While most HR professionals are sensitive to the requirements for safeguarding protected health information (PHI), many are taking risks they aren’t aware of.
DO Encrypt Most Everything
The most common mistake we see is emailing PHI without encrypting it. Often, our clients aren’t sure the data they’re dealing with even qualifies as PHI. We suggest erring on the side of caution. When in doubt, encrypt it! We now encrypt every type of personal data before sending it, no matter what insurance product it concerns.
Your first line of defense for emailed PHI is to send a password-protected file in one email and send the password separately. But it’s much better to install an inexpensive encryption software program. To become even more vigilant, install hardware that detects PHI and encrypts it for you.
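One way to put the "password-protected file in one email, password sent separately" practice into a repeatable step, as an added example that is not part of the original post: the script below uses the openssl command-line tool (assumed to be installed) to encrypt a file with a freshly generated random password and writes that password to a separate file, so the attachment and the password can travel by different channels. The sample "claim" file is constructed, fictional data used only to show the round trip.

```shell
#!/bin/sh
# Added example (not from the original post). Encrypts a file for emailing with
# AES-256-CBC and PBKDF2 key derivation via the openssl CLI, which is assumed
# to be installed. The password is never stored alongside the attachment.
set -eu

# wrap_phi_file FILE
#   Writes FILE.enc (send this as the attachment) and FILE.pass (send this
#   password through a different channel, e.g. a phone call, never in the same
#   email). Prints the path of the encrypted file.
wrap_phi_file() {
    in="$1"
    # 24 random bytes, base64-encoded: a password nobody has to remember or type.
    pass="$(openssl rand -base64 24)"
    printf '%s' "$pass" > "$in.pass"
    chmod 600 "$in.pass"
    openssl enc -aes-256-cbc -pbkdf2 -salt \
        -in "$in" -out "$in.enc" -pass "file:$in.pass"
    echo "$in.enc"
}

# unwrap_phi_file FILE.enc PASSFILE
#   Recipient side: decrypts FILE.enc with the separately received password and
#   prints the path of the decrypted output (FILE.dec).
unwrap_phi_file() {
    enc="$1"
    passfile="$2"
    out="${enc%.enc}.dec"
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -in "$enc" -out "$out" -pass "file:$passfile"
    echo "$out"
}

# Self-check with a constructed, fictional claim summary in a temp directory.
demo_dir="$(mktemp -d)"
sample="$demo_dir/claim.txt"
printf 'Employee: Jane Example\nClaim: 0000-sample\n' > "$sample"

enc="$(wrap_phi_file "$sample")"
dec="$(unwrap_phi_file "$enc" "$sample.pass")"

# The decrypted copy must match the original byte for byte.
cmp -s "$sample" "$dec"
echo "round-trip OK: attachment=$enc password=$sample.pass"
```

The encrypted `.enc` file is what goes into the email; the `.pass` file holds the only thing that can open it, which is why it must leave by a different route than the attachment. Because the password is random and generated per file, a compromised mailbox that holds the attachment still yields nothing without the second channel.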
DO Establish a Business Associate Agreement
Any organization dealing with PHI should have a legal business associate agreement with its brokers, carriers, vendors, contractors and employees. The Miller Group insists on these as a matter of course.
These agreements often cover:
- Who is approved, trained and responsible for accessing and protecting PHI.
- The level of access each of those people should have. For example, some may need to access client contact information but not details of a diagnosis or claim and vice versa.
- How each identified PHI “officer” is required to protect the data, whether it is physical, electronic or spoken.
- Reporting requirements for any suspected breaches.
DO Consider Non-Electronic Information
We may be so focused on the vulnerabilities of electronic files that we miss the more obvious ways PHI can be shared inadvertently: through physical files, on-screen information and conversations.
- Physical files and on-screen information: How easy would it be for a visitor, vendor or unauthorized staff member to see PHI via paperwork left out on a desk, a computer monitor left unattended or an unlocked file cabinet? Those authorized to access the data have a responsibility to protect it at all times.
- Conversations: Within the HR department, how careful are we being about discussing employee information and claims? Could an innocent conversation between colleagues breach an employee’s privacy? Even if two HR people are authorized to discuss the information, how public is the work area? Are vendors, customers or other employees potentially hearing information they aren’t authorized to know?
DO Take Steps to Protect Your Data
- Establish a business associate agreement with everyone who could encounter PHI via your files, premises or equipment – even less obvious associates, such as the cleaning crew, IT service provider or repair company.
- Establish a “clean-desk” rule, requiring employees to shred discarded material containing PHI, keep PHI in a file folder throughout the workday and lock it up when leaving the office.
- Place locks on file cabinets and create a protocol for using them.
- Set your computers to lock automatically when they’re idle for five minutes or more.
- Require employees to establish strong passwords and change them every 90 days.
- Consider how to protect access to your facilities – with an electronic system, security guard or receptionist. You also may want to keep a visitor log.
- Consider creating a mobile device management strategy to protect data your employees may be accessing outside your premises or protected electronic system. The best ones require stronger password protection and segregate personal from business data so the employer can wipe the business info quickly if the employee leaves or loses the device.
- Consider the less obvious sources of data breaches, too. How are you ensuring you have completely cleaned copiers, phones, hard drives and laptops of PHI before you dispose of them or return them to the leasing company?
- Don’t forget the trash. Make sure you shred any PHI before it leaves the protection of authorized staff. Or, place it in locked bins and establish a business associate agreement with your shredding vendor.
If you’re wondering how protected you are, consider hiring a consultant to do a full HIPAA audit. It’s a great way to identify gaps that might not be obvious.
Closing those gaps will go a long way toward protecting your data. As we’ve seen recently with Anthem Blue Cross and Blue Shield, however, breaches of PHI can happen to even the most careful businesses. So the next step is to have a plan for identifying breaches, re-securing your data, notifying those affected and remedying the situation.
By Robert Falke
Director of Client Experience and The Miller Group’s Information Security Officer