No matter how tight its HIPAA privacy procedures, if the office isn’t also focusing on common sense, the patient data is wide open to compromise.
“That’s because we do things we don’t think about,” says Rosemarie Nelson, a principle with MGMA practice management consulting in Syracuse, NY.
“It’s not hackers trying to get at the office’s data” that the manager needs to worry about, she says, “it’s accidents.” And the accidents are caused by “the stuff we do every day and become blank to.”
Lost laptop
The greatest danger comes from lost and stolen laptops. They disappear because people take them home, Nelson says, and the data isn’t as secure as people think.
Suppose the data is stored in the cloud. True, it’s not on the laptop, but that doesn’t mean it can’t be accessed. There may well be a report or document on the desktop that carries parts of the data. “People forget about that,” Nelson says.
The same for smartphones. They get left in cabs and restaurants, and many times files can be downloaded from them. The danger depends on what applications are on the phone. If there’s access to email, all the messages are at risk; if there are patient medication lists or clinical notes, patient privacy is at risk.
Easy safety steps to take
The safety steps are both obvious and simple, Nelson says. But people don’t take them – or at least not all of them – and failure to do so cancels out the most sophisticated privacy protections the office has set up.
Easiest and simplest of all safety measures: passwords.
|
How to keep laptops safe outside the office Here are laptop protections law enforcement and computer security companies recommend.
The FAA warns that thieves steal laptops by working in pairs. They get in line together and the first thief goes through the scanner. But the second thief has pockets full of change and keys or wears something that will set off the alarm and holds up the line. The people waiting have already put their belongings on the conveyor, so the first thief picks up a laptop that rolls out and walks off with it.
|
Every computer should require a password to open it.
Every application should have another password.
And every password should be protected.
The manager needs to set a rule that staff can’t keep their passwords on notes at the desk or in a file on the computer or on a smartphone. “That’s just basic common sense,” Nelson says.
Then set another rule nobody (including the manager) wants to follow: Change all the passwords every 90 days.
The passwords need to be changed that often because they are the weak link in data protection, Nelson explains. People share them, especially in a medical office. And sometimes it’s a necessity as when a physician needs a password to review patient notes on a nurse’s terminal. But if the physician gets called away and leaves the computer running, the data is there for anybody to see. Or maybe the doctor closes the file but needs it again later and asks another nurse to get the information – and now that second nurse has the password.
Changing passwords “is a hassle for everybody,” Nelson admits. But it’s common sense, “the same as a rule not to talk about patients in the elevator.” It’s a necessity for protecting patient privacy.
Timeouts and limited access
Another common-sense protection is to set computers to revert to passwords automatically after a certain number of minutes of no activity. That way, staff don’t have to remember to log out when they walk away.
Still another is to limit each staffer’s data access to what’s needed to do the specific job. The schedule staffer, for example, should not be able to access patient medication lists.
In a small office where everybody does everything, limits aren’t always possible. But in an office where each staffer’s job is structured, it’s both possible and necessary.
Exposed server
Server protection is another given but also a point that gets overlooked.
The server should be in a locked area, Nelson says. Mostly that’s to prevent accidents such as somebody walking by and spilling a drink on it. But it’s a HIPAA issue as well. No office allows people to wander through the paper files in the medical record room lest a file be taken out or compromised. The same for the server. The information could get downloaded.
Unprotected phone
Protect the doctors’ smartphones as well. A good solution is to contract with a remote management service that can lock access or wipe out the data if the phone is lost. “It’s like an insurance policy,” Nelson says.
Also, to prevent shoulder surfing on both phones and terminals, install screens so the information can’t be read at an angle.
Privacy more than theft
On the positive side, Nelson says, a medical office doesn’t have to worry about theft nearly as much as a financial firm or retail business does. While an office may store Social Security numbers and driver’s license information, it doesn’t typically store the big-ticket items, which are credit card numbers and bank account information.
Thieves want money data, “not information about somebody’s allergy medication,” she explains. There may be interest in getting prescription access from a pain management practice, “but the real win for criminals is money, and there’s no money from knowing somebody’s prescriptions.”
Added to that is the fact that people don’t scoop up lost laptops or phones for data but for their own personal use. And even if a thief tries to use the data for fraud, if everything is password protected, “that criminal is going to move to the next easy target,” she says.
The concern instead is patient privacy. And it’s common sense that protects it, Nelson says.
Do the basics “and the office is safe,” she says. “There’s no need to get paranoid about that.” But there is a need to keep staff sensitive to the common-sense protections for patient privacy.
| Editor’s picks: | ||
 HIPAA extends to gossip as well as to searching out dirt on an ex-spouse
|
 5 essential steps to ensure an effective HIPAA program |
 HIPAA Refresher: Is your practice on top of NPPs? |
