Known to some as the “Wall of Shame,” the HHS Breach Portal is the Department of Health and Human Services page listing failures to protect Protected Health Information (PHI and ePHI) as HIPAA requires. It is one kind of web publicity no health care provider or organization wants.
1500 HHS Breach Portal Reports (And Counting)
As of the end of April 2016, there were more than 1,500 reports, 20 of them from April 2016 alone.
The HITECH Act requires the HHS Secretary to post breaches of unsecured protected health information affecting 500 or more individuals. Types of breaches listed on the portal include:
- Hacking/IT Incident
- Improper Disposal
- Loss
- Theft
- Unauthorized Access/Disclosure
The most common causes of a breach large enough to be posted on the portal include:
- Theft of desktop computers or network servers
- Theft or loss of laptops or portable electronic devices
- Hacking incidents
Those are the sorts of electronic and device issues you might expect, but there can be non-electronic problems as well (think dumpster diving made possible by “improper disposal”):
- Failing to properly secure or destroy paper printouts
- Failing to secure or destroy films (x-rays, etc.)
Actions To Take To Stay OFF the HHS Breach Portal
This Basic Security Checklist for the Small Healthcare Practice can provide sound advice on how to prevent problems. Many of the “best practices” are obvious (use strong passwords and change them often, use anti-virus protection, use a firewall…), but others involve relatively new issues, and foremost among those is the need to protect mobile devices that either contain ePHI or provide a means of accessing a server or EMR. Laptops are easy to lose, smartphones even more so. Keep in mind that the portal lists breaches of unsecured PHI: under HHS guidance, PHI encrypted in line with NIST standards is not considered unsecured, so the loss of a laptop whose disk is encrypted that way, with the key stored elsewhere, is not a reportable breach at all. That makes device encryption the single most effective control against the two most common breach causes listed above.
The My Docs Online HIPAA page tells you what we do to protect ePHI, and includes guidelines for the correct use of My Docs Online by medical professionals.
Remember, the HIPAA Security Rule is not just about computers and networks. The rule specifies administrative, physical, and technical safeguards that covered entities must use to assure the confidentiality, integrity, and availability of electronic protected health information.
Electronic Protected Health Information (ePHI) refers to any Protected Health Information (PHI) that is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations. ePHI is simply PHI that is produced, saved, transferred, or received in electronic form.
Sharing PHI Outside of an EMR
Despite the rising use of Electronic Medical Records (EMR) technology within many medical practices, medical providers still need to securely share documents containing Protected Health Information with recipients outside their EMR.
A doctor or other medical professional might need to include PHI in a document sent for purposes of a referral. A doctor might be providing a second opinion, or sending the results of a specialist’s exam.
Some providers also routinely communicate with insurance companies or lawyers as part of accident or workers compensation cases.
PHI Recipients Hard to Predict in Advance
It’s hard to predict in advance who you will need to share PHI-containing documents with. Such sharing of PHI with a recipient might happen infrequently. You might only need to share documents with a particular recipient (more…)
The short answer to whether email is HIPAA secure is a resounding no, at least according to John Lynn, the man behind the popular EMR and HIPAA blog. In a recent post titled Email is Not HIPAA Secure, John makes a compelling case and lays out the reasons why.
To quote from the article:
There is a way to encrypt email sent between 2 email systems, but so far a standard and mechanism for encryption between all the vast number of email providers has not been established. I won’t go into the details of why this is the case (cost of encryption, standards for encryption, etc), but suffice it to say that almost none of the email systems send encrypted email that would satisfy the HIPAA requirements.
Meeting HIPAA requirements when communicating secure patient data can be a daunting task. If you’re in the business of handling medical dictation, the rules are pretty clear: you need a secure method of moving both the voice files and the finished transcription documents. If you’re going to transfer those files using a computer, you need to be using a HIPAA-compliant method of transferring them.
My Docs Online offers an easy way of moving those files that satisfies those HIPAA requirements. For more information please check out our Medical Transcription page.
If you’re really interested in learning more about HIPAA, there is a wonderful e-book titled The HIPAA Survival Guide (affiliate link) that is available online. The book, written by Carlos and Deborah Leyva, costs $9.95 and is a valuable resource. You can purchase and download the book from the HITECH Survival bookstore site.