Protecting your patients' personal health information (PHI) has always been a concern, but increasingly so since HIPAA was enacted in the 1990s. At that time it may have been enough to monitor access to the filing area, keep the copier clear of patient records, and lock the drawers and cabinets at the end of the day. However, with mobile technology and the electronic transmission of and access to patient health information, enforcing HIPAA standards has become increasingly complex.
Prior to the adoption of HIPAA and the Privacy Rule, personal health information could be distributed without patient notice or authorization. Moreover, private records could be released for reasons that had nothing to do with a patient’s medical treatment or reimbursement. Potentially, a patient’s medical bills could be passed on to a lender who could deny the patient’s application for a home mortgage or a credit card. An employer could even use personal health information in personnel decisions.
The Privacy Rule establishes a Federal baseline of safeguards to protect the confidentiality of personal medical information. State laws which provide stronger privacy protections will continue to apply over and above the new Federal privacy standards. HIPAA brought about Federal standards for the privacy of individually identifiable health information.
While the new laws were necessary, the actual implementation has long been a challenge. When training and policy are not effectively implemented, HIPAA rules can even become the butt of jokes around the clinic. Access to patient information can even become a challenge for the patients themselves. A Seinfeld episode on October 17, 1996, just after HIPAA was enacted that August, poked fun at patient access to medical records information.
While paper charts are still a big part of many clinics, more and more data is being stored and transmitted electronically. The use of mobile electronics, including laptops, phones, tablets and other devices, represents significant savings and efficiency gains, but also a risk to personal health information and privacy standards. Other portable data storage devices like jump drives also pose a liability if lost or stolen. And it does happen; security breaches occur far too often, and if your clinic does not implement PHI policy, procedure and training effectively, you may end up like some of the clinics listed here:
- Clinic Fined for Stolen Unencrypted Thumb Drive
- Mental Health Center Corrects Process for Providing Notice of Privacy Practices
- Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment
- Clinic Sanctions Supervisor for Accessing Employee Medical Record
- Entity Rescinds Improper Billing for Medical Record Copies
- Private Practice Implements Safeguards
- Private Practice Revises Process to Provide Access to Records
- Private Practice Revises Access Policy
- Private Practice Ceases Conditioning of Compliance with the Privacy Rule
- Private Practice Revises Access Procedure
As a rule, mobile devices should not be used to store or transport PHI. Robust policies on passwords, device security and encryption are needed. User authentication, file compression, and/or automatic data encryption should be required to access the data contained on the device. Users of the devices should not be allowed to tamper with or disable the security measures. In addition, policies that require the user to report loss or theft immediately should be in place.
Encryption of data and password protection are a step in the right direction, but the risk of an unauthorized release of data is too great. One effective solution is cloud-based storage. This requires the user to log in through a secure internet portal to access data. The actual data is stored and transmitted securely off-site. No actual files are stored on the laptop, phone, etc.
There are many cloud computing service providers out there. With more and more interfacing taking place in the cloud, having a technology partner that can help solve problems is critical for success. Many companies offer the on-demand service and support, customization, and technology integration solutions that mid-size independent clinics need, but finding a good match is important. Identifying business-to-business services that work effectively with your organization takes careful vetting.
Some of the features to look for in the clinic environment include:
- Redundant backup. A full data center and real-time redundant backup at both the server and storage levels ensure your office is fully guarded against catastrophic loss of data.
- Security. ProCirrus has put in place a very high level of security that functions at multiple levels. Of course, it is fully HIPAA compliant. ProCirrus describes itself as the "junk yard dog" of security.
- Customization. The ability to build a fully customized service and desktop to fit the individual needs of your company while providing integration between departments and clinic workflows.
When Outsource Receivables Inc. began looking for partners that offer such a service for medical billing, we found ProCirrus. ProCirrus is an end-to-end solution that leverages the power of the cloud with a unified desktop and local network enterprise. Secure and HIPAA compliant, we've found that this application is an integrated partner for our business. The platform integrates with standard Microsoft applications like MS Office and creates a cloud-based desktop that is accessible from any location, creating greater employee flexibility.
Getting effective tools and policies in place for your employees to be successful is the first step. None of these precautions are effective without employee buy-in, and having staff take PHI policy seriously starts with training and understanding. Organizing a HIPAA office walk-through can be a great first step in getting the conversation started. Having an office Lunch & Learn is another great method of gaining buy-in and making an honest assessment of your office. Review policy, check your systems, and get buy-in before your patients' PHI policy becomes the butt of jokes around the water cooler, or worse yet, big fines and big news.