How we communicate is changing every day, and this includes how patients communicate with their doctors and insurance providers and even how doctors communicate with each other. All this ease of communication can have huge benefits, but when it concerns protected health information (PHI), that information also needs to be carefully protected. Failing to implement proper protocols and processes to protect this information is the cause of many HIPAA breaches, along with the resulting significant fines and even criminal prosecution.
- Email Data Breaches: While internal company communications may be secured, email can easily be redirected out of a company and into an unsecured mailbox. Often, employees will send email to the wrong address, accidentally forward sensitive information, or attach files containing PHI. Use of internal-only messaging systems helps with this, but doesn’t eliminate employee preference for convenient communication methods.
  Businesses should offer employees training on why email containing PHI must be kept secure, on the technologies available to encrypt it and restrict access to it, and on common phishing schemes. An accidentally emailed database or spreadsheet can result in a patient PHI breach that requires notification to, and investigation by, state and federal authorities. In some cases, depending on the breach, those authorities have the power to levy fines or press criminal charges.
- Unsecured Communications: A patient may think nothing of texting their doctor for advice, and while responding that way may be easiest, it’s probably not secure. Many businesses choose to implement secure messaging portals to let patients, doctors, insurance providers, and others communicate. Another option is to look into methods of securing commonly used digital communications. Both options have advantages and disadvantages, but being aware of those and having proper training and security protocols in place are key to avoiding HIPAA breaches.
- Transfer Breaches: Information is often transferred from the office to an outside business associate responsible for storing, shredding, or processing the PHI. These transfers are rife with potential for breaches. From unlocked vans to outdated encryption methods, these business associates are being trusted with PHI but aren’t always taking the appropriate steps to secure it. An up-to-date business associate agreement that clearly spells out the importance and requirements of securing PHI, and of taking steps both to prevent and to report breaches, is key to protecting HIPAA-covered entities.
- Outdated Security Audit: Part of HIPAA compliance for a business is conducting, and keeping up to date, a security audit. This audit looks at how information is used and transferred, identifies potential threats to that information and likely sources of breaches, and then establishes the protocols that help protect it. You should revisit your audit periodically, because moving to a new facility, updating technology, or even routine changes in office processes can render the audit outdated and open new potential for breaches.