
HIPAA security can fail if the office doesn’t take common-sense precautions

No matter how tight its HIPAA privacy procedures, if the office isn’t also focusing on common sense, the patient data is wide open to compromise.

“That’s because we do things we don’t think about,” says Rosemarie Nelson, a principal with MGMA practice management consulting in Syracuse, NY.

“It’s not hackers trying to get at the office’s data” that the manager needs to worry about, she says, “it’s accidents.” And the accidents are caused by “the stuff we do every day and become blank to.”

Lost laptop

The greatest danger comes from lost and stolen laptops. They disappear because people take them home, Nelson says, and the data isn’t as secure as people think.

Suppose the data is stored in the cloud. True, it’s not on the laptop, but that doesn’t mean it can’t be accessed. There may well be a report or document on the desktop that carries parts of the data. “People forget about that,” Nelson says.

The same for smartphones. They get left in cabs and restaurants, and many times files can be downloaded from them. The danger depends on what applications are on the phone. If there’s access to email, all the messages are at risk; if there are patient medication lists or clinical notes, patient privacy is at risk.

Easy safety steps to take

The safety steps are both obvious and simple, Nelson says. But people don’t take them – or at least not all of them – and failure to do so cancels out the most sophisticated privacy protections the office has set up.

Easiest and simplest of all safety measures: passwords.

How to keep laptops safe outside the office

Here are laptop protections law enforcement and computer security companies recommend.

  • Keep a file of the serial and model numbers of each laptop plus the support phone numbers. Then, if a laptop is stolen, the office has the identifying information for it.
  • Use a cable lock in the office and also when using a computer in a restaurant or airport. Do the same if the computer has to be left in a hotel room. View it as $1,000 in cash just sitting around.
  • On the outside of the laptop, engrave a phone number and a note that there’s a $300 reward for returning it. That’s more than a fence will pay for it, so the thief may call and say the laptop was found somewhere and collect the reward.
  • Put an obvious marking on the outside of the laptop with paint or white-out correction fluid. That deters theft, because the thief sees immediately that it won’t be easy to carry the computer off without being detected and also that the computer can’t be resold.
  • If the computer is in a backpack, put a lock on the zipper so nobody can get behind in a line and slip it out.
  • Don’t leave a laptop or any electrical device visible in a car, even at home. A thief can smash a window and grab it in a matter of seconds. On the other hand, nobody breaks into an empty car.
  • If a laptop is in the trunk of a car, hook it to the trunk lid with a cable lock.
  • Because computer theft is so common and can happen so fast at airports, keep a hand or a foot on the laptop while waiting for a flight.
  • Don’t put a laptop on an airport security conveyor belt until it’s time to walk through X-ray. The FAA warns that thieves steal laptops by working in pairs. They get in line together and the first thief goes through the scanner. But the second thief has pockets full of change and keys or wears something that will set off the alarm and holds up the line. The people waiting have already put their belongings on the conveyor, so the first thief picks up a laptop that rolls out and walks off with it.
  • Don’t advertise a laptop by carrying it in a standard case. Use a case that looks like a briefcase or carry-on luggage. And while on a plane, don’t leave a computer on the seat when going to the restroom. Put it in a case and put the case under the seat or in the overhead storage.

Every computer should require a password to open it.

Every application should have another password.

And every password should be protected.

The manager needs to set a rule that staff can’t keep their passwords on notes at the desk or in a file on the computer or on a smartphone. “That’s just basic common sense,” Nelson says.

Then set another rule nobody (including the manager) wants to follow: Change all the passwords every 90 days.

The passwords need to be changed that often because they are the weak link in data protection, Nelson explains. People share them, especially in a medical office. Sometimes sharing is a necessity, such as when a physician needs a password to review patient notes on a nurse’s terminal. But if the physician gets called away and leaves the computer running, the data is there for anybody to see. Or maybe the doctor closes the file but needs it again later and asks another nurse to get the information – and now that second nurse has the password.

Changing passwords “is a hassle for everybody,” Nelson admits. But it’s common sense, “the same as a rule not to talk about patients in the elevator.” It’s a necessity for protecting patient privacy.

Timeouts and limited access

Another common-sense protection is to set computers to lock automatically and require the password again after a set number of minutes of inactivity. That way, staff don’t have to remember to log out when they walk away.

Still another is to limit each staffer’s data access to what’s needed to do the specific job. The schedule staffer, for example, should not be able to access patient medication lists.

In a small office where everybody does everything, limits aren’t always possible. But in an office where each staffer’s job is structured, it’s both possible and necessary.
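The two controls just described (automatic lock after inactivity, and limiting each role to the record types its job needs) can be modelled in a few lines. The block below is an added example, not code from the article or from MGMA; the role table, the 10-minute idle limit and the record-type names are constructed for illustration. It denies by default (an unknown role or an unlisted record type is refused), refuses every request on a locked session until the user re-enters a password, and writes each decision to an audit log so that a scheduler repeatedly trying to open medication lists is visible to the manager.

```python
# Added example (not from the article): a small model of two common-sense
# controls, an idle timeout that re-locks a session and least-privilege access
# to record types by job role, with an audit log of every decision.
import time
from dataclasses import dataclass, field

# Constructed role table (assumption, not the article's): which record types
# each job may open. Anything not listed here is denied by default.
ROLE_PERMISSIONS = {
    "scheduler": {"appointments", "demographics"},
    "nurse": {"appointments", "demographics", "medications", "clinical_notes"},
    "physician": {"appointments", "demographics", "medications",
                  "clinical_notes", "lab_results"},
}

IDLE_LIMIT_SECONDS = 10 * 60  # assumed office policy: lock after 10 idle minutes


@dataclass
class Session:
    user: str
    role: str
    last_activity: float          # epoch seconds of the last permitted action
    locked: bool = False
    audit_log: list = field(default_factory=list)  # (time, user, record, verdict, reason)


def new_session(user, role, now=None):
    """Open a session for a user who has just entered a valid password."""
    return Session(user=user, role=role,
                   last_activity=time.time() if now is None else now)


def access_record(session, record_type, now=None):
    """Decide whether the session may open record_type.

    Returns (True, "") when allowed, (False, reason) when refused. Checks run
    in order: is the session still live, then is the role permitted to see
    this record type. Denied attempts do not count as activity.
    """
    now = time.time() if now is None else now
    # Control 1: automatic re-lock after inactivity, so nobody has to remember to log out.
    if session.locked or now - session.last_activity >= IDLE_LIMIT_SECONDS:
        session.locked = True
        reason = "session locked after inactivity; re-enter password"
        session.audit_log.append((now, session.user, record_type, "deny", reason))
        return False, reason
    # Control 2: least privilege, deny by default for unknown roles and unlisted record types.
    permitted = ROLE_PERMISSIONS.get(session.role, set())
    if record_type not in permitted:
        reason = "role not permitted"
        session.audit_log.append((now, session.user, record_type, "deny", reason))
        return False, reason
    session.last_activity = now
    session.audit_log.append((now, session.user, record_type, "allow", ""))
    return True, ""


def unlock(session, password_ok, now=None):
    """Re-open a locked session only after the user re-authenticates."""
    now = time.time() if now is None else now
    if not password_ok:
        session.audit_log.append((now, session.user, "", "deny", "bad password on unlock"))
        return False
    session.locked = False
    session.last_activity = now
    return True


def denied_attempts(session):
    """Audit helper: (user, record_type, reason) for every refused request."""
    return [(u, r, why) for (_, u, r, verdict, why) in session.audit_log if verdict == "deny"]


if __name__ == "__main__":
    s = new_session("pat", "scheduler", now=0)
    print(access_record(s, "appointments", now=60))                    # allowed
    print(access_record(s, "medications", now=120))                    # scheduler: denied
    print(access_record(s, "appointments", now=120 + IDLE_LIMIT_SECONDS))  # idle: locked
    print(unlock(s, password_ok=True, now=1000))
    print(access_record(s, "appointments", now=1001))                  # allowed again
    for entry in denied_attempts(s):
        print("denied:", entry)
```

The `now` parameter exists only so the behaviour can be exercised deterministically; in real use the calls fall back to the clock. The point to notice is that a denied request never refreshes `last_activity`, so a locked session stays locked until someone actually re-enters a password.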

Exposed server

Server protection is another given but also a point that gets overlooked.

The server should be in a locked area, Nelson says. Mostly that’s to prevent accidents such as somebody walking by and spilling a drink on it. But it’s a HIPAA issue as well. No office allows people to wander through the paper files in the medical record room lest a file be taken out or compromised. The same for the server. The information could get downloaded.

Unprotected phone

Protect the doctors’ smartphones as well. A good solution is to contract with a remote management service that can lock access or wipe out the data if the phone is lost. “It’s like an insurance policy,” Nelson says.

Also, to prevent shoulder surfing on both phones and terminals, install privacy screens so the information can’t be read at an angle.

Privacy more than theft

On the positive side, Nelson says, a medical office doesn’t have to worry about theft nearly as much as a financial firm or retail business does. While an office may store Social Security numbers and driver’s license information, it doesn’t typically store the big-ticket items, which are credit card numbers and bank account information.

Thieves want money data, “not information about somebody’s allergy medication,” she explains. There may be interest in getting prescription access from a pain management practice, “but the real win for criminals is money, and there’s no money from knowing somebody’s prescriptions.”

Added to that is the fact that people don’t scoop up lost laptops or phones for data but for their own personal use. And even if a thief tries to use the data for fraud, if everything is password protected, “that criminal is going to move to the next easy target,” she says.

The concern instead is patient privacy. And it’s common sense that protects it, Nelson says.

Do the basics “and the office is safe,” she says. “There’s no need to get paranoid about that.” But there is a need to keep staff sensitive to the common-sense protections for patient privacy.
