How to Protect Patient Information
As healthcare breaches continue to rise, it is important for anyone working with protected health information (PHI) to understand how to protect patient information. Most healthcare breaches are the result of human error; as such, employees are the first line of defense when it comes to protecting patient health information in the workplace. The following are tips that can be implemented to mitigate the risk of exposing patients’ sensitive information:
- Do not share passwords or login credentials
- Do not leave documents or portable devices unsupervised
- Do not share patient information via text
- Do not dispose of PHI in your regular garbage
- Do not access patient information without reason
- Do not take medical records with you when changing jobs
- Do not access your own medical records using your login credentials
- Do not share ePHI on social media
- Always report suspected HIPAA violations
- Train employees
How to Protect Patient Information
A detailed list of how to protect patient information is explained below.
- Do not share passwords or login credentials
To ensure that actions can be attributed to specific individuals, it is important that login credentials are never shared between employees. Unique login credentials allow you to keep an audit log, which is a requirement under HIPAA. An audit log is a way to track access to PHI, and includes who accessed what information and for how long. Audit logs minimize the risk of insider threats as they establish normal access patterns for each employee, ensuring that PHI is not accessed excessively.
- Do not leave documents or portable devices unsupervised
One of the main reasons behind accidental PHI breaches, is leaving documents or portable devices unattended. Patient files hold a wealth of information, including Social Security numbers, financial information, and other sensitive information. PHI that is lost or stolen can result in the patient’s identity being stolen, or in financial fraud.
Employees should never leave paper records out. Records should be kept in locked rooms or cabinets, no matter how long the employee is leaving their desk for. In addition, laptop and desktop computers should be locked and password protected. If you have PHI contained on thumb drives or other portable devices, they should also be kept in locked areas.
- Do not share patient information via text
Traditional text messaging platforms are not HIPAA compliant as they do not have the protections necessary to safeguard protected health information. If you wish to use text messaging to communicate PHI internally, within your organization, or with patients, you must use a healthcare text messaging platform. However, before sending any PHI using a healthcare texting platform, you must have a signed business associate agreement (BAA). A BAA dictates the protections that the business associate is required to have in place securing PHI. It also determines which party is responsible for reporting a breach should one occur.
- Do not dispose of PHI in your regular garbage
Any document containing PHI must be disposed of properly. It is recommended that documents containing PHI be shredded or incinerated so that documents cannot be reconstructed. If there are documents waiting to be shredded, they should be kept in a locked shredder bin until they can be properly disposed of.
Devices containing PHI need to be adequately destroyed to prevent unauthorized access to PHI. This can be accomplished with hard drive shredders, or through degaussing. Degaussing is the process of using powerful magnets to permanently erase data contained on a hard drive.
- Do not access patient information without reason
The enactment of HIPAA established the “minimum necessary” standard. This standard requires PHI to be accessed only when necessary, to perform a job function. Unique login credentials ensure that PHI is only accessed with purpose, and audit logs ensure that PHI is not accessed excessively. With unique login credentials, administrators can grant access to PHI based on employees’ job functions. For instance, a nurse does not need access to patient’s billing information, as someone in the billing department does not need access to a patient’s health records.
- Do not take medical records with you when changing jobs
Employees may be tempted to take patient records with them when starting a new job. Taking patient records could give them an advantage in their new job, by bringing patients to the new practice. To prevent this from occurring, access to PHI should be immediately revoked, or severely limited, when an employee gives their notice.
- Do not access your own medical records using your login credentials
It is not permitted for employees to access personal health records using their login credentials. Employees must go through the same process of obtaining their records as patients.
- Do not share ePHI on social media
In 2019, a small dental practice was fined $10,000 for responding to a Yelp review, revealing protected health information. Even simply confirming that someone is a patient on a public platform is considered a HIPAA violation. When responding to patient reviews, a simple “thank you” or “please contact us” should be the only responses. Anything more is considered a breach of PHI.
If you would like to provide patient testimonials on your website or social media, you must have written consent from the patient prior to doing so. Additionally, when taking pictures at work, employees should be cognizant of the background of their images to ensure that there are no patients or patient information in the background. However, best practices are to discourage social media use at work.
- Always report suspected HIPAA violations
Detecting and responding to breaches quickly makes all the difference. Quick response limits the scope and costs associated by breaches. As such, it is important to train employees on how to recognize potential breaches, and how to respond to a breach. All suspected breaches must be reported to your organization’s compliance officer. However, it is required by HIPAA, to give employees the means to report breaches anonymously.
- Train employees
Employees must be aware of how to protect patient information adequately. To accomplish this, it is essential to train all of your employees on all of the above mentioned protections. Additionally, you must train employees annually on your policies and procedures, as well as HIPAA requirements.
When determining how to protect patient information in your organization, it is important to tailor your organization’s policies and procedures to your specific business practices. If you use premade policies and procedures, they may not account for the nuances of your specific business. To best understand how to protect patient information in your workplace, it is best to consult an expert.