Yeah Yeah, We All Know About HIPAA But…
The phone is ringing. The doctor’s eyes open, but she finds it hard to focus. She glances at the clock and sees that it’s 4:30 in the morning. Panicked, she picks up the phone, but doesn’t recognize the number. She answers. And while it wasn’t the life or death emergency she feared, it’s a whole different kind of disaster — one that could cost her a fortune, hurt her reputation, and lose the trust of her patients. It’s the type of disaster that just may put her whole medical practice at risk.
As more of our professional and medical lives rely on complex data warehouses, data breaches are becoming one of the primary concerns of physicians when it comes to patient information, medical compliance, and HIPAA regulations. With different regulations at the federal, state, and local levels, keeping patient information private while continuing to efficiently run a practice is a burdensome and confusing task. Doctors are forced to do more with less, often at the cost of information security. Countless tools are available to help doctors communicate with one another, and all doctors are aware of HIPAA, but more often than not, doctors end up choosing the vehicle that’s fastest. Delivering the best possible care in the best possible way is something we are still trying to figure out.
Taking a Multilayered Approach
To truly safeguard patients’ medical records, a multilayered approach to document security is necessary. It’s no longer enough to simply have a lock on the door and a password on a computer. Data encryption is pretty much mandatory if records are being transported through email; there are so many possible places for security failure that it’s nearly impossible to protect the information otherwise.
Companies that have adopted a bring your own device (BYOD) policy can also experience difficulty with patient information protection and HIPAA compliance. Special consideration must be given not only to what kind of information can be transmitted, but to what kind of information can be stored on the device in case the phone is lost or stolen.
Other data protection measures that should be in place when it comes to medical records and HIPAA regulations include:
- Virtual desktop infrastructure
- Anti-virus software
- Password systems
- Firewall with DLP (data loss prevention)
- HIPAA compliant storage and hosting
- Secure network and server
- Disaster recovery
- Employee training to reduce human error
- … and in the case of a breach, timely breach notifications
Regular Risk Assessment
To ensure patient data is protected, it’s necessary to complete regular risk assessments. This can be a challenge when doctors and their staff are already so slammed for time. Risk assessments allow practices to find weak areas in their IT and their day-to-day procedures, work to strengthen them, and stay prepared for updates. To use new innovations in the medical field, physicians have to find a way to allow their technology and security to grow and develop together. If not, one — typically the security aspect — will always get left behind. As the saying goes, “security at the expense of usability… ends up at the expense of security.” If and when a HIPAA audit is necessary, these risk assessments ensure that the practice is ready and prepared.
A Changing World
Within the last year, an estimated 100 million patient records have been impacted by healthcare data breaches. That’s nearly one-third of the people in the entire U.S. It’s therefore necessary to start thinking not just in terms of tech progress, but accountability in security as well. Whether it’s creating secure (but efficient) ways of transmitting data, or building new cloud-based software that doesn’t put data at risk, we need to find a way to protect our medical information, even if it’s in ones and zeros.