Protected Health Information (PHI) is any data that is handled by a health care service provider, whether a Covered Entity (CE) or Business Associate (BA), that relates to the physical or mental health of an individual in some way.
Any US organization that handles PHI is required to comply with HIPAA (Health Insurance Portability and Accountability Act of 1996). Below are some tips to help organizations achieve compliance with HIPAA and ensure that their PHI is secure.
Tips for Protecting PHI
The below list is not completely exhaustive, but it is a good place to start when protecting PHI.
1. Carry out a HIPAA Assessment
Doing so will help organizations understand their current security posture and provide insight into what they can do to improve it. They will also need to carry out regular security audits to monitor the effectiveness of their security strategy.
2. Appoint Privacy and Security Officers
Organizations will need to appoint one or more security personnel to ensure that the organization is following the HIPAA guidelines, and to ensure that staff members are trained to a sufficient level.
3. Sign a BAA (Business Associate Agreement)
Healthcare organizations and any third-parties that have access to PHI will need to sign a BAA (Business Associate Agreement), which states how PHI can be stored, processed and transported.
4. Provide Training on PHI Handling
Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements. All members of the workforce must be trained by a covered entity on the policies and procedures relating to protected health information. Training must be provided to each new workforce member within a reasonable period of time after the person joins the workforce. Training must also be updated if workforce members’ functions are affected by a change in any Privacy Rule policies and procedures.
The Security Rule requires a security awareness and training program to be implemented for all workforce members.
5. Use Two-Factor Authentication
Any cloud-based solutions, such as EMR (Electronic Medical Record) solutions and communication/chat applications, should use 2FA for added security. In addition to a simple username and password, the user will be required to enter a code, provide a fingerprint scan, or anything else which can strengthen the authentication process.
6. Secure Your Physical Assets
While this may seem obvious, some smaller service providers have been known to overlook physical security procedures. Only authorized personnel should be allowed to enter the server room. Use security cameras, alarm systems and electronic door access to protect all physical assets which may contain PHI.
7. Implement a Breach Notification Plan
Should a service provider fall victim to a data breach, HIPAA requires that they notify those who were affected within 60 days. Service providers will need a documented set of procedures to follow in the event of a breach.
8. Restrict access to PHI
Organizations need to ensure that access to the PHI is limited to those who need it. A common method for restricting access to sensitive data is Role-Based Access Control (RBAC), whereby access is restricted based on roles as opposed to individuals.
9. Encrypt PHI Both at Rest and in Transit
Any data stored on portable drives, mobile phones and laptops will need to be encrypted in order to protect the data, should the device fall into the wrong hands. Likewise, PHI sent in emails will need to be encrypted.
10. Keep Antivirus and Antimalware Solutions Updated
It is essential to keep antivirus and antimalware protection up to date. Updates and patches should be applied as a priority to keep networks secure when protecting patient privacy.
11. Securely Dispose of Old Equipment
Any equipment that contains sensitive data will need to be destroyed, and the process will need to be documented.
12. Tighten up Perimeter Security
Ensure that firewalls are well configured. If you don’t have a firewall, you can use a Firewall-as-a-Service or go a step further and implement an Intrusion Detection Prevention System (IPDS).
How Lepide Helps Protect and Secure PHI
The Lepide Data Security Platform helps you detect and respond to threats involving ePHI. The Lepide Solution uses built-in data classification to scan both your on-premise and cloud-based repositories, and classifies the ePHI as it is found. This will make it easier to assign the relevant access permissions to keep it secure. The Lepide Platform uses machine learning techniques to identify anomalous changes to your ePHI, and when discovered, will send real-time alerts to your inbox or mobile app. You can also generate pre-defined reports that are customized to meet the HIPAA compliance requirements, thus enabling you to easily demonstrate your compliance efforts to the relevant authorities.