By Mark Wright, OD, FCOVD,
and Carole Burns, OD, FCOVD
Jan. 29, 2020
You have to secure your practice’s data, and you also need to store it long-term. Here is what you need to consider, including how best to protect this information from both internal and external breaches.
Your patient data needs to be kept a minimum of seven years (some say 10 years) and longer if you are seeing pediatric patients. It is important to check with both your practice attorney and your malpractice insurer (because many of them stipulate how long to keep patient charts). The reason is that if a malpractice lawsuit is filed and the patient records have been destroyed, it is hard to defend the care delivered.
Securing patient data is not just a good idea, it is a requirement. HIPAA requires you to secure your patient data. The idea is if the practice burned down today, your data is secure off-site in some fashion so that if a patient has a need tomorrow, the data is ready for access and patient care can continue uninterrupted.
Make sure you’ve secured your practice data from both internal and external breaches.
1) From internal breaches.
a) You should never permit a patient to be in a room alone with access to patient data. Teach doctors and staff that if they leave the room, even for a short time, they must log out.
b) No staff member should be able to log in (or continue to access patient data) using another person’s password. For your software to accurately track who is making changes to patient or practice data, the software needs to know who is typing.
c) Not every staff member should have access to every piece of data in your software. For example, do you want every staff member to be able to change the financial data of patients?
2) From external breaches.
a) Bad actors are looking for ways into your software to steal data, harm data, or ransom data. You must have current, up-to-date protection in place to prevent this. This includes firewalls, anti-virus software, internet security and more. This also includes protocols for what staff can and cannot do with any e-mail or internet usage.
b) Make sure you have protocols in place that regulate the use of flash drives and portable hard drives.
c) Make sure your practice is utilizing a secure portal for any patient information interactions.
In today’s complex world, it is not enough to set up protections and let them run, because compliance drift occurs often. This requires that you have protocols for running compliance checks across your digital footprint routinely, as well as protocols for remediating any problems discovered quickly and accurately.
Prevention is always the better way to go. However, there is the possibility that you may have had an incident and need investigation, management and reporting. Check with your current IT specialists to make sure there is an action plan for this contingency.
Take this week to review your practice data security protocols. Use these two steps to make sure you are protected:
1) Make sure you are HIPAA-compliant.
2) Make sure all your doctors and staff are up-to-date on all security protocols.