By Peter J. Cass, OD
Feb. 24, 2021
The ability to work from home is a potential life-saver during a dangerous pandemic, and it is also becoming common in American business. There are data security risks when doctors and employees log into practice computer systems remotely. In addition to the importance of maintaining your commitment to patients to keep their private information secure, fines for HIPAA violations can be costly, ranging from around $10,000 for mild breaches to in excess of $1 million in severe cases.
Here are important steps to take to ensure you optimize the benefits of working from home while keeping patient and practice data secure.
Ensure Secure Remote Connection & Platform
Providers who want to utilize remote access must ensure they have adequate standards both for their remote connection and for the internal office network which will be accessed remotely. The HIPAA Security Rule does not require specific technology solutions for providers, but the Health and Human Services (HHS) department gives general guidance (see Security Standards: Technical Safeguards for in-depth information). HHS specifically addresses five HIPAA technical standards. These are listed below with my recommendations for how to address each of these standards:
1. Access control – The ability or the means necessary to read, write, modify or communicate data/information, or otherwise use any system resource. Examples include:
• Require unique and complex username and passwords for each staff member
• Use automatic logoff
• Use of screen lock when not physically at the workstation
• Use of encryption and decryption (encrypt any hard drives with patient data)
• Isolate Wi-Fi off main network (one Wi-Fi for patients and separate secure Wi-Fi for staff)
• Confirm HIPAA security compliance for all remote access software, or use a virtual private network (VPN)
• Establish procedures for obtaining necessary electronic information during an emergency
2. Audit controls – Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.
• Make sure your EHR systems and router track user activity
3. Integrity – Implement policies and procedures to secure electronic protected health information from improper alteration or destruction.
• Use cloud-based backup
• Keep operating systems updated
• Keep antivirus updated
• Implement access controls to limit staff use of the internet
4. Person or Entity Authentication – Implement procedures to verify that a person or entity seeking access to electronic information is who they claim to be
• Make sure workstations and servers require PINs or passwords to access
5. Transmission Security – Implement technical security measures to guard against unauthorized access to electronic information that is being transmitted over an electronic communications network.
Implement a Platform that Complies
Once you have the basics taken care of for your internal network, you can work on the remote-access portion. There are a few options here. For server-based (in-office) EHR systems, a VPN (set up by your IT company) is secure and allows users to work as if they were at another computer in the office. HIPAA-compliant remote desktop apps such as TeamViewer, LogMeIn or GoToMyPC can give you access to a specific computer in the office that you can remotely control. Another option is a cloud-based EHR solution, which allows login from any internet-connected device (care should be taken to make sure that device is HIPAA-compliant).
A good commercial-grade router is critical for security. SonicWall makes good ones that your local IT company can install for you. These routers will also act as a firewall protecting the office network from unauthorized access.
Update HIPAA Security Staff Training
Provide additional HIPAA staff training with an emphasis on creating secure remote access. Major points to cover during this training include password safety, proper logoff, updating operating systems, updating web browsers and updating antivirus. Practices can conduct this training remotely, but should avoid sharing passwords or sensitive information over video calls or e-mails.
Employees should be instructed to never write down their passwords. One way to make passwords easier to remember and increase security is to use a long, easy-to-remember phrase in all lower case. For example, “thisismysupersecretandsecurepasswordfortheoffice” is a much stronger password than “*&5syhq_9.” Longer passwords are much harder to crack than shorter passwords (even with symbols and numbers).
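The length-versus-complexity point can be made concrete with a search-space estimate. The following Python is an added example, not code from the article: it scores both passwords from the paragraph above under a per-character model and, for the phrase, a per-word model as well, since a phrase built from common words should be scored by its word count rather than its letters. The guess rate, the 20,000-word vocabulary, the character-class sizes and the 16-character minimum are assumptions.

```python
import math

# Assumed offline guess rate (a round figure, not from the article).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed vocabulary size for scoring a phrase word by word.
ASSUMED_VOCABULARY = 20_000
# Assumed minimum length for a policy that favours length over symbols.
ASSUMED_MIN_LENGTH = 16


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols, space included
    return size


def random_char_bits(password: str) -> float:
    """Bits of search space if each character is chosen uniformly from its charset."""
    return len(password) * math.log2(charset_size(password))


def word_model_bits(word_count: int, vocabulary: int = ASSUMED_VOCABULARY) -> float:
    """Bits of search space if the phrase is guessed one whole word at a time."""
    return word_count * math.log2(vocabulary)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a space of the given size."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def meets_length_policy(password: str, min_len: int = ASSUMED_MIN_LENGTH) -> bool:
    """Length-first policy check: long lower-case phrases pass, short symbol strings do not."""
    return len(password) >= min_len


def compare(symbol_password: str, passphrase: str, phrase_word_count: int) -> dict:
    """Score the two styles so the numbers can be put side by side."""
    return {
        "symbol_bits": random_char_bits(symbol_password),
        "phrase_bits_by_char": random_char_bits(passphrase),
        "phrase_bits_by_word": word_model_bits(phrase_word_count),
        "symbol_years": years_to_exhaust(random_char_bits(symbol_password)),
        "phrase_years_by_word": years_to_exhaust(word_model_bits(phrase_word_count)),
    }
```

Even scored by words, the eleven-word phrase sits well above the nine-character symbol password, which is the comparison the paragraph is making.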
What Do I Do In Case of Employee Security Breach?
Breaches should be addressed based on severity. A low-risk breach could be managed through documentation of what happened, write-up of the employee, additional training for the employee and documentation of corrective actions taken.
Breaches must be dealt with seriously, and employees with continued minor failures to follow compliance protocol, or those who have committed a severe breach, should be terminated.
With the right training and guidance, you can avoid security breaches, ensuring the security of patient information and ensuring the practice will not find itself heavily fined for HIPAA violations.
Peter J. Cass, OD, is a partner in Practice Compliance Solutions, faculty for the University of Houston College of Optometry, an associate at MyEyeDr Beaumont and past-president of the Texas Optometric Association. To contact: peter@PCScomply.com