
Four tips for removing your HIPAA blind spots

February 24, 2017
Health IT Risk Management
From the January 2017 issue of HealthCare Business News magazine

By Chris Byers

Most health facilities are no strangers to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its privacy rule standards. But no matter how hard they work to remain HIPAA compliant and protect patients’ personal medical information, some health care entities inevitably fail to keep all patient details secure. Why?

Let’s consider the vast technological landscape overtaking the health care industry. The rise of mobile technology and electronic medical records created a few rough blind spots for health organizations. Electronic protected health information (ePHI) is highly susceptible to a HIPAA breach, so facilities have to be extra diligent to ensure they are fully safeguarding ePHI and upholding strict HIPAA compliance. To help you evaluate your organization’s HIPAA security efforts, consider the following four tips for removing your HIPAA compliance blind spots:



Limit what you share via mobile messaging
Many health facilities take advantage of today’s mobile technology to send appointment confirmations or prescription refill notices via voicemail, text or email. While this is convenient for providers and patients, it opens up the door for HIPAA security violations. To keep a patient’s private health information out of the wrong hands, health organizations should limit the information they share via mobile messaging. For example, a prescription refill notice should not contain details of the specific prescription. It should simply notify the patient that it’s time for him or her to submit a refill request. Likewise, appointment confirmation messages should leave out any details regarding the specific reason for the appointment. If a facility wants to take its privacy protection a step further, it can even limit its mobile messages to a simple request for a patient to call the facility for further information.
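As an added illustration of this tip (not part of the original article), the Python example below builds notices from fixed templates that cannot reference sensitive fields, and checks any drafted message for prescription or appointment-reason details before it is sent. The record, field names and template wording are constructed assumptions.

```python
import re

# Constructed sample record; the field names are assumptions for this example.
RECORD = {
    "medication": "Metformin 500 mg",
    "appointment_reason": "Diabetes follow-up",
    "appointment_time": "Mar 3 at 9:30 AM",
    "callback": "555-0199",
}

# Fields whose values must never appear in a voicemail, text or email.
SENSITIVE_FIELDS = ("medication", "appointment_reason")

# Fixed wording per notice type; the last one is the "call us" minimum.
TEMPLATES = {
    "refill": "It's time to submit a prescription refill request. Call {callback}.",
    "appointment": "You have an appointment on {appointment_time}. Call {callback} with questions.",
    "callback_only": "Please call {callback} for information from your provider.",
}

def sensitive_terms(record):
    """Whole values plus each word of 4+ letters from the sensitive fields."""
    terms = set()
    for field in SENSITIVE_FIELDS:
        value = record.get(field, "").lower()
        if value:
            terms.add(value)
            terms.update(re.findall(r"[a-z]{4,}", value))
    return terms

def leaked_terms(message, record):
    """Return the sensitive terms from the record that appear in the message."""
    text = message.lower()
    return sorted(t for t in sensitive_terms(record)
                  if re.search(r"\b" + re.escape(t) + r"\b", text))

def build_notice(kind, record):
    """Render a template from non-sensitive fields only, then fail closed on leaks."""
    # A template that names a sensitive field raises KeyError here,
    # because those fields are never passed to format().
    allowed = {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
    message = TEMPLATES[kind].format(**allowed)
    leaks = leaked_terms(message, record)
    if leaks:
        raise ValueError(f"message discloses sensitive terms: {leaks}")
    return message
```

The word-level match is deliberately conservative, so a common word in a reason field (such as "follow") can flag a harmless draft for review.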

Avoid using patient names when collecting data
When possible, health facilities should avoid using patient names or other personally identifiable information when collecting patient information. Patients sometimes share ePHI unknowingly when filling out online medical forms, so it’s best to implement data collection practices that prevent tying patients directly to any sensitive medical information they provide. For example, if a facility is issuing a simple patient survey to help improve its services, the facility should consider gathering anonymous feedback. In other cases, when tying a patient record to the collected information is helpful or necessary, organizations should consider using a unique identifier — such as a patient ID or account number — instead of a name.
