Staff training should be ongoing, not just once a year.
As a healthcare professional frequently working on the computer and handling emails, you may already have a good understanding of how to secure certain types of protected health information (PHI), such as patient names and medical records, while working online and via email. However, to prevent HIPAA breaches, it’s essential to apply this vigilance across all types of PHI, ensuring consistent protection against any potential leaks of patient information.
Familiarize yourself with the tips below to safeguard yourself and your practice from mistakes that could amount to a major HIPAA slip-up and land you in hot water.
Tip 1: Reinforce Your Software Systems
Your office’s information technology (IT) team can work with you and your team to create a strong security system against cyber threats by doing the following:
- Maintain current software versions: Developers of operating systems and software frequently issue updates when they identify potential weaknesses, security issues, or other concerns. By promptly installing these updates after they have been approved by your practice’s IT team, you can ensure the security of your devices against potential threats.
- Ensure regular data backups: In the event of a cyberattack, having readily available backups can expedite the process of restoring your computer and network operations.
- Save items to the cloud: Storing files on the cloud involves uploading your data to a remote server, which is managed by a cloud service provider, rather than saving it solely on your local computer. This method allows you to access your files from any device with an internet connection, provides additional security measures, and offers more storage capacity compared to a local computer. It also ensures that your data is safe even if your local computer is damaged, lost, or stolen.

Tip 2: Offer Email-Specific Training
Each time a new threat emerges, particularly in the event of an incident like a phishing attack, it’s essential to refresh and reeducate your team, keeping them informed and providing necessary resources and advice, like the following:
- Disable automatic downloads: If your email application has a feature that allows for automatic downloading of attachments, it’s advisable to turn off this function to shield your computer systems from potentially harmful files. Check with the IT department before downloading any file that looks questionable. Even reliable antivirus software can be tricked by new threats.
- Use cloud-based email protection: With many of your team members potentially working remotely, a cloud-based email solution can effectively lessen ransomware concerns and enhance data security. This is because your IT department and service provider can more readily address and resolve problems.
- Consider encryption: Despite thorough training, your staff might not always be able to spot phishing attempts, which is where encryption technology proves beneficial. Using email encryption can aid your organization in verifying emails, providing tools to confirm that the email isn't part of a phishing scam.
- Stay vigilant: Even emails appearing to come from known colleagues may not be genuine, as attackers can mimic familiar email addresses. Always verify with the sender before opening any attachments.
Tip 3: Avoid Real-World Traps
It’s important to note that there is no such thing as HIPAA certification and “there is no standard or implementation specification that requires a covered entity to ‘certify’ compliance” at all, according to guidance from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Fake vendors often employ deceptive tactics to trick medical practices into buying their fraudulent compliance services. Here are some common methods they might use:
- Impersonating legitimate companies: They may pretend to be representatives of well-known, reputable compliance service providers to gain trust.
- Offering too-good-to-be-true deals: They might lure practices with incredibly low prices or promises of services that seem too good to be true.
- Fearmongering: They could use scare tactics, emphasizing the severe consequences of noncompliance to pressure practices into using their services.
- Unsolicited contact: They may reach out unexpectedly via phone, email, or in-person visits, insisting that their services are urgently needed.
- Vague or complex service descriptions: They might use complex jargon or provide vague descriptions of their services to confuse potential clients.
- Lack of transparency: They may not provide clear information about their company, contact details, or customer testimonials.
To avoid falling for such scams, it’s crucial to conduct thorough research, ask for references, and consult with trusted colleagues or industry experts before engaging with a new vendor.
Keep in mind: “It is important to note that HHS does not endorse or otherwise recognize private organizations’ ‘certifications’ regarding the [HIPAA] Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule,” warns OCR guidance. “Moreover, performance of a ‘certification’ by an external organization does not preclude HHS from subsequently finding a security violation.”
Lindsey Bush, BA, MA, CPC, Development Editor, AAPC