The Weak Link in Your HIPAA Compliance Is NOT Your Technology

Posted by John Feucht on Oct 25, 2014 8:23:00 AM

We talk about HIPAA compliance a lot on this blog, and for good reason: it’s a critically important yet often misunderstood issue for small medical practices. While we’ve addressed how to make sure your technology is HIPAA compliant in a number of posts, there’s another aspect of compliance to be addressed.

If your systems are set up correctly, they shouldn’t have a problem keeping within HIPAA guidelines. However, the weak link in your HIPAA compliance is not your technology. It’s how you and your employees are using it.

Educating Your Employees

Having secure IT systems in place is only part of the puzzle when it comes to protecting private patient information. You need to make sure your employees are properly educated and conscious of protecting PHI in their day-to-day office habits. While these may seem “simple,” they’re not things doctors and nurses are typically thinking about 24/7:

  • Use your own login - don't share your passwords. As obvious as this may be, you’d be surprised how common it is for people to let someone use their account “real quick.”
  • Log off your account when you're not using it or when you leave the room. This is especially important if the patient is in the room and you need to leave for a moment.
  • Don't leave patient files open after you are done using them.
  • Position your computer screen away from where others can see it. This is another common noncompliance issue that many doctors overlook.
  • Shred all information with PHI. When you print a chart and are done with it, shred it rather than just throw it away.
  • Don't leave charts where anyone can see them. If you're leaving charts on the door while using clear folders, position them facing the door so that people walking by can’t see the information.

Be Conscious With Communication

Information is often most vulnerable when it’s in transit. Make sure your employees are conscious around their communication of patient information.

  • Don't share PHI via email. Patients will always need to call the office to get their test results. Don't email results unless you are 100% sure the email will be "secure" (encrypted, etc.).
  • When leaving messages for patients, don't state the whole issue. You can't actually give results on an answering machine. Be discreet and use good judgment. Ask the patient to return your call for more information.

Have the Right Systems in Place

For practice or office managers, it’s important to have the proper systems in place to support everyone’s effort to guard PHI. Make sure to:

  • Keep a record of everyone who enters and leaves the building, whether it’s a time clock, visitor sheet, video cameras or a combination of all three. Just have some record of everyone in and out of the office. If there is a security breach, you have a record of everyone in the building, can trace it back to the breach, and can find out whether procedures were correctly followed or not.
  • Make employees aware that when they see these measures not taken, they need to report it, and understand the procedure for how and whom to report it to. It may be the office or practice manager, or a compliance or security officer, depending on the size of your practice. This goes for any potential breaches, even seemingly minor ones such as a patient looking at a computer while in the room, or an employee leaving their computer logged in while they go to the bathroom. While it may sound harsh, protecting PHI is no joke.
  • If employees are allowed to bring their own device, make sure you have a correctly configured mobile device management (MDM) solution. This is software installed on the device that runs invisibly in the background, lets you track when devices leave the network, and provides monitoring and permissions around access to hosted desktops. Your IT provider can set you up with this, but it’s a good idea to make employees aware of the policy around device usage and the protective measures in place.

Remember, your technology is only a part of HIPAA compliance - if your employees are not following these best practices, you're vulnerable to security breaches and violating HIPAA. With good habits and good systems in place, you can easily protect your patients and your practice. For more on the technical side of HIPAA compliance, download our whitepaper on HIPAA Compliance in the Cloud with a Hosted Desktop Solution. 
