This is the second of a set of two tips from Jaime Dupuis, practice consultant for the Regional Extension Center of New Hampshire (RECNH). The first tip covered why it's
important to conduct organizational risk assessments. Here, Jaime details how to establish a culture of PHI security in order to be compliant with the upcoming HIPAA omnibus rule.
Don't fall for the fallacy that a meaningful use certified EHR vendor has created HIPAA compliance for you merely through the certification process.
- Protect mobile devices. This includes, but isn't limited to the following: Use passwords or
other user authentication to access the devices; install and enable data encryption; do not install
(or if they're present, disable) file-sharing applications; secure Wi-Fi networks delivering
protected health information (PHI) to mobile devices and create a guest network for non-employees;
store no patient data on mobile devices if possible; and employ remote-wiping systems in case of
mobile device loss or theft.
- Remember, the omnibus rule states that providers can't send information on a particular patient
procedure back to the patient's health plan if
the patient pays out-of-pocket for that care. Set up a process to honor such requests among
billing and coding staff.
- Control physical access to your facilities, as well as to your PHI. Consider the following
questions: Who handles your backups? Where do they take them? How is data destroyed once paper,
hard drives or thumb drives, and tapes leave your organization's possession? Be sure to monitor and
- Speaking of audit logs, remember that the systems that have been set up to record who's logged
into your EHR and other systems, when they log in, and which data files they access there are
useless unless you review them periodically, take action when discrepancies or potential privacy
violations are found, and document those actions.
- Plan for the unexpected. Have data backup and disaster
contingency plans in place to ensure continuity of access to patient data.
- Establish and foster a culture of PHI security through training, refreshers and reminders to change passwords, update antivirus software, etc. Empower users to deal with breaches the right way by designing a breach reporting process and training employees to understand what is reportable, how to report it, and how investigations will proceed.
Lastly, don't fall for the fallacy that a meaningful use certified EHR vendor has created HIPAA compliance for you merely through the certification process. This fallacy is one that small providers might be tempted to believe.
"I hear [this] a lot: 'My EHR vendor took care of everything I need to do about privacy and security -- I'm on a certified system, isn't that enough?'" said Dupuis, whose RECNH is a division of the Massachusetts eHealth Collaborative. "As you can see, there are things aside from the technical aspects that need to be controlled when looking at privacy and security. There are many parts to this."
This was first published in August 2013