure staff members know what is at stake if they reveal patient health information to an unauthorized person.
4. Put incident response plans into place. Although you might consider a HIPAA violation only a remote possibility, being caught unprepared would make such a scenario even worse. Ensure that any response plan is current, understandable and accurate. Train your staff members and test the plan so every person knows their roles and feels comfortable with their responsibilities.
5. Be vigilant about third-party business agreements. Because HIPAA violations can occur outside of a practice or business, HIPAA audits are now being performed on healthcare business partners. HIPAA rules require healthcare practices to sign a business associate agreement with any contractor or vendor that will create, store or transmit their ePHI.
6. Properly train all of your staff members on HIPAA. Make sure everybody in the organization, including part-time or ancillary staff, understands what HIPAA is, what the risks are for violators, and that they all play a part in keeping your practice compliant. As an example, teach staff to be suspicious of emails that ask the user to click on a link or ask for sensitive information, such as usernames and social security numbers. These types of emails can expose the practice’s information system to malware that enables cyber criminals to infiltrate the system.
For more information on HIPAA compliance, please contact us.