How to Ensure the Privacy of Protected Health Information
The HIPAA Privacy Rule establishes standards for the protection of certain health information. The Rule requires that special precautions be taken to maintain the privacy of Protected Health Information (PHI) throughout the flow of health information. PHI must be protected as it is created, stored, filed, used and shared.
What constitutes PHI? PHI is any health information transmitted or maintained by an entity subject to HIPAA regulations that identifies an individual, or whose contents could reasonably be used to identify an individual. PHI can be written, spoken, or electronic.
1. Maintain the security of your passwords
a. Never share your password.
b. Avoid writing down a password. When you set a new password, you may need to write it down until you have had a chance to memorize it. If you do, take extreme care not to lose the paper, and destroy it once you have learned the password. If you MUST write down your password, never store it near your workstation.
c. Change your password regularly (every 60-90 days).
d. Never store your password in a program or browser.
e. Create passwords that are complex but easy to remember. Passwords should be a minimum of eight characters and contain a combination of letters, numbers and symbols. Passwords should not be based on personally identifiable information such as your name, initials, date of birth or pet's name.
2. Be mindful when faxing or printing
a. When faxing or printing PHI, monitor the machine closely and collect the document as soon as it is produced.
b. Double-check the fax number before sending to make sure it is correct. You do not want PHI to reach an unintended recipient.
c. Notify the recipient ahead of time so they know the document is on its way.
d. Use secure shredder bins to dispose of documents containing PHI or other confidential information. Never recycle documents containing confidential information.
e. Keep PHI out of sight and secure it when not in use to prevent unauthorized access.
3. Use encrypted email when emailing PHI
Never use standard email to communicate PHI. Basic email is not encrypted. Email encryption protects the content of a message from being read by anyone but the intended recipients.
4. Safeguard your mobile devices (smart phone, tablet, etc.)
Always secure your device with a passcode or other user authentication. The effectiveness of data protection depends on a strong passcode, so use one stronger than four digits. Disable access to the notification center and alerts from the lock screen to prevent the display of potentially sensitive data.
5. HIPAA is everyone’s responsibility
If you see something or someone who is putting confidential information at risk, it is your duty to report it. If you don’t know how to report a breach or concern, find out from your supervisor or Human Resources department.
6. Access to PHI is limited to your job description
Curiosity is not an acceptable reason for viewing or using PHI. You are only permitted access to PHI when it is necessary to do your job. You may:
a. Look at a person’s PHI only if you need it to do your job.
b. Use a person’s PHI only if you need it to do your job.
c. Give a person’s PHI to others when it is necessary for them to do their jobs.
d. Talk to others about a person’s PHI only if it is necessary to do your job.
7. Keep your workstation secure
Only engage in work activity on your workstation. This is the safest way to protect PHI. When a computer is compromised by adware, spyware or a virus, it puts the PHI on your workstation at risk AND all the workstations and servers on your network at risk. Games, applications and screen savers are typically a doorway for malware. In addition, do not take it upon yourself to install software on your workstation, even if it is work related. Software downloaded from the Internet can provide a gateway for a breach. Even the most reputable software applications can install toolbars and other unwanted add-ons on your computer.
What can happen when PHI is not safeguarded? For the individual, irresponsible actions in handling PHI can lead to disciplinary actions up to and including termination. Companies can be fined $50,000 per violation, with an annual maximum of $1.5 million.
Comply with HIPAA to Safeguard Protected Health Information
By following these common sense rules, you can ensure that you are handling PHI in accordance with the requirements of HIPAA.