Hospital employees who peek at high-profile patient medical records out of curiosity may not-so-curiously find themselves out of a job.
At least one hospital recently sent a strong message that might serve as an example: 14 of Carilion Clinic’s (Roanoke, Va.) employees were found to have accessed a high-profile patient’s medical records “without a legitimate patient care need.”
Though specifics of HIPAA violations cannot be divulged, Carilion Vice President of Internal Audit & Compliance Vicki Clevenger said the incident was responded to appropriately with each employee involved in the HIPAA breach, “up to and including termination.”
Help your employees – and your organization – prevent costly security breaches and empower your staff by following the six tips below to prevent a HIPAA breach.
Conduct a yearly risk assessment
In accordance with the HIPAA Security Rule, which establishes national standards to protect individuals’ electronic personal health information, a thorough and accurate risk analysis must be conducted annually to assess “the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the organization.”
Enable MDM tools
Enabling mobile device management (MDM) tools on employees’ devices provides an extra safety net in case those devices are ever stolen from a home, office or vehicle. Not only can MDM tools possibly protect electronic records from being accessed on mobile devices, but they can also locate those devices and allow for remote data removal if they’re lost or stolen.
Encrypt data and hardware
From 2009 to 2014, the loss or theft of unencrypted portable devices was responsible for more than a third of all large breach incidents and impacted more than 50% of all at-risk health records, according to Healthcare IT News in an article on the 2014 Redspin Breach Report. It may be costly, but encrypting data on all portable devices and hardware is often cheaper than the financial repercussions of a major breach incident.
Monitor emails, texts and social media
Since we live in a world of instant gratification (which includes instant venting), an employee may act without thinking and post something sensitive – either vague or specific – on a personal social media site or send it to a friend outside the hospital through a text or email. To keep your organization HIPAA compliant, advise employees not to post anything on social media or send an external email or text to anyone about anything that goes on in the hospital, HIPAAOne.com recommends.
Protect paper files
Protecting paper files within a hospital is still of utmost importance even if your organization has already transitioned to an EMR, and especially if that transition is still under way. Since most HIPAA breaches happen through paper files instead of electronic files, handling and storing paper files correctly is crucial to preventing a costly mistake. Remind employees constantly to double-check how they store, view, save and dispose of paper files to ensure they’re in the right folders and in the right hands.
Provide ongoing HIPAA training
Educate new employees and re-educate seasoned employees on current HIPAA rules. Keeping security top-of-mind for employees reminds them of what constitutes a security breach. The U.S. Department of Health & Human Services has additional information on where to receive HIPAA training and what specifics to provide your staff when they’re trained.