By now, everyone who works in a medical office is aware of the importance of protecting patient privacy and abiding by HIPAA regulations. You’re careful not to talk about patients in the presence of others, records and reports are not left lying around in plain view, when you receive a request for medical records you send only what has been authorized by the patient, and you’re careful when mailing information to patients’ homes and leaving phone messages, even for something as benign as an appointment reminder. But what about all of the data you store in your office? Is it secure? Here are 10 tips toward keeping valuable and private information safe.
- One of the best ways to ensure data security in your practice is to develop policies and procedures that address critical issues and then follow them to the letter. In order to write these documents, you will be forced into doing enough research to learn about data security and, in the process, identify vulnerabilities that exist in your office. Appoint a security officer for your practice and make that person responsible for creating policies and educating staff on an ongoing basis. The following nine tips are ones that may be included in your policies.
- All passwords used in the office should be strong, kept private (i.e., not on a sticky note attached to the computer screen), unique to each account and never shared among staff members. Length matters more than forced complexity: a passphrase of 12 or more characters is stronger than an eight-character mix of uppercase letters, lowercase letters, numbers and special characters, and current NIST guidance (SP 800-63B) recommends against mandatory periodic changes in favor of changing a password promptly whenever compromise is suspected and screening new passwords against lists of known-breached ones. Where your practice management or EHR software supports it, turn on multi-factor authentication as well.
- Computers should be equipped with firewalls and anti-malware software that either runs continuously in the background (real-time protection) or scans automatically on a schedule. Keep the operating system and applications patched, since most malware exploits known, already-fixed flaws.
- Never click on links or open attachments in e-mail unless you are sure they are safe and come from a known, reliable source. When in doubt, confirm with the sender by phone before opening anything, and never log in through a link that arrived in a message you did not expect.
- Private patient information should stay in the office. Laptops, flash drives and printed materials should not be taken out of the office by staff members. One lost or stolen laptop containing private information will create a multitude of problems, and if a device must leave the office it should be encrypted (see the encryption tip below) so that loss of the hardware does not mean loss of the data.
- Data should be backed up regularly and stored securely offsite or with an online backup service. If your building burns down and the backup is in a locked file cabinet next to the main computer, you might as well not have backed up at all. Backups contain the same patient information as the live system, so they must be encrypted too, and a restore should be tested periodically; a backup that has never been restored is only a hope.
- Equip computers with uninterruptible power supplies (UPS) so that data is not lost or corrupted if your system shuts down during an electrical outage.
- Make sure that patient data on your system is encrypted. The American Medical Association has published an excellent document on the process of encryption. It covers how patient information can be scrambled in such a way as to be rendered useless to anyone who obtains it without the key. For a typical office the practical form is full-disk encryption on every desktop and laptop (BitLocker on Windows, FileVault on macOS) plus encryption of backups, with the keys or recovery passwords kept separate from the devices. Under HHS breach-notification guidance, protected health information that was encrypted according to NIST guidance is not considered "unsecured," so the loss of a properly encrypted device is not a reportable breach.
- If your practice accepts credit cards, you will need a separate policy to address how that information is protected. Check with your credit card processing vendor about what is required for your office to be compliant with the Payment Card Industry Data Security Standard (PCI DSS); in most small practices the simplest route is to never store card numbers at all and let the payment terminal or processor handle them.
- Have cross-cut paper shredders available throughout the office and make sure documents that are no longer needed but contain sensitive data are destroyed. The same applies to old computers, hard drives, copier drives and flash drives: wipe or physically destroy the storage before disposal, since deleting files does not remove the data.
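To make the encryption tip concrete, here is an added example (not from the original article or the AMA document) of what "scrambled so as to be useless" means in practice. It uses authenticated encryption (AES-256-GCM) from the third-party `cryptography` package, which is an assumption; the patient record, record identifier and key are constructed here for illustration. It shows that the ciphertext carries no readable fragments, that a wrong key or a single changed byte is rejected outright rather than producing garbage, and that binding the record ID to the ciphertext stops one patient's encrypted record from being swapped into another's file.

```python
"""Encrypt a patient record at rest with AES-256-GCM.

Added example, not code from the original article. Assumes the third-party
`cryptography` package (pip install cryptography). The record, record ID and
key below are constructed for illustration; none of it is real patient data.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM
TAG_LEN = 16    # GCM authentication tag appended to the ciphertext


def generate_key() -> bytes:
    """Create a random 256-bit key. Store it apart from the data it protects."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_record(key: bytes, plaintext: bytes, record_id: bytes) -> bytes:
    """Return nonce || ciphertext || tag.

    record_id is passed as associated data: it is not encrypted, but it is
    authenticated, so a ciphertext cannot be moved to a different record
    without the tag check failing.
    """
    nonce = os.urandom(NONCE_LEN)  # fresh per message; never reuse with one key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, record_id)
    return nonce + ciphertext


def decrypt_record(key: bytes, blob: bytes, record_id: bytes) -> bytes:
    """Inverse of encrypt_record. Raises InvalidTag on any mismatch."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, record_id)


def decrypt_fails(key: bytes, blob: bytes, record_id: bytes) -> bool:
    """True if GCM rejects the blob (wrong key, wrong record ID, or tampering)."""
    try:
        decrypt_record(key, blob, record_id)
    except InvalidTag:
        return True
    return False


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate corruption or tampering by flipping one bit of one byte."""
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]


def readable_fragments_survive(blob: bytes, plaintext: bytes) -> bool:
    """Sanity check: does any whitespace-separated field of the record
    appear verbatim in the encrypted blob?"""
    return any(field in blob for field in plaintext.split())


# Constructed sample record and identifier (not real patient data).
SAMPLE_RECORD = b"patient_id=000123;name=Jane Doe;dx=hypertension"
SAMPLE_ID = b"record-000123"

if __name__ == "__main__":
    key = generate_key()
    blob = encrypt_record(key, SAMPLE_RECORD, SAMPLE_ID)
    print("stored blob (hex):", blob.hex())
    print("readable fragments in blob:", readable_fragments_survive(blob, SAMPLE_RECORD))
    print("round trip ok:", decrypt_record(key, blob, SAMPLE_ID) == SAMPLE_RECORD)
    print("wrong key rejected:", decrypt_fails(generate_key(), blob, SAMPLE_ID))
    print("wrong record ID rejected:", decrypt_fails(key, blob, b"record-000999"))
    print("tampered byte rejected:", decrypt_fails(key, flip_byte(blob, NONCE_LEN + 3), SAMPLE_ID))
```

The key is the whole secret: whoever holds it can read every record, and without it the stored blob is random-looking bytes. That is why the key (or the BitLocker/FileVault recovery password) belongs in a separate, access-controlled place and never on the same laptop or backup drive as the data.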
Does all of this make you long for the days when you simply locked up patient charts at night and went home without a worry? Times have changed and practices using technology have to keep up. Don’t underestimate the importance of protecting your data, and if it feels more complex than you can manage on your own, don’t underestimate the value of hiring a knowledgeable tech consultant who can help you make sure that your data is secure.