Resources

Blog

5 Policies to Protect ePHI

5 Policies to Protect ePHI

Creating a secure cyber environment is never only about having the best software and technical support. There are things every practice can do right now, at no cost and with no IT background needed. Having the right policies in place, along with the training on and enforcement of, is just as essential to the security of your practice as having the right antivirus.

Policies Every Practice Should Implement to Protect Their Patients

  • Create and enforce a good workstation use policy that prohibits employees from using their work computers for personal use. Most cyber-attacks can be traced back to someone clicking through a fake email, opening a suspicious attachment, or visiting an unsecure website. Even as the hackers become more and more sophisticated, these deceptive tactics remain their best way into your system. According to a 2020 Statista report, phishing emails accounted for 54% of the reported ransomware attacks.
  • Enforce proper password management. This means no sharing of passwords, changing passwords on a consistent basis, and creating complex passwords as opposed to a person’s name or birthday. It is also advised that you do not write your passwords on a post-it and stick it on your monitor. Everyone has experienced the frustration of not being able to log into a system, but this policy is essential to protecting your system and your patient info.
  • Always follow HIPAA’s minimum necessary standard. This means ONLY accessing, discussing, or transmitting the absolute minimum amount of patient info that’s needed for treatment.
  • Always do your due diligence and always have a Business Associate Agreement (BAA) in place. Choosing which vendor to work with, whether it’s an IT company, a medical billing company or a practice management software, is a big decision for a practice and should be treated as such. Do your research and keep an eye out for any red flags, such as a poor web presence or a suspicious history. And if a vendor is not willing to have a business associate agreement, they may not be willing to protect your patient info. Even the biggest organizations have recognized the need for a BAA and have made it easy to find their agreement and keep it on file.
    • BAA for Microsoft Office 365
      • Login to Microsoft Office 365 Administrator Center > Billing > Subscriptions > Optional Privacy and Security Contractual Supplements.
      • Next, on this page you should see the Office 365 and CRM Online HIPAA/HITech Business Associate Agreement. Check off the box for that agreement, provide your electronic signature, and click Accept.
    • BAA for Google Workplace
      • Go to the Security and Privacy Additional Terms within the Administrator Center.
      • Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to review the amendment.
      • Click Review and Accept and answer all three questions to confirm that you are a HIPAA covered entity. To accept the HIPAA BAA, click OK.
  • Have an emergency plan in place. The plan should detail who does what at the practice when faced with different worst-case scenarios like a cyberbreach, loss of data, and even a natural disaster. By having the plan ready before something happens, you can maximize your response time and minimize any damage.

The days of offices filled with file cabinets filled with patient records and forms going back and forth through USPS are over. The use of technology has changed the way patients are treated and new technologies are constantly becoming more popular. As an example, a recent HHS survey found that 1 in 4 individuals have used telehealth services.

While advances in technology have been a huge benefit for practitioners and patients alike, they’ve also resulted in patient privacy and security being more at risk than ever before. What hasn’t changed is that you care about your patients. By approaching any technology with the same care and attention you give to a patient’s treatment, you will continue to protect them.

References

  1. U.S. Department of Health and Human Services Office for Civil Rights https://www.hhs.gov/sites/default/files/breach-report-to-congress-2020.pdf
  2. Statista https://www.statista.com/statistics/700965/leading-cause-of-ransomware-infection/

Get started today!

Thousands of providers like you supercharge their front office with Practice Management Bridge. Schedule a call to see how we can help reduce admin work, so you can focus on your patients.

Book a Demo