Network Protection

How to keep patient information confidential in the digital age

Medical practices across the nation are increasingly using digital tools to track patient health records, communicate with patients and collaborate across clinical specialties. But with the rewards of convenience and efficiency come the threats of potentially compromising patients’ privacy and exposing sensitive data to hackers or identity thieves.

Digitization is a fast-growing trend. About 30% of physicians have already implemented Electronic Health Records (EHRs), and 14% plan to implement an EHR system in the next three years, according to “The Future of Health Care,” a national survey of more than 5,000 physicians conducted by The Doctors Company. When making such a shift, healthcare providers must take pains to ensure their data is safe.

“Make a real commitment to implement security controls, not because it’s a requirement, but instead because it’s the right thing to do,” says Jeff VanSickel, compliance practice lead at SystemExperts Corporation, a network security consulting firm based in Sudbury, Massachusetts. “Too many companies will go through the process of implementing the minimum controls required by law. This philosophy will almost always result in a flawed approach and incomplete protection.”

HIPAA Security Rules are designed to safeguard electronic patient information while permitting access to the people who need it for treatment, payment and healthcare operations.

The HIPAA security requirements fall into three principal areas: administrative safeguards, physical safeguards and technical safeguards.

Administrative safeguards include the processes and responsibilities associated with computer network security management. Sticking to what you do best can be a judicious decision when it comes to administrative safeguards. Scot Glasberg, MD, vice president of advocacy and health policy for the American Society of Plastic Surgeons (ASPS), suggests using a professional who is familiar with HIPAA compliance to set up security within a computer network.

“We’d be kidding ourselves as physicians if we thought we knew the nuances of setting up a computer network and understanding the ways of security breaches,” he says. “It’s worth the money to hire an appropriately trained person to set up a computer network for you.”

Many people bill themselves as experts in the field of information security, so it’s important to ask for references to make sure their clients have had good experiences. You also want to do business with someone who is familiar with the healthcare industry and is aware of the potential exposures you face. If you’re not sure how to find a network security expert in your area, start by asking for a referral from a colleague or through a trade organization.

Caution should be exercised in internal decisions such as granting manufacturers access to patient databases (usually for co-op marketing purposes). Practices should be very careful when releasing Protected Health Information (PHI), particularly entire databases, says Peter MacKoul, senior HIPAA privacy consultant with HIPAA Solutions, based in Sugar Land, Texas.

“Practices need to have clear and accurate policies related to marketing activity and should act with extreme caution,” he advises.

The Health Information Technology for Economic and Clinical Health Act (HITECH), signed into law by President Obama in 2009, narrowed the HIPAA exceptions to the definition of marketing communications. The HITECH Act requires practices to create a “business associate agreement” with their vendors that includes provisions to safeguard PHI.

To avoid compromising a patient’s personal information, it is imperative to enforce any controls that have been put in place as part of your administrative safeguards. As Ken Hughes, senior network and HIPAA security consultant with HIPAA Solutions, points out, failing to properly implement controls creates fertile ground for security breaches. “Simply having controls is not adequate if they are not properly implemented and followed. This includes documenting actions taken to address compliance.”

Physical safeguards are the measures, policies and procedures enacted to protect electronic information systems, buildings and equipment. Laptops containing PHI should be secured with encryption, device tracking and data-wiping software. Such protections ensure that only the person authorized to use the laptop can access it, and if it is lost or stolen, the software can wipe the data remotely. Portable devices such as iPhones, iPads and BlackBerry devices holding confidential patient information should also have encryption and data-wiping software.

A number of PHI breaches have occurred when desktop computers were stolen and the data was stored on the C: drive or the desktop. All PHI should be saved on a network drive, never on the C: drive or the desktop of any computer.