Medicare Compliance & Reimbursement

Clip And Save:

Make These 7 Tips Part of Your Disaster IT Protocols

Hint: Store your back-ups at an offsite location for added protection.

This hurricane season has been one for the record books, and many Medicare providers have been working overtime to assist patients through the chaos, despite downed systems and destroyed offices. Plan ahead now for the next big disaster — smart and detailed preparation ensures less of a headache later.

The protection of protected health information (PHI) and electronic protected health information (ePHI) falls under HIPAA, ensuring that patients’ privacy and security aren’t compromised. But it’s more than that because “the availability and integrity of such data is what allows healthcare providers to make educated decisions on patients’ behalf,” cautions Brand Barney, HCISPP, CISSP, QSA, security analyst with Security Metrics in Orem, Utah.

“In all honesty, most providers I know get overly anxious when the power is down for even a few minutes and they don’t have access to their charts. So, when you are juggling HIPAA requirements, hackers, and security issues during and after an emergency, the arising situations can seem insurmountable,” explains Barney.

Take a look at these seven tips from Barney on what to do before a catastrophe strikes:

Tip 1: Encrypt, encrypt, encrypt. “If you do have a breach in your networks, or if a device containing PHI is stolen, proper encryption can be a lifesaver,” Barney points out. “If your data is properly encrypted using industry-accepted encryption strengths, you don’t have a breach. And it’s also a requirement for HIPAA.”

Tip 2: Train and retain. “Your staff are your greatest asset, but can also be your biggest weakness,” he maintains. “Security awareness training doesn’t have to be a once-a-year event, or happen only when there’s a new hire. Make sure your staff understand that they must reasonably and appropriately restrict access to only those persons/entities with a need for access to PHI and systems.”

Tip 3: Back IT up. Don’t get stuck in an emergency situation. “Backing up your data and storing your backups in a safe, offsite location is essential,” advises Barney. “Keep exact, retrievable copies of PHI for emergencies. This will allow for continuation of critical business processes. Remember, don’t forget to encrypt those backups.”

Tip 4: Revise and revisit policies often. “We often think of the [HIPAA] Privacy Rule as the only thing that has policies, but Security and Breach are equally important,” he points out. “If you don’t have these policies and subsequent procedures in place, it is time to get them.”

Tip 5: Know your risks. Risk assessment, analysis, planning, and management are required under HIPAA, so you are obligated to identify and study your threats and vulnerabilities. “You will be able to make educated decisions to improve your security and prevent data breaches,” says Barney. “It is important to note that there is no such thing as a network in-scope environment without risk.”

Tip 6: Control your physical devices appropriately. “Make sure that you have an up-to-date list of all devices that create, receive, transmit, and maintain PHI,” Barney recommends. “This will help you keep track of devices and know if/when something has been replaced, tampered with, or stolen.” He adds, “Your devices should be periodically inspected to ensure that tampering or device replacement has not occurred.”
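One way to turn the device list from Tip 6 into a periodic check, as an added example that is not part of the article or Barney's material: the baseline inventory and the inspection results below are constructed, and the asset tags, serial numbers and MAC addresses are made up.

```python
"""Reconcile a baseline inventory of PHI devices against a periodic inspection.

Assumes both lists are kept as JSON records keyed by asset tag, each carrying the
serial number, MAC address and location recorded for that device.
"""
import json

# Constructed baseline: the "up-to-date list" of devices that handle PHI.
BASELINE_JSON = """[
 {"asset": "WS-001", "serial": "SN1001", "mac": "00:11:22:33:44:01", "location": "Exam 1"},
 {"asset": "WS-002", "serial": "SN1002", "mac": "00:11:22:33:44:02", "location": "Exam 2"},
 {"asset": "LT-010", "serial": "SN2010", "mac": "00:11:22:33:44:10", "location": "Front desk"},
 {"asset": "NAS-01", "serial": "SN3001", "mac": "00:11:22:33:44:31", "location": "Server closet"}
]"""

# Constructed result of a walk-through inspection some weeks later.
INSPECTION_JSON = """[
 {"asset": "WS-001", "serial": "SN1001", "mac": "00:11:22:33:44:01", "location": "Exam 1"},
 {"asset": "WS-002", "serial": "SN9999", "mac": "00:11:22:33:44:02", "location": "Exam 2"},
 {"asset": "NAS-01", "serial": "SN3001", "mac": "00:11:22:33:44:31", "location": "Server closet"},
 {"asset": "WS-003", "serial": "SN1003", "mac": "00:11:22:33:44:03", "location": "Exam 3"}
]"""


def load(text):
    """Parse a JSON device list into a dict keyed by asset tag."""
    return {d["asset"]: d for d in json.loads(text)}


def reconcile(baseline, inspection):
    """Compare inventory snapshots and return three kinds of findings:
    missing  - tagged in the baseline but not seen (possible loss or theft),
    unknown  - seen but never registered (unapproved or replacement device),
    changed  - same tag but a different serial, MAC or location, which is the
               signature of a swapped or tampered device."""
    findings = {"missing": [], "unknown": [], "changed": []}
    findings["missing"] = sorted(baseline.keys() - inspection.keys())
    findings["unknown"] = sorted(inspection.keys() - baseline.keys())
    for tag in sorted(baseline.keys() & inspection.keys()):
        diffs = {f: (baseline[tag].get(f), inspection[tag].get(f))
                 for f in ("serial", "mac", "location")
                 if baseline[tag].get(f) != inspection[tag].get(f)}
        if diffs:
            findings["changed"].append((tag, diffs))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(load(BASELINE_JSON), load(INSPECTION_JSON)).items():
        for item in items:
            print(f"{kind.upper()}: {item}")
```

Each finding is a lead for the follow-up the tip calls for: a missing tag triggers the lost-or-stolen device procedure, and a changed serial under an existing tag is the case to inspect for replacement or tampering.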

Tip 7: Consider cloud redundancy. “Putting your data and trust in a cloud provider can be a nerve-wracking experience,” counsels Barney. “Many cloud vendors can offer you access to your data even if your physical offices have been destroyed.”