Patient health records, known in HIPAA terms as protected health information (PHI), are highly valuable to cybercriminals bent on reselling stolen data on the dark web or committing identity theft. On top of that, they contain sensitive information which is subject to stringent privacy regulations. Healthcare providers and any associates handling PHI on their behalf must therefore adhere to the rules of the HIPAA regulation.
Here are the five most important things you need to do to ensure you’re compliant:
#1. Develop your privacy and security policies
Having documented privacy and security policies not only defines the standard your employees are expected to abide by, but it’s also a legal requirement of HIPAA.
HIPAA requires covered entities and business associates to have policies governing the use and physical positioning of computers and mobile devices, as well as for risk management.
Any system which employees can use to access PHI should be covered by your policy. This includes employee-owned devices used for work, such as smartphones and laptops. The physical location of these devices is also important, since PHI needs to be kept out of public view.
#2. Review your business associate agreements
Many data breaches occur at the hands of third parties, which in the case of healthcare might include clearinghouses, insurance providers, and technology vendors. Any organization with access to your systems must be extensively vetted, and access should be restricted to provide only the information that’s necessary for the relationship to function.
Restricting third-party access requires a documented approach to vendor management. You need to maintain complete visibility into your supply chain and any third parties you work with. A business associate is legally defined as any individual or organization that creates, receives, stores, or transmits PHI on your behalf.
#3. Implement a means of access management
Implementing proper access controls is a key requirement of HIPAA, but given that the legislation was introduced over 20 years ago, when the technology landscape was quite different from what it is today, it’s not very clear on the exact measures you need to take. HITECH was introduced to clarify precisely which technical safeguards you need to implement.
At the core of any robust access management is a strong password policy that prohibits the use of weak passwords. All mobile devices should be PIN protected, while any accounts that hold PHI must be protected with multifactor authentication. Although HIPAA doesn’t explicitly require encryption, all records should ideally be encrypted at rest and in transit.
#4. Introduce activity logs and auditing controls
Today’s business technology environments are more complex than ever, healthcare being no exception. Conventional defense measures alone, such as firewalls and antivirus programs, don’t cut it anymore, not least because a lot of healthcare information ends up being stored and transmitted outside the office.
Many healthcare providers and their associates now use cloud-hosted applications to store PHI, while employees are accustomed to accessing records from mobile devices, including ones which belong to them. To enforce your security policies and maintain visibility into your digital assets, you need a centralized dashboard for tracking logins and keeping full audit trails.
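The two points above (MFA on any account that reaches PHI, and a central audit trail of logins and record access) can be checked mechanically once the logs are in one place. The following is an added example, not code from the original article or from Record Retrieval Solutions: it parses a constructed key=value access log (the timestamps, user names, record IDs and IP addresses are made up), builds an ordered audit trail, and flags three conditions that a reviewer would want surfaced on a dashboard: PHI reads from a session that did not authenticate with MFA, logins outside assumed business hours (07:00 to 19:00), and bulk record access (more than 3 distinct patient records within 10 minutes). The log format, the field names and the thresholds are all assumptions for the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Format assumed:
# <ISO timestamp> user=<id> event=<login|phi_read> [mfa=yes|no] [record=<id>] src=<ip>
SAMPLE_LOG = """\
2024-03-04T09:02:11 user=jdoe event=login src=10.0.0.5 mfa=yes
2024-03-04T09:05:40 user=jdoe event=phi_read record=P-1001 src=10.0.0.5
2024-03-04T09:06:02 user=jdoe event=phi_read record=P-1002 src=10.0.0.5
2024-03-04T22:41:19 user=asmith event=login src=198.51.100.7 mfa=no
2024-03-04T22:42:03 user=asmith event=phi_read record=P-2001 src=198.51.100.7
2024-03-04T22:42:09 user=asmith event=phi_read record=P-2002 src=198.51.100.7
2024-03-04T22:42:15 user=asmith event=phi_read record=P-2003 src=198.51.100.7
2024-03-04T22:42:21 user=asmith event=phi_read record=P-2004 src=198.51.100.7
2024-03-04T23:10:00 user=bvendor event=login src=203.0.113.9 mfa=yes
2024-03-04T23:11:30 user=bvendor event=phi_read record=P-3001 src=203.0.113.9
"""

# Assumed policy values for the example.
BUSINESS_HOURS = (7, 19)            # logins expected between 07:00 and 18:59
BULK_THRESHOLD = 3                  # more distinct records than this in the window is flagged
BULK_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    fields: dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one key=value log line into an Event."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_str), fields.pop("user"), fields.pop("event"), fields)


def build_audit_trail(text: str) -> list[Event]:
    """The audit trail: every event, parsed and ordered by time, nothing dropped."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e.ts)
    return events


def audit(events: list[Event]) -> list[tuple[str, str]]:
    """Return (user, rule) findings, one per user and rule, in the order first seen."""
    findings: list[tuple[str, str]] = []

    def flag(user: str, rule: str) -> None:
        if (user, rule) not in findings:
            findings.append((user, rule))

    mfa_session: dict[str, bool] = {}                   # MFA state of each user's latest login
    reads: dict[str, list[tuple[datetime, str]]] = defaultdict(list)

    for e in events:
        if e.event == "login":
            mfa_session[e.user] = e.fields.get("mfa") == "yes"
            if not (BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]):
                flag(e.user, "after_hours_login")
        elif e.event == "phi_read":
            # A PHI read is only acceptable from a session that authenticated with MFA.
            if not mfa_session.get(e.user, False):
                flag(e.user, "phi_access_without_mfa")
            reads[e.user].append((e.ts, e.fields.get("record", "")))
            recent = {rec for t, rec in reads[e.user] if e.ts - t <= BULK_WINDOW}
            if len(recent) > BULK_THRESHOLD:
                flag(e.user, "bulk_phi_access")
    return findings


if __name__ == "__main__":
    trail = build_audit_trail(SAMPLE_LOG)
    print(f"{len(trail)} events in audit trail")
    for user, rule in audit(trail):
        print(f"FINDING {rule:<24} user={user}")
```

Run as-is, the script reports four findings: asmith logged in after hours without MFA, read PHI from that session, and pulled four records in under a minute; bvendor's late login is flagged for review but the reads pass because the session used MFA. Keeping `build_audit_trail` separate from `audit` matters: the trail is the complete record you retain for investigations, while the rules are a first-pass filter that you tune over time.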
#5. Provide a documented staff training program
Most data leaks and breaches occur at the hands of employees, usually by accident. Knowing this, cybercriminals use social engineering scams, rather than actual hacking, to steal sensitive data and gain unauthorized access to online accounts. That’s why employees are the first and last line of defense.
Although HIPAA doesn’t explicitly state that you should implement a security awareness training program, it’s critical for boosting your security standards. Having a documented procedure for training your staff will promote safe data management habits and reduce the risk of data breaches in your organization.
Record Retrieval Solutions provides secure and HIPAA-compliant record retrieval solutions for law firms. Call us today to learn more about our high-quality services.