12 Tips for Protecting PHI

Tips for Protecting PHI

The below list is not completely exhaustive, but it is a good place to start when protecting PHI.

1. Carry out a HIPAA Assessment

Doing so will help organizations understand their current security posture and provide insight into what they can do to improve it. They will also need to carry out regular security audits to monitor the effectiveness of their security strategy.

2. Appoint Privacy and Security Officers

Organizations will need to appoint one or more security personnel to ensure that the organization is following the HIPAA guidelines, and to ensure that staff members are trained to a sufficient level.

3. Sign a BAA (Business Associate Agreement)

Healthcare organizations and any third-parties that have access to PHI will need to sign a BAA (Business Associate Agreement), which states how PHI can be stored, processed and transported.

4. Provide Training on PHI Handling

Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements. All members of the workforce must be trained by a covered entity on the policies and procedures relating to protected health information. Training must be provided to each new workforce member within a reasonable period of time after the person joins the workforce. Training must also be updated if workforce members’ functions are affected by a change in any Privacy Rule policies and procedures.

The Security Rule requires a security awareness and training program to be implemented for all workforce members.

5. Use Two-Factor Authentication

Any cloud-based solutions, such as EMR (Electronic Medical Record) solutions and communication/chat applications, should use 2FA for added security. In addition to a simple username and password, the user will be required to enter a code, provide a fingerprint scan, or anything else which can strengthen the authentication process.

6. Secure Your Physical Assets

While this may seem obvious, some smaller service providers have been known to overlook physical security procedures. Only authorized personnel should be allowed to enter the server room. Use security cameras, alarm systems and electronic door access to protect all physical assets which may contain PHI.

7. Implement a Breach Notification Plan

Should a service provider fall victim to a data breach, HIPAA requires that they notify those who were affected within 60 days. Service providers will need a documented set of procedures to follow in the event of a breach.

8. Restrict access to PHI

Organizations need to ensure that access to the PHI is limited to those who need it. A common method for restricting access to sensitive data is Role-Based Access Control (RBAC), whereby access is restricted based on roles as opposed to individuals.

9. Encrypt PHI Both at Rest and in Transit

Any data stored on portable drives, mobile phones and laptops will need to be encrypted in order to protect the data, should the device fall into the wrong hands. Likewise, PHI sent in emails will need to be encrypted.

10. Keep Antivirus and Antimalware Solutions Updated

It is essential to keep antivirus and antimalware protection up to date. Updates and patches should be applied as a priority to keep networks secure when protecting patient privacy.

11. Securely Dispose of Old Equipment

Any equipment that contains sensitive data will need to be destroyed, and the process will need to be documented.

12. Tighten up Perimeter Security

Ensure that firewalls are well configured. If you don’t have a firewall, you can use a Firewall-as-a-Service or go a step further and implement an Intrusion Detection Prevention System (IPDS).

How Lepide Helps Protect and Secure PHI

The Lepide Data Security Platform helps you detect and respond to threats involving ePHI. The Lepide Solution uses built-in data classification to scan both your on-premise and cloud-based repositories, and classifies the ePHI as it is found. This will make it easier to assign the relevant access permissions to keep it secure. The Lepide Platform uses machine learning techniques to identify anomalous changes to your ePHI, and when discovered, will send real-time alerts to your inbox or mobile app. You can also generate pre-defined reports that are customized to meet the HIPAA compliance requirements, thus enabling you to easily demonstrate your compliance efforts to the relevant authorities.