How to Protect Patient Health Information in The Workplace Instantly


If you Googled “How to protect patient health information,” the results that come up aren’t that helpful, especially if you aren’t tech-savvy. Maybe you’re great with technology. However, if this is your first time figuring out easy ways to protect your healthcare organization’s data, this Google search isn’t going to help you.

Since the majority of healthcare organizations operate in a paperless office, their patients’ information exists within an electronic health records (EHR) system. In theory, EHRs are great because they organize data and make everything portable. In reality, their poor user experience leads to burnout, but I digress.


The point I’m trying to make is that modern-day healthcare is a digital landscape. As a result, the results from the Google search I mentioned in the first sentence end up being technical. In other words, you probably won’t understand them unless you work in cybersecurity or IT.

Yet, not every good practice for protecting patient health information in the workplace is technical. There are simple processes, policies and physical items you could implement in your office that would have an instant, positive impact on your compliance environment.


Implement Entertaining Annual Training Sessions

If you follow HIPAA compliance, you know that it’s recommended to give your employees training on its requirements in some capacity.

The specific rule within this law leaves room for ambiguity as to how often to hold training sessions. Most experts recommend that you hold them annually.

Yet, there’s a big difference between holding annual training sessions and hosting an engaging learning event.


Studies show that linking personal relevance and emotional engagement boosts memory storage. Thus, turning a training exercise into a series of fun games boosts your compliance while building camaraderie.

Implement a Clean Desk Policy

No matter how paperless your organization is, printing out information won’t disappear entirely. Further, some employees are so set in their ways that they’d rather have the information they’re working with in a physical format.

It’s not reasonable to ban printing at your organization. Your patients might need helpful information, like their prescription plan, printed out for them. Instead, the only real option you have is to implement a policy that doesn’t allow your employees to leave any printed material unattended.

In 2014, Parkview Health System and the Department of Health and Human Services (HHS) settled for an $800,000 fine over an incident involving unattended paper medical records. The health system sent around 8,000 paper medical records to the house of a retiring physician. Although the physician was authorized to have the medical records in his or her possession, they weren’t home at the time of delivery. The breach occurred when the delivery individuals left the records on the physician’s driveway anyway.


Yes, the example above seems like an extreme circumstance. Yet, it’s still pertinent to the point I’m trying to make.

But, let’s look at it from an internal office level. Maybe your employees aren’t printing out any patient health information, meaning your organization doesn’t have to implement a clean desk policy, right? Wrong.

There’s still a chance that your employees may use removable storage such as USB sticks or external hard drives to transport data back and forth. Depending on your internet speed, physical media is sometimes faster than transferring through the cloud. If those devices aren’t encrypted and one of your employees leaves them on their desk, it’s no different than if they left paper unattended.

Keep Software Updated

You likely use many software programs that help make your day-to-day easier. Most of that software requires updates from time to time. Yet, if you’re like the majority of people, updating software regularly takes time that you don’t have, especially if you’re a healthcare professional.

However, not updating the software you use on a regular basis could lead to massive exposures of the patient health information you’re in charge of protecting. 60% of all breaches in 2019 happened as a result of unpatched vulnerabilities.


It’s not hard to update programs; it just takes a little bit of time depending on the speed of your computer and internet connection. But the time you spend updating protects your patients and your organization.

Back-Up Your Data

This is something you’ve either already heard of from cybersecurity experts or you used to do back before cloud computing existed. Back then, backing up your data meant purchasing a ton of external hard drives and requiring your employees to upload their work onto them at the end of the day.

If this is still the process you use at your practice to back up your data, that’s OK. But, as I mentioned in an earlier section, if the external drives you assign to your employees aren’t encrypted, you’re putting your patients’ health information at risk.

Many modern healthcare practices don’t have to worry about backing up their data as much because their EHR systems already do so through cloud computing. However, that doesn’t mean they’re operating without any risk.

