When you have a site that deals with people’s health information, ensuring that your site follows the Health Insurance Portability and Accountability Act (HIPAA) is essential. Protecting your patient health information (PHI) requires identifying possible breach points and taking measures to prevent breaches from happening.
Whether your organization creates, receives, stores or transmits PHI, identifying where PHI is handled is the first step to knowing how to protect it. This includes PHI that is shared with consultants, vendors, and Business Associates.
Threats to your PHI can come in many forms, and it’s important to try to account for all of them. Your PHI may be in jeopardy as it enters your system, depending on the method: email, texts, EHR entries, faxes, mail, paper, and databases. All of these channels can be compromised if they are not protected. Ensuring that your email is encrypted, and that the devices and passwords used to relay sensitive information are not available for others to use, can help keep PHI safe as it enters the system.
Once it’s in your system, what happens to it? PHI can go through EHR systems, computers, servers, email, apps, mobile devices, encryption software, all of which need to be secured. Upon leaving the system, just because it is going out of your hands doesn’t mean you should be any less cautious. Use email encryption, regularly empty recycle bins on your computer, and if the PHI is physically being transferred via flash drive or other method, make sure to take the necessary precautions.
Knowing where PHI may be compromised, check whether measures are already in place to counter the potential threats. Don’t forget to assess the likelihood of a “reasonably anticipated” breach occurring, because despite your precautions there are always residual risks. These risks can be digital, physical, internal, external, or environmental. Internal threats may stem from an employee’s negligence, or they may be willful, as with a disgruntled employee. While we all hope this will not happen, human error is a fact of life that must still be factored in.
After assigning the likelihood of a breach, give each potential occurrence a risk level based on how likely it is to occur and what the impact of a breach would be. A patient glimpsing a computer screen with PHI on it is likely low risk, but an attacker gaining access to your network would be high risk.
Don’t let all your hard work analyzing potential threats go to waste, and make sure to fill out the HIPAA compliance checklist and ensure that you are meeting HIPAA compliance. Everything needs to be documented, otherwise it doesn’t count.
Compile your risks, the measures you’re taking against those risks, the rationale for the measures, procedures, and policies subsequently implemented into an official plan. All policy documents must be kept for a minimum of six years.