Five Tips for Keeping Patient Information Safe

Brent Bensten, Chief Technology Officer at Carpathia.

Sep 4, 2014

 It’s no secret that compliance and security are paramount in the healthcare industry, as patient information must be protected from unauthorized access at all times. That’s precisely why federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) exist, but navigating such regulations can often prove to be complex and difficult. 

With the vast array of demands facing healthcare providers, many aren’t investing enough time and energy into achieving and maintaining compliance under federal regulations. If you’re concerned that you may be one of them, be sure to take these five steps to safeguard against the accidental distribution of sensitive patient information. 

Make Sure you are HIPAA Compliant

This might seem obvious, but HIPAA has changed quite a bit since it was signed into law in 1996. For example, as of late 2013, all providers that maintain protected health information on behalf of covered entities became subject to HIPAA and Health Information Technology for Economic and Clinical Health (HITECH). Per HIPAA, those providers are now considered to be “business associates,” whether or not they actually view the information they hold. 

This Omnibus Final Rule now makes both subcontractors of business associates and business associates directly liable for compliance with certain parts of the Security Rule and HIPAA Privacy requirements. Simply put, the Omnibus Rule puts liability on the provider for breached protected health information. All covered physician practices were required to have updated their HIPAA policies and procedures regarding the Omnibus Rule and implemented accordingly by September 23, 2013. 

Make sure you are aware of these updates, as due diligence with regards to HIPAA is an absolute first and non-negotiable step. Non-compliance can bring about potential legal action and fines, along with other undesirable and significant side effects. 

Make Risk Assessments Part of your Routine

Completing an up-to-date risk assessment is another key step to protecting patient information and maintaining compliance. This increases awareness of details that contribute to your organization’s current risk profile and provides a clear picture of those specific elements that increase your susceptibility to a data breach. Ensuring this box is checked also provides the opportunity to create a plan and consider the budget, policies and processes necessary for closing up vulnerable areas. 

Upon completing an assessment, you may find that a minor change, like reconfiguring an office so the public cannot view a computer monitor, solves a potential problem. In your risk assessment, be sure to include any equipment and devices that are not on your facility’s network but that store or transmit data, such as X-ray machines. Overall, it is a best practice to keep an up-to-date plan in place for making the necessary changes as resources become available.

Keep Track of Meaningful Use and EHR Requirements

As the transition to Electronic Health Records (EHR) continues, demonstrating Meaningful Use is becoming less of an option. The Medicare EHR Incentive Program began in 2011, offering eligible healthcare providers financial incentives for adopting, upgrading, implementing, or demonstrating Meaningful Use of EHR. The incentive payments from the program will continue through 2016, and 2014 marks the last year to begin participation in the program. The Medicaid EHR Incentive Program’s incentive payments will continue through 2021; however, the last year that an eligible healthcare professional can begin participation in that program is 2016. One point of note is that, beginning in 2015, penalties may be assessed to healthcare providers who fail to demonstrate Meaningful Use. As a result, organizations need to ensure they are in line with Meaningful Use to avoid future penalties.

Make Sure YOUR Policies Work for YOU

The plans you create in order to achieve and maintain compliance will be slightly different depending on your organizational structure, needs and areas of concern. The staffing structure you have in place, method of data storage, Meaningful Use and potential transmission of information will vary for every organization. Tailoring your policies to ensure that your organization’s needs are top-of-mind while compliance mandates are continuously met will ensure maximum security, in addition to ensuring that both your time and resources are being used effectively. 

Create a Community of Awareness

Your staff plays a vital role in maintaining the security of patient health information in all formats. Information can be compromised not only by hacking but also by simple human error. HIPAA guidelines include the establishment of recurring security training for personnel in organizations that handle protected health information. All employees must be aware of current access and handling policies for sensitive information and of the physical and procedural best practices needed to meet privacy requirements. Achieving and maintaining compliance is a responsibility of every organization, not just the much larger ones.

All in all, achieving and maintaining compliance is a key factor in the healthcare industry. Developing a plan to do so, as well as staying current with updates to the associated regulations, is necessary for all organizations and will help set you up for success.

About the Author

Brent Bensten is a data center specialist with over ten years of experience in multiple Fortune 500 companies focusing on managed services operations. In his role as Chief Technology Officer, Brent focuses on building and supporting new, innovative information systems. Brent previously served as Vice President of Operations, managing data centers around the world and the global IT operations team. Additionally, he streamlined operations, building and delivery of strict Information Technology Infrastructure Library (ITIL) compliance for more than 5,000 devices. Prior to joining Carpathia’s leadership team, Brent held the position of Senior Manager of Operations for Services at Sun Microsystems.