It’s a requirement that you back up any and all patient health information that you deal with as a healthcare organization. If you have a cloud-based EHR system, you shouldn’t assume that your IT department enabled backup processes.


The Family Medicine Residency of Idaho (FMRI) handled over 46,000 outpatient visits per year as a two-clinic organization. The healthcare professionals of the practice told their IT director that they needed partial backups implemented every night. They operated under the assumption that their IT director had heard the instruction and enabled the necessary backup processes.

Four months later, FMRI suffered a power outage in their area at around 2 AM. This incident had a massive, negative impact on FMRI. It rendered all of their data unreadable, and their backup protocols had never been put in place. Thus, their closest rollback date was 4 months prior. They lost roughly 12,000 patient visits’ worth of information.

FMRI’s scenario serves as a great example to prove the importance of backing up your data regularly.

Implement Access Controls

Do you know who’s coming in and out of your building on a given day? Sure, you likely have a sign-in sheet for visitors and maybe even your patients in your waiting room. But, are you keeping track of employees coming into the secure side of your office?

All that’s required to do so is to install access control card readers at doors. Once installed, give each team member a keycard that allows them to enter. These systems automatically log entry activity at your physical location.

Furthermore, if one of your employees loses their keycard or it gets stolen, you can deactivate the card to ensure that the person who stole the card can’t get into the sensitive part of your building.


Access controls extend beyond physical entryways. This section also deals with establishing user access within your systems. You probably have an awesome, trustworthy workforce. However, they still shouldn’t all have unrestricted access within your systems. If you give your entire team free-range access over your organization’s systems, you’re bound to face a breach sooner rather than later.

According to compliance experts, limiting access to sensitive information to those who need it is an effective preventative measure to ward off the threats of a data breach.

Communicate on a Need-to-Know Basis

I know what you’re thinking: the title of this section makes it sound like you’re working as a spy for a top-secret wing of the government.

If you think about it, though, don’t the protocols I’ve mentioned throughout this blog post closely align with those that government agencies have in place? If not, they definitely fit with how television shows depict these agencies.

The point I’m trying to make is that a need-to-know atmosphere is an easy, yet vital part of your effort towards protecting patient health information. Your staff needs to understand that they can’t ever discuss a patient among themselves, their friends, or their family. When they do give out information to a patient or their family member, they need to be sure of whom they’re speaking to.


Getting a patient’s permission is key. Even if a family member is visiting the patient and asking your staff questions, you need to make sure that your team member understands to obtain permission from the patient, and that the granting of that permission has a witness. If the patient can’t communicate directly, then the permission falls to their attorney or next of kin.

These tiny details matter so much when it comes to protecting health information. Otherwise, you might face a breach due to employee gossip.

Establish Cybersecurity Protocols

You could implement everything I’ve listed within this blog post and more yet still experience a breach. That’s the unfortunate reality we face as modern-day healthcare organizations.

79% of all breaches that happen occur within the medical space.

What you’re establishing for your compliance environment isn’t wasted effort, even if you do end up falling victim to a breach. The HHS doles out penalties based on what safeguards, processes and policies you have in place for prevention. It also looks at what you do after the security event occurred.


As a result, you also need to implement protocols that kick off when a breach happens at your organization. The process should include steps taken by upper management, IT and your marketing/PR team.

Having a process in place ensures that you’re prepared. It also helps your patients feel more confident in you before, during and after any problems arise.

Conclusion

Protecting patient health information is a big responsibility that’s placed on you as a healthcare organization. It doesn’t matter whether you’re in the workplace itself or doing your duties remotely for the day. You have to ensure that the data you’re working with stays protected.

There are thousands of blog posts out there that talk about all of the different recommendations for making your compliance environment more protected. However, they’re filled with jargon and some of their tips could cost you hundreds of thousands of dollars to implement.

Yet, not everything you can put in place at your practice has to cost you much and/or take months to install. There are simple, fast and easy methods you could put in place today that would protect your data long-term. So, what are you waiting for?