As a pediatric practice you deal constantly with Personal Health Information (PHI). This data includes:
- Name, Address, Phone Number
- Social Security Number
- Date of Birth
- Insurance Information
- Medical Records, including test results
This information can be extremely valuable, and therefore a target for hackers. Here are some basic best practices you can implement in order to ensure your PHI remains safe.
Keep Your HIPAA Policy Documents Up-to-Date: HIPAA, or the Health Information Portability and Accountability Act, is a set of policies, procedures and guidelines that include rules around health insurance, medical savings accounts, and other aspects of healthcare. When most people talk about HIPAA, they are talking about the HIPAA Title II sections on privacy, rules around information transactions, and security. HIPAA rules around privacy are not just arbitrary requirements, they are also practical measures you can take to secure the PHI and other data at your practice. Read more about HIPAA and security here.
Perform a Periodic Security Risk Assessment: Your practice is obligated to perform and record an annual Security Risk Assessment. You can use your Security Risk Assessment to inform and update your practice’s HIPAA Security Policy.
Get Social Security Numbers Out Of Your System: One of the best ways to increase data security at your practice is to not store any unnecessary sensitive data. It can be tempting to use Social Security numbers as unique identifiers for patients, but those numbers are a target for identity theft. CMS has already removed SSNs from Medicare cards and replaced them with a Medicare Beneficiary Identifiers (MBI). It’s possible that until this change propagates out to all agencies and payers you may still need to use your patients’ SSNs, but if you don’t, you should remove them from your system. Maybe you have a custom field in PCC EHR that you use to store SSNs? Contact PCC for help with removing/re-purposing that field.
Maintain Proper Wireless Network Configuration and Passwords: Your practice uses a wireless network that was set up by PCC or by a third party IT consultant. Networks in your office configured by PCC include both an internal network that can access your PCC server but does not have access to the internet, as well as a staff/guest network that has access to the internet but does not have access to PCC. This “network segmentation” isolates your system from outside attacks. The weakest link in network security is generally the human user. With that in mind:
- Never share your clinical network password with anyone.
- Do not share your staff/guest password with patients. If you want to provide network access to your patients and families, contact PCC.
- If you keep your passwords written down, treat them as sensitive information. Secure them, and do not leave them exposed on paper, post-it notes, etc.
- PCC does not know your password and will never ask you for your password.
Perform Staff Training on Practice-Wide Procedures for Data Protection: Your staff should be trained on HIPAA privacy guidelines and your practice’s HIPAA policies. The Department of Health & Human Services has a summary of the HIPAA guidelines, and healthIT.gov’s Privacy, Security, and HIPAA page has a number of resources including a Security Risk Assessment tool and various training modules.
Make Sure Your Credit Card Processors Are PCI DSS Compliant: The Payment Card Industry Data Security Standard (PCI DSS) is a standard established by the major credit card brands to protect cardholder data. Any business that processes, stores, or transmits credit card information must comply with the standard. You can find more information about PCI DSS compliance, as well as self-assessment tools here.
Encrypt Your Data: Any computer that holds PHI should always have encrypted drives. Your practice’s server already has an encrypted drive, and all data backups, both locally and in the cloud, are also encrypted. Your workstations and laptops may contain PHI (maybe a saved e-mail attachment, or an exported report), and so should be encrypted as well. If one of your practices laptops is lost or stolen, it does not need to be treated as a HIPAA breach if its hard drives are encrypted.
Periodically Review Your User Lists in PCC EHR, Partner, and Other Logins Around Your Practice: Employee turnover is a natural part of running a business. When an employee leaves, you should remove (or change the password for) their logins in PCC EHR, Partner, or any other hardware or software you use in your office. Only people who have a reason to log in to your system should be able to do so.
Review Your Audit Logs in PCC: PCC’s Audit Log gives you granular details about which users are accessing or changing information in PCC EHR. More information is here.
Don't Share User Logins For PCC or Any Other Services: It can be tempting to use the same login or password for multiple services. Never use your PCC login or password for other services or websites.
More detailed information about HIPAA, Security Risk Assessments, and your practice can be found here.