Think your practice is too small for a data breach to occur? Think again. It’s vital to stay on the right side of HIPAA requirements for data security. This isn’t always easy and can cost a
significant amount, but in general, locking down data is less expensive than damage control after a breach.
Breaches of patient information are on the rise—138% from 2012 to 2013, according to breach data reported to the Department of Health and Human Services (HHS). And no system is completely theft-proof. However, there are steps you can take to make your privacy harder to invade. That’s important because many data thieves are opportunists who will bypass difficult targets in search of easier quarry.
- Consider hiring a security expert and conducting a thorough vulnerability assessment. It isn’t cheap, but there are payoffs for practices that consider this an investment.
- Partner with strong IT vendors and services. Is your EHR as theft-proof as possible?
- Encrypt all transmission of electronic private health information, including texts and emails.
- The biggest threat to data security in your office could be your most loyal employees. Train your staff to be vigilant about email and web use, and develop a policy for BYOD (bring your own device). Many patients and employees now use their own mobile devices—everything from smart phones, laptops and tabletsto wearables—in the workplace. BYOD policies must ensure patient data remains secure.
- At the other end of the technology spectrum, paper-based data breaches still account for substantial amounts of data loss. In 2012, for example, there were 50 reports of data loss to HHS involving paper documents, representing information for 386,065 individuals. If your office still has file cabinets full of paper folders, consider scanning then shredding or removal to a secure storage site.
- Many small and midsized medical practices are weighing the pros and cons of purchasing cyber or data breach insurance to mitigate the financial risks of a breach. This might be a good option for your office.
- Lead by example. HHS offers CME-eligible online educational programs that can help physicians understand what’s required to comply with HIPAA privacy and security rules.
If a data breach does occur, inform those affected as soon as possible, and identify the information that has potentially been compromised. Keep in mind you won’t be able to do this if you don’t know what data resides in your practice or what systems are networked.