If your organization has HIPAA obligations -- either as a Covered Entity or a Business Associate -- you've probably heard the term Protected Health Information, often shortened to PHI by industry insiders. Understanding this term is crucial to standing up a strong cybersecurity perimeter that honors your HIPAA obligations. Although your HIPAA obligations are a mix of privacy and security obligations (and beyond), here we'll talk mostly about the security of three particular types of information that are definitely part of the patient records covered by HIPAA.
If you are a Covered Entity, there is a very good chance that you have patient Contact Information, Medical Information, and Payment Information floating around in your systems somewhere -- hopefully in a very centralized, well-organized system. You are obligated to make sure that no unauthorized person is able to see, use, or decipher any of that information that is Protected Health Information. Think about the places where you store this type of information. Do you have patient information in your EHR system? In your accounting system? In your billing system? In other files that contain correspondence with your patients?
All of that needs to be guarded so that unauthorized people are not able to see, use, or decipher the information. Some of the things you should consider as part of your cybersecurity posture to fulfill your HIPAA obligations are:
There are other factors that you should consider for Protected Health Information, but the above three items are what we consider to be the most essential starting point. It's hard to imagine a credible PHI strategy that does not incorporate the above three items, at a minimum.
The Office for Civil Rights has the ability to investigate Covered Entities and Business Associates. They can do this in response to a complaint received from a patient, employee, or other whistleblower -- or they can do this as part of a broader auditing effort that doesn't relate to a complaint. Although we don't imagine that many Covered Entities or Business Associates look forward to the possibility of an investigation, you'll sleep better if you take a few simple steps to ensure that you are well equipped to respond to an investigation or audit if one ever occurs. Some of these steps are:
In brief, although no one looks forward to scrutiny of their HIPAA processes, the above steps can make the process as low-stress as possible.
Want to talk about your unique situation with regard to HIPAA? Havoc Shield is standing by to help. We can make it easy to get everyone in your organization trained (as soon as today), orchestrate encryption at rest and in transit, manage the workflow around rolling out policies and receiving acknowledgements, and more. If any of the above topics make you concerned that you may not be doing everything you need to for HIPAA, please get in touch so that we can discuss your unique circumstances.