Keeping data secure is an involved process for any business today. Electronic devices and internet-facing servers are now the main places data is stored, so physical safeguards alone are insufficient. This applies to medical records and health information as well. Protected health information (PHI) is governed by HIPAA, and businesses should do everything possible to prevent a PHI breach.
According to HIPAA, a PHI breach is the “acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.” This can be anything from a system being hacked and information leaked to an authorized employee emailing private medical records to an unauthorized party for any reason.
PHI is strictly protected by HIPAA and must be handled with care by the businesses authorized to handle it, including health care providers, insurance companies, clearinghouses, and government health care entities.
PHI covers several categories of information, including:
This information is all protected as PHI under HIPAA.
Certain circumstances mean an incident is not considered a HIPAA breach in the first place. For example, if an employee handles PHI insecurely by accident, in good faith and believing they are doing the right thing, the result may not be an official PHI breach.
Another exception is when the recipient of private information is unable to retain it. For example, if a letter is sent to the wrong person but is returned to the sender unopened, the business or party at fault may be in the clear. Finally, if one authorized staff member in a hospital or business accidentally sends irrelevant PHI to another authorized staff member, no breach is considered to have occurred as long as the recipient handles it properly (for example, by deleting it and not forwarding it to anyone else).
A big part of avoiding the consequences of a breach of PHI is simply preventing one in the first place. Here are a few important safety measures you should take to make sure information is secure and handled correctly.
If you are a healthcare provider or any other business that works with PHI, you must train your team to handle that information safely. If anyone fails to take this responsibility seriously, information can be leaked. This applies to both medical and administrative staff.
Having an official information security policy keeps things organized and lowers your business’s liability if something does happen. The policy needs to be reviewed and updated periodically, and each update should be communicated to your team. HIPAA requirements and other best practices should inform your approach.
For physical records, filing cabinets should be kept locked, and keys should be tracked so that only the right people can access them. While it may not seem like a big help, a clearly defined system for the keys to rooms, cabinets, and other storage areas lets you keep track of who has access, especially when there is staff turnover or a key goes missing.
Encryption is essential for digital data, which is increasingly the default form of stored information. Make sure that all your servers, hard drives, and other digital platforms are encrypted, so that anyone without the right passwords and permissions cannot read the data. Your IT team can help you streamline your digital security and provide the right training to staff.
Another simple but essential measure is securing your internet connection and Wi-Fi network. Doing so blocks potential cybersecurity threats and reduces the chance of a PHI breach.
In the unfortunate event that a PHI breach does occur, you must take the right steps as outlined by HIPAA law. Here is what needs to happen:
To determine whether a breach must be reported, you must first establish whether the PHI was “unsecured,” because only breaches of unsecured data must be reported. Unsecured data is any digital PHI that is not encrypted and any physical PHI that has not been destroyed. Next, you must determine whether the incident falls under any of the exceptions listed above. If it does not qualify as a legitimate exception, it must be reported.
When you need to report a breach, you must notify the individual(s) whose information was compromised and the U.S. Department of Health and Human Services (HHS). The employees involved must tell their organization within 60 days, and the organization must report the breach to both the affected individual(s) and HHS within 60 days of discovery. If the breach involves the PHI of 500 or more people, the organization must also report it to local media within 60 days of discovery. The organization must also retain documentation of all of this for six years.
Taking these steps right after a breach will help protect your business from severe consequences and demonstrate to your clients, patients, and staff that the situation and PHI are being taken seriously.
Businesses that handle PHI need to prepare well to avoid a breach. Start by crafting and implementing specific policies for your business and team that equip them to handle information safely and securely. Contact Compyl today to learn about our privacy and security solutions.