5 Policies to Protect ePHI
March 23, 2022

The Cyber-World is scary.
The 2020 Congressional Breach Report showed that there were 656 breaches affecting 500 or more individuals, a 61% increase from 2019, and 66,509 breaches affecting fewer than 500 individuals. In total, these reported breaches affected almost 38 million individuals. 77% of these breaches targeted health-care practices, with the other 23% split among business associates, health plans, and health-care clearinghouses. Those figures can be intimidating, and protecting your patients' privacy may begin to seem like a very expensive task that requires a great deal of technical knowledge.

What should be understood is that creating a secure cyber-environment is never only about having the best software and technical support. There are things every practice can do right now, at no cost and with no IT background needed. Having the right policies in place, along with training on those policies and consistent enforcement of them, is just as essential to the security of your practice as having the right anti-virus. The purpose of this article is to focus on the policies every practice should implement to protect their patients.

  • Create and enforce a good workstation use policy that prohibits employees from using their work computers for personal use. Most cyber-attacks can be traced back to someone clicking through a fake email, opening a suspicious attachment, or visiting an insecure website. Even as the hackers become more and more sophisticated, these deceptive tactics remain their best way into your system. According to a 2020 Statista report, phishing emails accounted for 54% of the reported ransomware attacks.
  • Enforce proper password management. This means no sharing of passwords, changing passwords on a consistent basis, and creating complex passwords rather than ones based on a person’s name or birthday. It is also advised that you do NOT write your passwords on a post-it and stick it on your monitor. Everyone has experienced the frustration of not being able to log into a system, but this policy is essential to protecting your system and your patient info.
  • Always follow HIPAA’s minimum necessary standard. This means ONLY accessing, discussing, or transmitting the absolute minimum amount of patient info that’s needed for treatment.
  • Always do your due diligence and always have a Business Associate Agreement (B.A.A.) in place. Choosing which vendor to work with, whether it’s an IT company, a medical billing company, or a practice management software, is a big decision for a practice and should be treated as such. Do your research and keep an eye out for any red flags, such as a poor web presence or a suspicious history. If a vendor is not willing to sign a business associate agreement, they may not be willing to protect your patient info. Even the biggest organizations have recognized the need for a B.A.A. and have made it easy to find their agreement and keep it on file.
    B.A.A. for Microsoft Office 365
    – Log in to the Microsoft Office 365 Administrator Center > Billing > Subscriptions > Optional Privacy and Security Contractual Supplements.
    – On this page you should see the Office 365 and CRM Online HIPAA/HITECH Business Associate Agreement. Check the box for that agreement, provide your electronic signature, and click Accept.
    B.A.A. for Google Workspace
    – Go to the Security and Privacy Additional Terms within the Administrator Center.
    – Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to review the amendment.
    – Click Review and Accept and answer all three questions to confirm that you are a HIPAA covered entity. To accept the HIPAA B.A.A., click OK.
  • Have an emergency plan in place. The plan should detail who does what at the practice when faced with different worst-case scenarios like a cyber-breach, loss of data, and even a natural disaster. By having the plan ready before something happens, you can maximize your response time and minimize any damage.

The days of offices full of file cabinets stuffed with patient records, and of forms going back and forth through USPS, are over. The use of technology has changed the way patients are treated, and new technologies are constantly becoming more popular. As an example, a recent HHS survey found that 1 in 4 individuals have used telehealth services.

While advances in technology have been a huge benefit for practitioners and patients alike, they’ve also resulted in patient privacy and security being more at risk than ever before. What hasn’t changed is that you care about your patients. By approaching any technology with the same care and attention you give to a patient’s treatment, you will continue to protect them.

Sources:
U.S. Department of Health and Human Services Office for Civil Rights
https://www.hhs.gov/sites/default/files/breach-report-to-congress-2020.pdf
Statista
https://www.statista.com/statistics/700965/leading-cause-of-ransomware-infection/
