Reasonable Safeguards for PHI are precautions that a prudent person must take to prevent a disclosure of Protected Health Information. Providers must apply these safeguards to protect all forms of PHI: verbal, paper, and electronic. They help prevent unauthorized uses or disclosures of PHI. In addition, safeguards must be part of every privacy compliance plan, and organizations must share this plan with all members of the organization.
Safeguards for Verbal PHI
Apply Reasonable Safeguards for PHI to all of your verbal disclosures of Protected Health Information. When you work with a patient, first determine who is with the patient before discussing PHI. Second, do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them. Ask who is with the patient and whether the patient permits disclosure. Finally, you may ask those persons to leave the room, which gives the patient an opportunity to object.
In addition, reasonable safeguards for PHI must apply to the use of all paper products, to prevent them from reaching the wrong person. Providers must dispose of all paper products that contain PHI in a shredder once they are no longer needed. When a paper patient summary is handed out, personnel must make every effort to give it to the correct patient.
Password-protect all computers in order to protect electronic PHI. Employees must use only the medical computer accounts assigned to them. Consider encrypting any email or text message that contains ePHI.
Use of Reasonable Safeguards for PHI Prevents Violations
In conclusion, the use of reasonable safeguards may be the difference between an Office for Civil Rights (OCR) finding of a privacy violation and a finding that an incidental disclosure occurred. The latter is secondary to a permissible disclosure and is not a violation. Reasonable safeguards protect PHI and help prevent you from violating patient privacy.
Using cybersecurity to protect PHI is a key feature of HIPAA. Electronic protected health information (ePHI) is at increased risk from many sources:
Foreign hackers looking for data to sell, usually on the dark web
Ransomware attacks that lock up data until a ransom payment is received
Phishing schemes that lure the user into clicking a link or opening an attachment in order to deploy malicious software
Spear phishing, a targeted attack on a specific person that appears to come from a legitimate source and usually instructs a transfer of funds
What You Can Do
In order to safeguard ePHI against these threats:
First, know how to spot phishing emails.
Second, use strong passwords, two-factor authentication, and encryption.
Finally, have policies, procedures, and safeguards in place to protect ePHI, and know whom to report an incident to in your organization.
Prepare for Cyberattacks
In the case of a cyberattack or similar emergency, an entity must:
Execute its response and mitigation procedures and contingency plans.
Report the crime to other law enforcement agencies.
Report all cyber threat indicators to federal and information-sharing and analysis organizations.
Finally, report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.
Most importantly, OCR considers all mitigation efforts taken by the entity during any particular breach investigation. For instance, such efforts include voluntary sharing of breach-related information with the appropriate agencies.