Protecting Patient Data: the Right Way and the Wrong Way!

Medical institutions are under intense pressure to ensure that electronic health records and protected health information remain safeguarded to the highest data integrity standards on behalf of their patients. However, when it comes to protecting a patient’s health record, there is a “right way” and a “wrong way.” Join us as we untangle the fundamental requirements for securing health data that patients expect and legislative protections demand.

All healthcare providers that operate in the United States have an obligation to protect patient records, including all electronic medical records (EMRs), electronic health records (EHRs), and any other sensitive healthcare data. Healthcare practices are also required by law to take steps to ensure the organization is in compliance with the rules and regulations of HIPAA. This will defend against the hefty fines and help prevent the violation of patient trust in your organization.

We will draw a comparison between two different strategies that can have different outcomes, either beneficial or detrimental, to healthcare.

The Wrong Way

HIPAA compliance is a difficult status to achieve, especially if your healthcare organization is just starting out on this journey. HIPAA has been around since 1996, and healthcare professionals understand the need for compliance. Practices that are doing things the “wrong way” will rarely willfully neglect patient data; instead, genuine mistakes are made because they lack the knowledge of the required HIPAA safeguards or they fail to research the best HIPAA compliant partners, such as their HIPAA compliant hosting company.

It is not unheard of for healthcare practices to cut corners to save money, but as you can see from the HIPAA Wall of Shame, the OCR is quite willing to hand out fines for neglectful practices. Here are some telltale signs that your practice may be protecting patient data the wrong way:

• Paper Patient Records: Maintaining paper records on patients does not automatically breach HIPAA; however, it introduces a wide scope of unnecessary risk. Physical copies are harder to shield, papers are easily lost, results can be conveniently changed, and there are sometimes questions about their accuracy.
• Limited IT Security: In-house IT systems are more likely to have weak or nonexistent security, especially if managed by an inexperienced team. Our engineers frequently hear the excuse “That’s how we have always done it.”
• Choosing Low-Budget Hosting: Some healthcare practices want to save dollars by outsourcing to cheap hosting with basic or limited security. The basic safeguards of HIPAA compliance, such as encryption, are ignored in favor of a cheaper expenditure.
• Partnering with Organizations that Falsely Claim HIPAA Compliance: This is surprisingly more common than you may think. Some of the red flags here are providers that refuse to sign a business associate agreement, have no reliable backup strategy, and disaster recovery either doesn’t work or is nonexistent.

Doing It the Right Way

Doing HIPAA-Compliance the right way is hard, but it’s critical that all forms of electronic protected health information (ePHI) meet the standards of the five HIPAA rules:

• Transactions and Code Sets Rules
• Unique Identifiers Rule
• The Security Rule
• The Privacy Rule
• Enforcement Rule (Final Omnibus Rule)

Each rule has various physical, technical, and administrative safeguards that are required to meet compliance. You can read more about these rules on our detailed HIPAA checklist.

To follow HIPAA the right way, there are several required standards that your hosting provider must meet. Does your provider meet and exceed all of these standards? Or is it time to switch to a provider that can? Ask yourself these questions:

• Encryption to NIST Standards: Are all external network traffic interfaces encrypted? Is traffic routed over a secure VPN tunnel between sites? Are all endpoints encrypted, servers, laptops, and cell phones? Is there a HIPAA-Compliant Firewall installed? Does you provider feature an Intrusion Prevention System (IPS)?
• Identify ePHI: Do you know where all in-scope ePHI is located? Is it protected from unauthorized changes or accidental deletion?
• Access Controls: Does every user have a unique username and passworded account protected by MFA? Does the business follow the principle of least privilege?
• Audit: Can your logs identify user access facts or if ePHI data is changed?
• Automatic Logoff: Are users automatically logged out of IT systems?
• Data Center Access: Can your host provider give details of all access made to the data center? Is the data center monitored 24x7x365? Does it have CCTV and manned security?
• Workstation Policies: Can your hosting provider restrict workstation access to PHI?
• Cell Phones: If a business mobile is stolen, are you able to delete the data remotely?
• Tracking Equipment: Do you have an inventory of all HIPAA infrastructure?
• Risk Assessment: Can your provider assist with a risk assessment for all of your data?
• Risk Management: How does your hosting provider manage security incidents related to HIPAA?
• Training: Can your provider help train the workforce? Can employees identify phishing, hacking, and deception techniques?
• Disaster Recovery: Does the hosting provider offer DR as a service? Is DR tested regularly?
• Business Continuity: What is your provider’s contingency plan in the event of a disaster?

Now that you have seen both options, the choice is yours. If you choose the cheap route, be prepared for the increased possibility of a hefty fine in the event of a breach or an unexpected audit. Or choose to outsource to a HIPAA-audited hosting company like Atlantic.Net – we stand ready to assist you with HIPAA WordPress hosting, HIPAA database hosting, HIPAA compliant applications, and more!