Reasonable Safeguards for PHI are precautions that a prudent person must take to prevent a disclosure of Protected Health Information. To protect all forms of PHI: verbal, paper, and electronic, provides must apply these safeguards. They help prevent unauthorized uses or disclosures of PHI. In addition safeguards must be part of every privacy compliance plan. Organizations must share this with all members of the organization.
Safeguards for Verbal PHI
Apply Reasonable Safeguards for PHI to all of your verbal disclosures of Protected Health Information. When you work with a patient, first determine who is with the patient before discussing PHI. Secondly do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them. Ask who is with the patient and if the patient permits disclosure. Finally you may ask the persons to leave the room providing the patient an opportunity to object.
In addition, reasonable safeguards for PHI must apply to the use of all paper products to prevent these from reaching the wrong person. Providers must dispose of all paper products that have PHI in a shredder once no longer used. Personnel must make every effort to give the patients summary to the correct patient. When a paper patient summary is given to a patient, every effort must be made to give it to the correct patient.
Password protect all computers in order to protect electronic PHI. Employees must only use the computer medical accounts to which they are assigned. One must consider the use of encryption of any email or texts that contains ePHI.
Use of Reasonable Safeguards for PHI Prevent Violations
In conclusion the use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation or a finding that an incidental disclosure occurred. The latter is secondary to a permissible disclosure, and not a violation. Reasonable safeguards protect PHI and help prevent you from violating patient privacy.
HIPAA Technical Safeguards protect PHI and are a major part of any HIPAA Security program. Using cybersecurity to protect EPHI is a key feature of HIPAA. Technical safeguards are key protections that help to maintain the safety of EPHI as the internet changes. One of the greatest challenges of healthcare organizations face is that of protecting electronic protected health information (EPHI). This includes protection of electronic health records, from various internal and external risks. To best reduce risks to EPHI, covered entities must implement technical safeguards.
An organization may face multiple challenges as it attempts to protect EPHI. These issues must all be considered as they may originate from inside or outside the organization. It is important for any organization to perform a full risk analysis to protect the organization from such a variety of threats. We present several examples of cyberthreats in healthcare you must be ready to address. This will help you as you develop your Security Program
Cyberthreats From Outside Sources
In today?s environment many new potential targets will develop from bad actors. We must be prepared to handle the security threats of tomorrow.
Cybersecurity is the art of protecting networks, devices and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information. There are many risks, and these come in various forms. Among these are malware erasing your entire system, a cyber-attacker breaching your system and altering files, a cyber-hijacker using your computer to attack others, or an attacker stealing or freezing your data in return for money. There is no guarantee that even with the best precautions you will prevent this, but there are steps you can take to minimize the chances.
Using cybersecurity to protect PHI is a key feature of HIPAA. Electronic protected health care information or EPHI is at increased risk from many sources:
Foreign hackers looking for data to sell ? usually on the dark web
Ransomware attacks that lock up data until a ransom payment is received
Phishing schemes that lure the user into clicking a link or opening an attachment to deploy malicious software; and
Spear phishing ?a targeted attack on a specific person that appears to come from a legitimate source usually instructing a transfer of funds.
The internet of Things or IoT will allow the interconnection of devices as a means for virus or malware to enter our systems.
What You Can Do
In order to safeguard EPHI against threats:
First, know how to spot phishing emails.
Learn how to use strong passwords, two factor authentication and encryption.
Finally, have policies, procedures and safeguards in place to protect EPHI and Know who to report an incident to in your organization.
Prepare for Cyberattacks
In the case of a cyberattack or similar emergency an entity must:
Execute its response and mitigation procedures and contingency plans.
Report the time to other law enforcement agencies.
Should report all cyber threat indicators to federal and information-sharing and analysis organizations.
Finally, it must report the breach to Office for Civil Rights (OCR) as soon as possible, but not later than 60 days after the discovery of a breach affecting 500 or more individuals.
The OCR considers all mitigation efforts taken by the entity during any breach investigation. For instance, such efforts include voluntary sharing of breach-related information with the appropriate agencies. Remember in the event of a cyberattack it is critical to comply with breach reporting requirements.
Texting Protected Health Information
When we talk about texting there are two different types of texting we must consider. Each of these acts differently and serve very different needs. The first type is what we usually perform using our phone and carrier and is also known as Short Message Service (SMS). This is the default app on our phone that many people use to send and receive texts every day. It is not secure. The second type is app based and is used by healthcare providers (mostly doctors and nurses) to communicate to one another on patient-related care. It can also be used by providers to communicate with patients and is secure.
To be compliant secure texting needs to meet certain technical standards for HIPAA compliance:
Encryption of message data in transit and at rest
Reporting/auditability of message content
Permissions management capabilities
If safeguards like these are in place, PHI can be sent with a minimum of risk.
Because SMS is an unencrypted channel one might presume an entity cannot send PHI. This is actually not true because encryption is not mandated according to the Security Rules. Healthcare organizations must determine whether encryption is reasonable and an appropriate safeguard, in protecting PHI. It is possible to use alternative safeguards If encryption is not deemed reasonable and appropriate by the covered.
Recent Clarification from OCR
At a recent conference at the HIMSS health IT conference in Las Vegas on March 6, Roger Severino, director of the OCR said that healthcare providers may share PHI with patients through standard (SMS) text messages.
Providers must do the following:
Warn their patients that texting is not secure
Gain the patients? authorization
Document the patients? consent
Presently these represent comments and have yet to enter into policy. The OCR has long-promised guidance on this topic and it is reasonable to assume a ruling on the topic is imminent.
In December 2017, the Joint Commission issued a clarification explicitly stating the use of Secure Texting for patient orders is prohibited. Providers should opt for the use of Computerized Provider Order Entry (CPOE) as the preferred method of order entry. CMS insists that a physician or Licensed Independent Practitioner (LIP) should enter orders into the medical record via a handwritten order or via CPOE. When using this system, orders are immediately downloaded into the provider?s electronic health records (EHR). Moreover, this method is preferred as the order would be dated, timed, authenticated and promptly placed in the medical record.
Finally, using cybersecurity to protect PHI remains the cornerstone to protecting all ePHI which all organizations should address in today’s healthcare climate.