Part 5: 3 Best Practices to ensure the Privacy and Security of PHI

Whether you are an administrator of a large healthcare organization, a medical assistant in a small medical practice, or a healthcare provider working out of multiple locations, under HIPAA we all have a responsibility to ensure the privacy and security of protected health information (PHI), regardless of our role.

In this fifth and final part of our multi-part HIPAA article series, we will recommend 3 best practices to help you and your organization ensure the privacy and security of PHI.

1. Implement and understand HIPAA Policies and Procedures specific to your organization

This is by far one of the most important methods for you and your organization to ensure the privacy and security of PHI. If there is only one recommendation you take away from this entire article series, it is to be certain that the HIPAA policies and procedures specific to your organization are implemented and understood by all employees. Yes, there are specific HIPAA policies and procedures we are all required to follow; however, an organization has a certain amount of room to decide how the privacy of PHI is best safeguarded in its own setting.

For example, you should have policies and procedures in place specific to your organization to ensure the proper storage and/or destruction of PHI when no longer in use.

2. HIPAA Walkthrough

Determining how to best safeguard the privacy of PHI is often best accomplished during your organization's HIPAA Walkthrough. While there may be one or more individuals assigned to perform a HIPAA Walkthrough, it is important for everyone in your organization to know the findings especially if something is discovered that could impact the privacy and security of PHI.

Imagine your organization has a main campus where employees follow your organization's policies and procedures, which require hard-copy PHI to be stored in a secured file cabinet when not in use, or immediately placed in the shred-it bin if it is to be destroyed. At your organization's satellite locations, PHI is placed in a bin on the edge of a desk until the end of the shift, when the PHI is either stored or placed in a shred-it bin. While performing the HIPAA Walkthrough, it is determined that the bin at the edge of the desk presents a significant risk of a breach or theft of PHI. This finding should be shared with everyone at the satellite locations, not just the person who performed the walkthrough.

3. Security Risk Analysis

While it is important to perform a security risk analysis (SRA) initially and on an annual basis thereafter, it is just as important to have an action plan in place to address any deficiencies. All employees impacted by the SRA findings should be brought up to speed on any changes in your organization's policies and procedures; this is often part of the SRA action plan. For an action plan to be effective, we recommend working on deficiencies in order of their level of risk. Additionally, it is important to figure out what can be completed in the short term and what may require more time to implement.

For example, during your SRA you discover that your organization's user ID / password policy is not sufficient. Currently employees are allowed to choose their own usernames and rarely, if ever, change their passwords. Because a weak or long-unchanged password carries a high risk of data compromise, this policy should be updated as soon as possible, and your action plan should identify when the change will be made. We recommend a unique, centrally assigned username for each user and a strong password policy. A password policy that meets current recommendations requires a minimum length of at least 8 characters (the minimum NIST SP 800-63B sets for user-chosen secrets; 6 characters is not sufficient), rejects passwords that appear on known-compromised lists or contain the username, and requires users to change their password on a defined schedule, for example every sixty days, or immediately when compromise is suspected. Combined with a unique username, this gives you a defensible basis for authenticating users who access or transmit protected health information; it does not by itself prevent every compromise, so where your systems support multi-factor authentication, enable it as well.
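The following is an added example, not code from the original article or from Healthcare Compliance Pros. It encodes the corrected credential policy described above as a checker that a practitioner could run against exported account records during an SRA. The thresholds (8-character minimum, three character classes, sixty-day maximum age, centrally assigned usernames), the compromised-password list and the two sample accounts are all constructed assumptions for illustration.

```python
"""Credential-policy checker for an SRA finding on weak user ID / password policy.

Added example, not part of the original article. Thresholds and sample data
are assumptions: 8-character minimum (NIST SP 800-63B floor), three of four
character classes, a sixty-day maximum password age, and centrally assigned
usernames. A real deployment would screen against a full breached-password
corpus rather than the tiny constructed list below.
"""
from __future__ import annotations

import string
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for a known-compromised password list.
COMPROMISED = {"password", "password1", "welcome1", "123456", "qwerty123"}


@dataclass
class Policy:
    min_length: int = 8            # NIST SP 800-63B minimum for user-chosen secrets
    min_classes: int = 3           # of: lowercase, uppercase, digit, symbol
    max_age_days: int = 60         # the article's sixty-day rotation window
    require_assigned_username: bool = True


@dataclass
class Account:
    username: str
    password: str
    password_set_on: date
    username_assigned_by_admin: bool


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def evaluate(account: Account, policy: Policy, today: date) -> list[str]:
    """Return a list of policy findings for the account; empty means compliant."""
    findings: list[str] = []
    if policy.require_assigned_username and not account.username_assigned_by_admin:
        findings.append("username is self-chosen; assign unique usernames centrally")
    pw = account.password
    if len(pw) < policy.min_length:
        findings.append(f"password shorter than {policy.min_length} characters")
    if character_classes(pw) < policy.min_classes:
        findings.append(f"password uses fewer than {policy.min_classes} character classes")
    if pw.lower() in COMPROMISED:
        findings.append("password appears on the known-compromised list")
    if account.username and account.username.lower() in pw.lower():
        findings.append("password contains the username")
    age_days = (today - account.password_set_on).days
    if age_days > policy.max_age_days:
        findings.append(f"password is {age_days} days old; maximum is {policy.max_age_days}")
    return findings


# Constructed sample accounts: one matching the SRA finding in the article
# (self-chosen username, weak password never rotated), one meeting the policy.
WEAK = Account("jsmith", "welcome1", date(2022, 1, 15), username_assigned_by_admin=False)
STRONG = Account("u4821", "Tq7!mzp2Lr", date(2024, 3, 1), username_assigned_by_admin=True)


if __name__ == "__main__":
    today = date(2024, 3, 11)
    for acct in (WEAK, STRONG):
        result = evaluate(acct, Policy(), today)
        print(acct.username, "->", result or ["compliant"])
```

Running the script lists four findings for the weak account (self-chosen username, too few character classes, a compromised password and an expired password) and none for the compliant one; those findings map directly onto the action-plan items the SRA should schedule.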

How we can help

Healthcare Compliance Pros helps your organization implement and train on customized policies and procedures that are specific to your organization while meeting HIPAA requirements. We have a HIPAA Virtual Walkthrough which provides you an opportunity to identify HIPAA Privacy and HIPAA Security opportunities for improvement. Many of you already have our self-guided online SRA; however, we have other options that include a comprehensive review and custom action plan provided by one of our HIPAA professionals. If need be, we can even come onsite and perform a HIPAA audit.

In case you missed it, here are parts 1-4 of our HIPAA Multi-Part Article Series:

Part 1: Clearing up the Confusion "HIPPA" vs HIPAA

Part 2: Permission Disclosures under the HIPAA Privacy Rule

Part 3: Mobile Device(s) Policy and Procedures

Part 4: HIPAA Provides the Framework and We must act to prevent a Cyber-Attack

We hope that this five-part HIPAA article series has been beneficial for your organization. If you have any questions about policies and procedures, HIPAA Walkthroughs or our SRA options, please feel free to comment below or send us an email at or reach us by phone toll-free at 855-427-0427.