Top Ten Data Security Best Practices for a Small Pediatric Practice

As a pediatric practice you deal constantly with Personal Health Information (PHI). This data includes:

Name, Address, Phone Number
Social Security Number
Date of Birth
Insurance Information
Medical Records, including test results

This information can be extremely valuable, and therefore a target for hackers. Here are some basic best practices you can implement in order to ensure your PHI remains safe.

Keep Your HIPAA Policy Documents Up-to-Date: HIPAA, or the Health Information Portability and Accountability Act, is a set of policies, procedures and guidelines that include rules around health insurance, medical savings accounts, and other aspects of healthcare. When most people talk about HIPAA, they are talking about the HIPAA Title II sections on privacy, rules around information transactions, and security. HIPAA rules around privacy are not just arbitrary requirements, they are also practical measures you can take to secure the PHI and other data at your practice. Read more about HIPAA and security here.
Perform a Periodic Security Risk Assessment: Your practice is obligated to perform and record an annual Security Risk Assessment. You can use your Security Risk Assessment to inform and update your practice’s HIPAA Security Policy.
Get Social Security Numbers Out Of Your System: One of the best ways to increase data security at your practice is to not store any unnecessary sensitive data. It can be tempting to use Social Security numbers as unique identifiers for patients, but those numbers are a target for identity theft. CMS has already removed SSNs from Medicare cards and replaced them with a Medicare Beneficiary Identifiers (MBI). Maybe you have an old custom field in PCC EHR that you used to store SSNs? Contact PCC for help with removing/re-purposing that field.
Maintain Proper Wireless Network Configuration and Passwords: Your practice uses a wireless network that was set up by PCC or by a third party IT consultant. Networks in your office configured by PCC include both an internal network that can access your PCC server but does not have access to the internet, as well as a staff/guest network that has access to the internet but does not have access to PCC. This “network segmentation” isolates your system from outside attacks. The weakest link in network security is generally the human user. With that in mind:
- Never share your clinical network password with anyone.
- Do not share your staff/guest password with patients. If you want to provide network access to your patients and families, contact PCC.
- If you keep your passwords written down, treat them as sensitive information. Secure them, and do not leave them exposed on paper, post-it notes, etc.
- PCC does not know your password and will never ask you for your password.
Perform Staff Training on Practice-Wide Procedures for Data Protection: Your staff should be trained on HIPAA privacy guidelines and your practice’s HIPAA policies. The Department of Health & Human Services has a summary of the HIPAA guidelines, and healthIT.gov’s Privacy, Security, and HIPAA page has a number of resources including a Security Risk Assessment tool and various training modules.
Make Sure Your Credit Card Processors Are PCI DSS Compliant: The Payment Card Industry Data Security Standard (PCI DSS) is a standard established by the major credit card brands to protect cardholder data. Any business that processes, stores, or transmits credit card information must comply with the standard. You can find more information about PCI DSS compliance, as well as self-assessment tools here.
Encrypt Your Data: Any computer that holds PHI should always have encrypted drives. Your practice’s server already has an encrypted drive, and all data backups, both locally and in the cloud, are also encrypted. Your workstations and laptops may contain PHI (maybe a saved e-mail attachment, or an exported report), and so should be encrypted as well. If one of your practices laptops is lost or stolen, it does not need to be treated as a HIPAA breach if its hard drives are encrypted.
Periodically Review Your User Lists in PCC EHR, Partner, and Other Logins Around Your Practice: Employee turnover is a natural part of running a business. When an employee leaves, you should remove (or change the password for) their logins in PCC EHR, Partner, or any other hardware or software you use in your office. Only people who have a reason to log in to your system should be able to do so.
Review Your Audit Logs in PCC: PCC’s Audit Log gives you granular details about which users are accessing or changing information in PCC EHR. More information is here.
Don't Share User Logins For PCC or Any Other Services: It can be tempting to use the same login or password for multiple services. Never use your PCC login or password for other services or websites.

More detailed information about HIPAA, Security Risk Assessments, and your practice can be found here.

