Note: This is a guest post from Alok Prasad, the President of RevenueXL Inc. which is a leading provider of ONC-ATCB certified EHR software to small and mid-sized practices. Visit their site to find out about their free EMR trial.
It’s an ugly reality: Even despite providers’ best efforts to secure the health information kept in EHRs, data breaches continue to occur. HHS has received approximately 940 complaints alleging a violation of the Security Rule since October 2009 when the Office for Civil Rights (OCR) began reporting its Security Rule enforcement results. As of August 31, 2014, OCR had 316 open complaints and compliance reviews.
As providers continue to store electronic protected health information (ePHI) in EHRs, they must also keep in mind that these systems are vulnerable to cyberattacks and security breaches. These breaches could occur from outside hackers, or because of inappropriate access by staff members internally. The ONC recently published a Guide to Privacy and Security of Electronic Health Information that helps providers implement strategies to mitigate risk. This article provides five of the best compliance tips, based on this guide.
1. Conduct a security risk assessment
To thwart off potential security risks, practices must first identify where and why those risks could originate. HIPAA requires covered entities to perform a risk assessment to ensure that requirements are met and that entities can identify areas where ePHI could be at risk. HHS’ Guidance on Risk Analysis Requirements Under the HIPAA Security Rule suggests the following steps:
- Think ‘big picture’ in terms of the scope. This includes assessing ePHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media.
- Identify where the ePHI is stored, received, maintained, or transmitted. This may require policy review, interviews with staff members, or a review of past or existing projects.
- Identify and document potential threats and vulnerabilities. This includes natural, human, and environmental threats as well as technical or non-technical vulnerabilities.
- Assess current security measures. What does the practice currently do to mitigate risk, and are those techniques effective?
- Determine the likelihood and potential impact of any threats. Which threats can be reasonably anticipated, and which ones would have the largest impact?
2. Know the HIPAA Security Rule requirements
- Implement administrative safeguards, including policies and procedures to prevent, detect, contain, and correct any security violations. Be sure to update these policies as regulations change.
- Use physical safeguards to protect the EHR from natural and environmental hazards and unauthorized intrusion.
- Establish organizational standards to ensure the execution of formal contracts or other arrangements with business associates who will have access to ePHI.
3. Communicate with your EHR vendor
Ask your EHR vendor about specific security features and how your practice can make the most of them. To ensure security, your EHR should include these features:
- Data encryption. This includes encryption for data within the EHR, data within any secure email functions between patients and providers, data within the patient portal, and any data in transmission.
- Auditing functions and audit trails. This makes it easier for practices to perform ongoing audits to see who accesses information and why, and it can deter individuals from accessing information inappropriately. Be sure that the audit trail function is activated within the technology at all times.
- Unique user IDs and strong passwords. Encourage staff members not to share passwords or use passwords that can be easily guessed by hackers.
- Role-based or user-based access. This ensures that employees only have access to the information necessary to perform their job functions.
- Auto-time out. This ensures that information cannot be breached when terminals are left unattended for a certain period of time.
- Amendments and accounting of disclosures. Accounting of disclosures allows practices to track who information was disclosed to and why. Patients increasingly request this information to ensure that their ePHI has been kept private and secure.
To ensure effectiveness, staff members must be fully trained on each of these features and how to use them.
4. Stay up-to-date on software upgrades and available patches
These upgrades and patches often include important security-related features that prevent ongoing data breaches. Appoint someone within the practice to monitor these upgrades and ensure that they are installed on an ongoing basis. If you’re practice uses subscription-based SaaS software, check with the vendor to see if security updates are automatically installed, or if you need to periodically update the program.
5. Don’t forget about mobile technology
Security beaches don’t occur only with stationary desktop EHRs. They can also occur on smartphones, tablets, and other digital devices running EHR software. HealthIT.gov provides the following tips:
- Use a password or other user authentication (e.g., number code, finger swipe, and drawing).
- Install and enable encryption.
- Install and activate remote wiping and/or remote disabling in the event that the device is stolen or lost.
- Disable and do not use file sharing applications that could enable unauthorized users to access your files and other information.
- Install and enable a firewall to protect against unauthorized connections.
- Install and enable security software, and keep this software updated.
- Research mobile apps before downloading them so you’re aware of the information that the app is able to access.
- Maintain physical control.
- Avoid public Wi-Fi when sending private information.
- Delete all stored health information before discarding or reusing the device.
Invest now to reap the benefits
Monitoring security threats requires ongoing diligence and attention. Practices that devote the proper time and resources to this effort can rest assured that they are doing everything possible to mitigate these risks. Doing so also gives patients the confidence they seek in terms of provider protection of their ePHI.