Protecting patient privacy continues to get more complicated as communication evolves and cyber attacks increase. What can physicians do to keep up and be compliant with the Health Insurance Portability and Accountability Act (HIPAA)?
A recent interview with Michael J Sacopulos, JD highlights some of the greatest threats for physicians in the digital age and ways a practice can circumvent them.
1. Train all staff members on cybersecurity
As is the case with many aspects of life, human error is a major risk. Phishing emails and clicking unknown links open the door for hackers to install malware on a practice’s computers and gain patient data. Anyone working in a physician’s office should be trained on recognizing scams and suspicious emails.
2. View patient information privately
If you or an employee are working remotely, avoid using free Wi-Fi networks such as those in a coffee shop, airport or library. Those unsecure connections are easier to hack and passersby can easily view your computer screen.
It is best to use dedicated work spaces such as a home office that can be locked and secured with filing cabinets for hard copies, on a password-protected computer dedicated for work use. Take patient-related phone calls in a private space – even away from family members.
3. Use proper software
Privacy is possible with good firewalls with proper encryption for patient portals and other methods of communication, but routine updates must take place. Follow all manufacturer recommendations for software updates, as old software is vulnerable to cyber attacks. The government considers non-supported software as a per se violation.
4. Limit the scope of patient record access
Physicians may want to regularly consider who on staff needs access to patients’ electronic health records (EHRs) and, if they aren’t involved with a given patient’s care, prevent them from accessing those records. Deactivate email accounts and passwords for former employees immediately and have a policy in place for employee’s use of social media and email access.
5. Review your cell phone’s security
If you or an employee are using a cell phone for work-related needs, be sure it’s password protected so the information remains secure if the phone is lost or stolen. Any texts between physicians or physicians and patients should be entered into the chart to ensure continuity of care.
6. Hire an IT professional
Small businesses benefit with having a dedicated employee for IT-related business needs, and a practice can similarly benefit. These professionals can conduct risk analyses, provide advice, offer employee training, activate and deactivate staff email accounts, and more.
Many of the cybersecurity concerns we have today were not foreseeable when HIPAA passed in 2009. However, while keeping up may feel daunting, it is essential to a modern practice.