The rise of telemedicine and ubiquity of electronic medical records has created new concerns regarding patient data privacy. However, whether hospitals store health information electronically or on paper, patients have the right to keep those records private, and physicians and healthcare organizations must make strides to ensure we protect those rights.
The HIPAA Privacy Rule, a federal law, safeguards a patient's protected health information (PHI) and sets limits and conditions on who can look at and receive that data. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or verbal.
It also grants patients the right to examine their records, obtain a copy, and request corrections. However, the Privacy Rule does permit the disclosure of personal health information needed for patient care and other essential purposes.
Another federal law, the HIPAA Security Rule, requires security for health information in electronic form and ensures that only authorized parties have access.
Common Healthcare Privacy and Security Issues
Today's internet-connected tools and platforms carry security hazards that hospitals must address to remain HIPAA-compliant. The most common issues include:
Bring Your Own Device Policies
Bring-your-own-device (BYOD) policies are spreading through the healthcare industry because staff who are comfortable with their personal devices tend to be more productive and efficient, and workflows move faster.
However, the organization has little control over how those personal devices are configured and used, and they may hold sensitive patient PHI. That lack of control makes BYOD one of the most significant healthcare information technology problems hospital administrations face.
WiFi in coffee shops, airports, and other public gathering places is a much-appreciated convenience. But healthcare institutions are HIPAA-covered entities, which means they must take precautions to safeguard PHI regardless of the technology used. That includes steps like not connecting to public WiFi from mobile devices used to access PHI, never sending PHI over unsecured networks, and encrypting PHI both on the device and in transit.
Unencrypted email poses another security threat. Although the HIPAA Security Rule does not directly ban the use of email to convey PHI, it does establish a set of safeguards (access controls, transmission security, and audit controls among them) that hospitals must meet before email conversations containing PHI can be considered HIPAA compliant.
Video conferencing tools, such as Skype and Zoom, are not necessarily HIPAA-compliant (the vendor must, at minimum, sign a business associate agreement), and issues such as what is visible in the video background and who else can hear the conversation around the office become important.
The HIPAA Security Rule treats encryption of electronically transmitted PHI (ePHI) as an addressable implementation specification: a covered entity must encrypt ePHI in transit wherever that is reasonable and appropriate, or document why an equivalent alternative safeguard is used. Beyond encryption, the devices and channels used to communicate ePHI at a distance must themselves be configured and managed to meet the Security Rule's administrative, physical, and technical safeguards.
HIPAA telemedicine standards apply to any medical practitioner or healthcare organization providing a remote service to patients in their homes or community centers, and only authorized parties may take part in those sessions.
Finally, under the HIPAA guidelines on telemedicine, any system communicating ePHI at a distance must have mechanisms in place to monitor communications and to remotely wipe data or devices when necessary, in order to prevent accidental or malicious breaches.
The alarming uptick in ransomware attacks that have affected several health systems across the country has caused healthcare IT professionals to place particular emphasis on storing patient data securely.
Ransomware is a form of malware that encrypts a victim's files. In a ransomware attack, the attackers encrypt sensitive information and demand a "ransom" (a monetary fee) in exchange for the key needed to decrypt it. Such attacks disrupt systems and endanger patient safety because hospitals can't access medical records or coordinate care while the data is locked.
Owing to the increase in these incidents, healthcare organizations must plan proactively to protect patient records. Deciding what data the organization will store and for how long is crucial, because data that is never collected or that has already been deleted cannot be held hostage. Knowing where that data is stored, keeping tested offline backups of it, and knowing who has access are also essential. (Access should be permitted only to individuals who have a business need for it.)
Additional protective measures include staff training on security best practices, system penetration testing, multi-factor authentication for all remote and privileged access (single sign-on can reduce password sprawl but is not a substitute for MFA), and ongoing system and device monitoring.
HIPAA rules govern covered entities such as hospitals and health systems, along with their business associates, not patients. But that doesn't mean patients don't share a responsibility to protect their own PHI.
For patients to access PHI electronically, they must also take security measures. It is a good idea to remind patients not to open email from unknown senders (especially messages containing attachments or links, which may carry malware), to enable WPA2 or WPA3 encryption on their home WiFi routers, and to use strong, unique passwords that they change promptly if they suspect an account has been compromised. That's good advice not just for their health information but for all sensitive data. And remember, no legitimate organization will ever ask for your username and password; only the bad guys do.
SCP Health does not take protecting patient data lightly. For that reason, a few years ago we developed mySCP, a HIPAA-compliant communication and security platform that keeps patient and clinician information secure and private. Physicians must be credentialed to join, which ensures that only authorized individuals have access.
mySCP now consists of a suite of apps that include:
- mySCP Connect - a secure messaging solution for SCP Health employees and clinicians;
- mySCP Care - a system that supplies clinicians with patient information in a secure and timely manner. It also helps them record the visit and address quality measures to provide the best care for patients;
- mySCP Practice - a convenient, secure, HIPAA-compliant practice management hub for SCP Health employees and clinicians.
For more insights on protecting patient information, read the SCP Health blog post, 10 Ways to Protect Your Hospital from Cyber-Attack. To learn more about mySCP, visit the mySCP website.