Electronic health records (EHR) are tremendously valuable in retaining and exchanging patient data. When they use them, health care providers have to remember their responsibilities. The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) impose strict requirements for security and privacy.
The Office for Civil Rights (OCR) has imposed penalties as high as $16 million on negligent healthcare organizations.  The amounts are based on the amount of information breached and the degree of culpability. If your organization has solid security practices, it’s unlikely to be fined.
Health IT policy enforcement falls under the Office of the National Coordinator for Health Information Technology. In addition to enforcement, the office provides valuable information on its website. 
The two key sets of requirements are the HIPAA Security Rule and the Privacy Rule. They specify the conditions under which you can disclose protected health information and how you have to safeguard it. They don’t mandate specific technologies, but you need to maintain a strong level of protection.
The seven steps listed here give you a framework for securing electronic health data. Follow them carefully, and you’ll have a high level of protection. These steps are:
- Risk analysis
- Security policy
- Network security
- Incident response plan
- Proper data purging
- Business associate management
Cybersecurity And Risk Analysis
The starting point is to determine your level of risk and identify the pressing issues. The risks include not only electronic ones but human factors. An analysis will address these questions:
- What healthcare information requires protection against potential threats?
- Where is it located?
- What policies exist to protect it, and do employees know them?
- Are there adequate technical safeguards protecting electronic health records?
- Is there an incident response plan?
The analysis lets you set priorities. You should address the most serious concerns first, then move to the less urgent ones. The balance between patient convenience and cybersecurity depends on the kind and amount of data. A hospital chain with tens of thousands of patient records needs tighter security measures than a small practice. However, no organization can afford to be sloppy with patient data.
You have to enumerate your security practices in a written policy. It serves two purposes: (1) It lets employees know what to do. (2) It documents good faith efforts if HHS investigates your organization for an incident.
Some of the items the policy should include are:
- Designation of a Privacy Officer and others responsible for privacy and security.
- Enumeration of employee responsibilities and prohibited actions.
- A description of acceptable Internet usage.
- A process for reporting and handling security incidents and issuing notifications.
- Requirements for identification and authentication.
- Requirements for network management and security.
- Protection against malware.
- Physical security practices.
- Standards for information retention and destruction, including record disposal.
- Training requirements.
- Emergency procedures.
The policy needs to be updated from time to time, and employees need to know the parts that apply to their work.
The best way to protect stored medical records and other confidential information is to encrypt it. While the security rule doesn’t specifically require it, few alternatives serve as well. All mobile devices which may leave the premises should be encrypted if they hold confidential patient information. Stolen laptops with unprotected data have led to security breaches and expensive penalties. 
Whole-disk encryption is transparent to the user, requiring only the entry of a password when activating the device.
Data encryption protects information on servers as well. If malware gets into a server, encrypting sensitive data items will reduce the amount of valuable information it can steal. Patients are better protected from identity theft.
You should take advantage of encryption for the transfer of information over the Internet. Unencrypted data can be intercepted. Using SSL or other secure protocols makes it nearly impossible for anyone to decipher the data in transit.
Your office’s computer network needs to be kept secure, whether it’s big or small. Doing this requires multiple ongoing actions. Our cybersecurity professionals can help you with this.
A well-configured firewall keeps unwanted network traffic out. It reduces the chance of unauthorized access by limiting the network’s attack surface. It reduces the chance of denial-of-service attacks at the same time.
Workstations and servers should have antivirus software and keep it regularly updated. New kinds of threats constantly turn up, and you need the latest release of the protective software to guard against it.
Access control is another important consideration. The software which gives access to personal health information should require strong passwords. Multifactor authentication provides an extra measure of safety. Passwords can be guessed or stolen. Adding a second factor, such as a code sent to a smartphone, prevents password theft by itself from opening up unauthorized access.
Incident Response Plan
No IT security system is foolproof. You need a plan for dealing with security incidents. Catching them before they blow up into data breaches saves a lot of trouble.
The U.S. Department of Health and Human Services (HHS) has specific notification requirements for potential security breaches. Even the possibility that a healthcare system has leaked patient information requires a report. In some cases, you have to notify patients that their information might be compromised.
An unprepared organization could panic when facing a security problem. An incident response plan spells out who is responsible and what they have to do. There’s less confusion, and they can fix the problem faster. Prompt action reduces the magnitude of a security issue. Making the necessary notifications satisfies the legal requirements.
It’s eventually necessary to dispose of old computers, storage devices, and paper records. You have to do this properly so that they won’t fall into unauthorized hands.
Old health information needs to be destroyed, not thrown away. Storage devices need to be erased and overwritten, not just “formatted.” Alternatively, physical crushing wipes out the data thoroughly. Printouts and forms need to be shredded and carefully handled on the way to the shredder. In one memorable incident, a large collection of printed health records on their way to be shredded fell off a truck and were scattered all over the street. 
You should have a policy for retaining and destroying data so that it doesn’t get forgotten. It should include material such as sign-in forms as well as more formal record systems. Without specific direction, old devices and file cabinet contents might just get tossed.
Management Of Business Associates
You can legally contract out operations to other businesses and give them electronic medical records, but you need to enter a Business Associate contract to ensure that they will respect patient privacy and security. The contract must specify that your business partner will live up to HIPAA standards when handling your sensitive data.
Of course, the existence of a contract doesn’t mean that a business is reliable. You should entrust businesses with medical records only after checking their past performance and trustworthiness. Reliable business associates will maintain a high level of information security and help you to stay compliant.
Free HIPAA Compliance Consultation With RedTeam Security
RedTeam’s HIPAA penetration testing identifies and documents possible threats and vulnerabilities, and also outlines the likelihood of threat occurrence, explores the likely impact, and decides the reasonable and proper security measures to take. Contact us online or call today at 612-234-7848 for a free consultation
 Anthem Pays OCR $16 Million in Record HIPAA Settlement (hhs.gov)
 Stolen Laptops Lead to Important HIPAA Settlements (hhs.gov)
 Medical Records from New Mexico Hospital Found Scattered in Street (HIPAA Journal)
10-Point Offensive Security Checklist
Get A Bird's Eye View Of Your Organization's Security Readiness