Any time you're collecting data from your patients, you have to think about the systems you're using for that collection and who can see the data along the way.
You know your organization needs to keep its patient data secured on your servers. But what about all the other places where your patients are entering their protected health information (PHI) before it gets onto your network?
The Mississippi Division of Medicaid recently provided a sobering example of what can go wrong with unsecured patient data. It had to report to the U.S. Department of Health and Human Services that the PHI of more than 5,000 patients had been exposed through an online form on the division's website. The form collected the information and then transmitted it in an unencrypted email, readable by anyone with a packet sniffer on the mail path, so the PHI was fully exposed to attackers looking to turn a quick buck on valuable medical records.
Unsecured electronic forms are just one way you could be putting your patients' data at risk. This piece walks through several other scenarios you could be facing every day.
So what can you do about it?
There are several things you can look at right now to help limit the risk of PHI exposure (not to mention your own liability):
- Encrypt all your email and web correspondence by default. Encryption solutions are now simple and affordable to implement, especially when you weigh them against the risks of sending PHI unencrypted.
- Make sure your whole team understands the procedures and communications needed when a patient asks for PHI to be sent without encryption. Patients may think it's easier to get data in clear-text email, but once your staff make them aware of the associated risks, they may change their minds. Not only is this a good idea, building awareness among your patients is also a HIPAA requirement.
- Talk with your staff about where PHI may go after it reaches the patient or another provider. The recipient may forward a message you sent in encrypted form on to someone else in a clear-text email, exposing the PHI in the process. Knowing that the initial recipient may not be the final recipient may help your staff be more cautious in how they communicate PHI to outside parties.
- Think about developing a secure message system on your own website for sharing information with your patients. An encrypted app can keep patients' information secure while still making it easily accessible; see the offerings from Callidus Health, for example.
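The Mississippi form failed because the submitted fields were copied straight into an email body; the "secure message system" suggestion above avoids that by keeping the PHI on your own server and sending staff only a pointer to it. The following Python is an added example written for this article, not code from the page or from Callidus Health, contrasting the two patterns. The form fields, addresses, and the portal URL are constructed for illustration, the datastore is an in-memory dictionary, and nothing is actually sent; the functions return the message objects so they can be checked before sending.

```python
"""
Two ways a web form handler can pass a patient's submission to staff.

build_plaintext_notification() is the pattern that exposes PHI: the form
fields are copied into the email body, so anyone who can read the mail in
transit or at rest sees the PHI.

build_store_and_notify() keeps the PHI on the server: the submission is
stored under a random reference id, and the email to staff carries only
that id and a link into the portal.

phi_fields_in_message() is a pre-send check that reports which PHI values
appear in an outgoing message; a safe notification should report none.
"""
from email.message import EmailMessage
import secrets

# Constructed sample data: fields a realistic intake form might collect.
SAMPLE_SUBMISSION = {
    "name": "Jane Example",
    "dob": "1980-01-01",
    "medicaid_id": "123456789",
    "reason": "Prescription refill question",
}

# Which form fields count as PHI for the pre-send check.
PHI_FIELDS = ("name", "dob", "medicaid_id", "reason")

# Hypothetical portal URL; a real deployment would use its own.
PORTAL_URL = "https://portal.example.org/submissions/"

# In-memory stand-in for the server-side datastore (assumption for the example).
SUBMISSION_STORE = {}


def build_plaintext_notification(submission, to_addr="intake@example.org"):
    """The exposing pattern: PHI goes into the email body in clear text."""
    msg = EmailMessage()
    msg["Subject"] = "New patient form submission"
    msg["To"] = to_addr
    msg["From"] = "webform@example.org"
    msg.set_content("\n".join(f"{k}: {v}" for k, v in submission.items()))
    return msg


def store_submission(submission):
    """Keep the PHI server-side, keyed by an unguessable reference id."""
    ref = secrets.token_urlsafe(16)
    SUBMISSION_STORE[ref] = dict(submission)
    return ref


def build_store_and_notify(submission, to_addr="intake@example.org"):
    """The safer pattern: the email carries only a reference, never the PHI."""
    ref = store_submission(submission)
    msg = EmailMessage()
    msg["Subject"] = "New patient form submission"
    msg["To"] = to_addr
    msg["From"] = "webform@example.org"
    msg.set_content(
        "A new form submission is waiting in the portal.\n"
        f"Reference: {ref}\n"
        f"Review it at {PORTAL_URL}{ref}\n"
    )
    return msg, ref


def phi_fields_in_message(msg, submission, fields=PHI_FIELDS):
    """Return the names of PHI fields whose values appear in the message body."""
    body = msg.get_content()
    return [f for f in fields if submission[f] in body]


if __name__ == "__main__":
    leaky = build_plaintext_notification(SAMPLE_SUBMISSION)
    print("plaintext pattern leaks:", phi_fields_in_message(leaky, SAMPLE_SUBMISSION))
    safe, ref = build_store_and_notify(SAMPLE_SUBMISSION)
    print("store-and-notify leaks:", phi_fields_in_message(safe, SAMPLE_SUBMISSION))
    print("stored under", ref, "->", SUBMISSION_STORE[ref] == SAMPLE_SUBMISSION)
```

The pre-send check is the piece worth keeping in a real handler: run it on every outgoing notification and refuse to send if it reports any field. Access to the stored record then happens inside the portal, where you control authentication, logging, and encryption at rest, rather than in whatever mailbox the notification lands in or gets forwarded to.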
Protecting PHI has to be as essential to your staff as protecting the physical health of your patients. Help your staff think through all the places PHI is collected and all the places it may go after it's entered into your systems.