Here are some related articles in Other Pediatric Practice Resources > Other Tools and Resources for Your Practice:

Data Security Best Practices for your Pediatric Practice
Learn best practices for keeping data secure at your pediatric practice. HIPAA guidelines: https://www.hhs.gov/hipaa/for-professionals/training/index.html Privacy and Security from healthIT.gov: https://www.healthit.gov/topic/privacy-security-and-hipaa/health-it-privacy-and-security-resources-providers
Connect to PCC’s Web Conferences and Web Labs
PCC uses the WebEx service to connect you to online training courses and training sessions.
Accounting Challenges
The medical biller's job would be easier if accounts paid on time and insurance companies reimbursed the correct amount. Unfortunately, accounts build up balances and credits and insurance companies overpay, underpay, and demand "takebacks."
PCC Community: The Home of PCCTalk
PCC Community is an online forum and email list for users of PCC's pediatric software. By connecting to PCC Community, you can join discussions about issues facing pediatric practices as well as PCC's software and services.
Read the Pulse: PCC’s Newsfeed
The Pulse is a source of news and information for PCC clients. We use The Pulse to share information about our upcoming software releases, trainings, conferences, events and web labs, as well as pediatric news and industry information.
AAP Resources: Pediatric Coding Newsletter, Red Book, and More
PCC offers our clients access to a number of resources from the AAP, including the Pediatric Coding Newsletter and the AAP Red Book.
Practice Vitals Dashboard Video Overview
A brief overview of the features available in the Practice Vitals Dashboard
Ask PCC For a Software Feature or Enhancement
PCC uses your requests and comments to help decide which features and services to develop. We depend on your feedback; we can't make software without you. Read this article to learn the best way to submit a feature enhancement request or defect.
Bright Futures in PCC
Bright Futures is a national health promotion and prevention initiative led by the American Academy of Pediatrics. PCC provides Bright Futures chart note protocols, periodicity schedules, handouts, and more to all PCC practices.
Best Practices For Sending Messages to Patients and Families
This article provides best practices and other recommendations to help you engage with your patients and improve care through communication. PCC recommends that pediatric practices follow communication best practices and abide by guidelines, even when not strictly required by law. Additionally, PCC recommends you include an explicit “consent to contact” in your practice policies.
Get Started with PCC Community and PCCTalk
Watch this video to learn how to sign up for and use PCC Community and PCCTalk. Sign Up: https://www.pcc.com/talk Sign In: https://community.pcc.com Learn More: https://learn.pcc.com/help/pcctalk/
Moving Your Practice to a New Location
So your practice is moving. Maybe you have outgrown your current space, or want to move to a more affordable location, or your lease is up, or you want to buy a building as an investment? Moving can be complicated. There are many moving pieces, and PCC is eager to make your move successful, with as little interruption to routine and as few surprises as possible.
Read Your PCC Email with Roundcube
You can access your PCC-provided email services with Roundcube, a Web-based email program. This manual contains an introduction to Roundcube, along with a guide for setting up two-factor authentication (2FA) for your PCC email using the Authy app.
Connect to Your PCC System from Home
This video will show you how to connect to your PCC system from home with SecureConnect.
Send Chat Messages to Colleagues
PCC EHR includes a chat/instant messaging tool that lets you chat and send messages to other PCC EHR users.
Why and How Pediatric Practices Should Launch a Recall Initiative Today
Contents1 Why Should My Practice Increase Patient Recall Efforts Now?2 Inform Patients of Your Practice’s New Safety Measures3 Adjust Visit Workflow4 Clean Up Your Practice’s Patient List Before You Do a Large Recall5 Perform Recalls For Specific Patients and Needs6 How to Code and Bill For These Visits7 Create a Library of Resources and Links […]
Send Chat Messages to Colleagues
PCC EHR's Chat allows you to message colleagues quickly without having to install and log in to a separate tool.
Run a Pediatric Drive-Up Flu or COVID-19 Shot Clinic
Your practice can perform a flu shot clinic while also meeting your enhanced COVID-19 safety protocols. PCC has worked with several practices who are running “drive through” or “curb side” flu clinics. In addition to providing your families and communities with a vital service (flu vaccines!), by running a drive through flu shot clinic, you can prepare your practice for participation in upcoming mass vaccinations coming for COVID-19.
Video: Group Chat Messages in PCC EHR
An overview of the group chat features in PCC EHR's chat tool.
Provide Good Faith Estimates for Pediatric Encounters
If a family does not have insurance, or the family won’t be using insurance for an encounter, then a pediatric practices needs to provide a “Good Faith Estimate” for the cost of care when an encounter is scheduled more than 3 days in advance.
Install and Set Up the Authy App
Contents1 Install the Authy App1.1 On iPhone1.2 On Android2 Register Your Device3 Set Up Notifications and One-Touch Approval3.1 On Your Phone3.2 On Your Apple Watch4 Access Your Authy Account on a New Device5 Helpful Authy Links The Authy app turns your smartphone into a secure password generator for taking certain actions on your PCC system. […]
Review Chat Logs in PCC EHR
The Chat Message Log records your saff’s usage of PCC EHR’s Chat messages, so you can review communication between your team members and investigate policy violations. Owing to PCC EHR’s chat potentially containing sensitive information, the Chat Log report is a separate permission from the Audit Log in PCC’s User Administration tool. To access the […]

Related Articles