Medical practices need to have good HIPAA-compliance policies in place if staff members can be expected to prevent breaches of protected health information (PHI). Many groups search the internet for free or inexpensive templates upon which to base policies. This is not necessarily bad, but each organization has its unique characteristics, and HIPAA policies should reflect that.
“I’ve seen policies that actually still have ‘organization’ where the name of the group should be,” said Susan Lucci, senior privacy and security officer for tw-Security, which is based in Overland Park, Kansas. “That shouldn’t be on the policy in any form.”
Because policies and procedures are such an important part of a security plan, they were included in a recent set of recommendations released by a Department of Health and Human Services (HHS) cybersecurity task force. One section focused solely on what organizations should do to protect data and prevent PHI loss.
“You don’t have to spend a ton of money to get a set of policies and procedures and training that fit your workforce,” Lucci said. “If you have someone on board with expertise, have them do it. If not, get them trained or get help from an outside group.”
The importance of tailoring policies to a workforce and training the staff to comply cannot be overstated, Lucci said. Regulations change, as do the threats to a practice. Policies, procedures, and training should be regularly updated, including new documentation to prove a group is taking the task seriously.
Because health care employees work with PHI constantly, they may get lax about how they handle and transmit it. This is where establishing policies can be useful. Creating these policies helps build expectations for how staff is supposed to manage sensitive information.
Failure to categorize data is among the shortcomings at many practices. Gary Pritts, president of Cleveland-based Eagle Consulting Partners, Inc., advises his clients to segregate information into 3 categories: PHI, company confidential information, and public information. HHS’s recommendations add the additional category of highly-sensitive PHI, such as data that could be used to commit fraud or a major breach, including Social Security and credit card numbers, or patient data such as sexually transmitted diseases or mental health information. Access to this should only be given to staff whose job requires they see it.
Once data are categorized, an organization needs to put procedures in place to manage the information. Medical groups should determine which employees should have access to what levels. Pritts said groups should follow HIPAA’s “need to know” principle and allow access only to what employees need to perform their daily job duties. Clinical staff might need access to electronic medical records, but not billing information. The front desk might just need scheduling and patient demographics. In small offices, people might be wearing many hats and need access to all.
“Practices need to think this through and then document it,” Pritts said. “Then [they should] go into the computer systems and configure them so they can restrict people to the information they need and not give them the information they don’t.”
HHS recommends encrypting all texts and emails except when patients request records. If patients want records sent unencrypted, they should be informed of the potential for a breach. HHS recommends using a secure email application like Direct Secure Messaging.
Pritts said most of the practices with which he works do not use secure email, mostly because of the cost (which he said can be around $100 per employee per year). Instead, many small practices have adopted the policy that they simply do not send any patient information via email.
Finally, technologies can be put in place to mitigate the risk of a breach. Data loss prevention systems, typically used by larger organizations, can include programs on all devices that monitor information being sent from them and block data that may be PHI. Smaller organizations can perform simple procedures such as having their IT provider disable USB drives or configure firewalls to disable access to sites like Google Drive where someone could upload information. “You can train employees not to do certain things, but you can prohibit it by using a firewall,” Pritts said.