In the popular TV series “8 Simple Rules for Dating My Teenage Daughter,” the rules may have been a bit exaggerated, but they sure made their point. (Rule #1: Use your hands on my daughter and you’ll lose them after.) Likewise, my “8 Simple Rules for Protecting PHI” strike a similar chord – no threats of bodily harm, but certain transgressions may be bad enough to result in personnel sanctions or even loss of employment. This is serious stuff.
And as with the dating commandments, my 8 rules for safeguarding PHI are not simple but they are doable – provided you can engender operational discipline throughout your enterprise and extend that influence over important business partners. This always requires a 100% commitment to security at the highest level of your organization. But that really shouldn’t be an issue. After all, breach notification rules are strict and the monetary penalties high enough that survival of your business may literally depend on it.
Rule #1: Maintain a comprehensive PHI inventory within your organization and your business associates. You need to know everywhere under your direct and indirect control where protected health information “lives.” This includes both structured and unstructured ePHI, records replicated in multiple places (backups, test systems, exports, e-mail), paper files, etc.
Rule #2: Establish a data classification model and assign levels of sensitivity. While many government agencies use a 5-level model (or even more), a 2 or 3-tiered system should be sufficient to start with.
Rule #3: Map how ePHI travels during normal workflow. Ensure that compatible security controls exist at both ends of each data transfer. Then do an additional exercise looking at how ePHI might need to be transferred during exceptional events or in crisis management situations. Apply the same safeguards.
Rule #4: Develop access control policies that balance “need to know” (the minimum necessary) without compromising patient care. Then implement and enforce those policies and controls systematically, so that software applications, database rules, and personnel restrict access to sensitive information to only the people and/or other software programs that have been specifically granted access rights.
Rule #5: Monitor and audit all access to ePHI (include read-only, data changes, privileged activity such as changes to data structures and changes to user access rights).
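As an added illustration of Rules #4 and #5 (example code written for this page, not part of the original post), the following Python script reviews a small ePHI audit log and flags the three kinds of activity the rule names: read-only access and data changes that fall outside a user's role or current care relationship, and privileged activity such as schema changes and grants of access rights. The log format, user names, roles, table names and care relationships are all constructed assumptions; in a real deployment the role and relationship tables come from your identity system and patient scheduling feed, not from literals.

```python
import json
from collections import Counter

# Constructed audit events, one JSON object per line; not real data.
AUDIT_LOG = """\
{"ts": "2024-03-01T08:02:11Z", "user": "nurse01", "action": "read", "table": "chart", "patient": "P-1001"}
{"ts": "2024-03-01T08:05:40Z", "user": "nurse01", "action": "update", "table": "vitals", "patient": "P-1001"}
{"ts": "2024-03-01T08:30:02Z", "user": "nurse01", "action": "read", "table": "chart", "patient": "P-2002"}
{"ts": "2024-03-01T09:10:55Z", "user": "dba01", "action": "alter_table", "table": "chart", "patient": null}
{"ts": "2024-03-01T09:12:07Z", "user": "dba01", "action": "grant", "table": "chart", "patient": null, "target_user": "nurse01"}
{"ts": "2024-03-01T10:00:00Z", "user": "billing02", "action": "read", "table": "labs", "patient": "P-1001"}
{"ts": "2024-03-01T10:05:19Z", "user": "billing02", "action": "read", "table": "chart", "patient": "P-1001"}
"""

# Assumed role assignments (would come from the identity system).
ROLES = {"nurse01": "clinical", "billing02": "billing", "dba01": "dba"}
# Assumed minimum-necessary policy: which roles may touch which table.
TABLE_ROLES = {"chart": {"clinical"}, "vitals": {"clinical"}, "labs": {"clinical", "billing"}}
# Assumed current care/account relationships (would come from scheduling/ADT).
CARE_RELATIONSHIPS = {"nurse01": {"P-1001"}, "billing02": {"P-1001"}}
# Actions that change data structures or access rights; always reported.
PRIVILEGED_ACTIONS = {"alter_table", "drop_table", "grant", "revoke"}


def classify(action):
    """Bucket an action into the categories Rule #5 asks you to audit."""
    if action in PRIVILEGED_ACTIONS:
        return "privileged"
    if action == "read":
        return "read"
    return "change"


def check_event(ev):
    """Return a finding string for one event, or None when the access is expected."""
    if classify(ev["action"]) == "privileged":
        # Privileged activity is always worth a reviewer's eyes, even when authorized.
        return "privileged action: " + ev["action"]
    role = ROLES.get(ev["user"], "unknown")
    if role not in TABLE_ROLES.get(ev["table"], set()):
        return f"role {role} not permitted on {ev['table']}"
    if ev["patient"] not in CARE_RELATIONSHIPS.get(ev["user"], set()):
        # Read-only access counts: this is the classic "snooping" pattern.
        return f"no care relationship with {ev['patient']}"
    return None


def review_audit_log(log_text):
    """Parse the log, count events by category, and collect findings in log order."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        counts[classify(ev["action"])] += 1
        reason = check_event(ev)
        if reason is not None:
            findings.append((ev["ts"], ev["user"], reason))
    return counts, findings


if __name__ == "__main__":
    counts, findings = review_audit_log(AUDIT_LOG)
    print("events by category:", dict(counts))
    for ts, user, reason in findings:
        print(f"{ts} {user}: {reason}")
```

Run against the constructed log, the script reports four findings: a nurse reading a chart for a patient she is not assigned to, two privileged database actions, and a billing user reading a clinical table that the policy reserves for clinical roles. The ordinary read and update by the assigned nurse and the billing read of the labs table pass silently, which is the point: the audit trail must capture everything, but the review should surface only what departs from policy.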
Rule #6: Conduct internal vulnerability testing and an assessment of your current security measures (controls testing). These are components of the risk analysis process that every organization handling PHI should already be performing. If you don’t have the skill set in house, bring in a qualified outside vendor; expert security firms can add technical depth to your analysis. Establish a regular, repeatable, ongoing security assessment process that lets you adapt to changes in technology, people, systems, business relationships and workflows. Make certain the process retains historical data so that management can see progress over time.
Rule #7: Implement an ongoing security awareness campaign and regular training program that fits your culture, yet ensures employees understand their role in safeguarding PHI. Conduct social engineering testing on your employees to measure the effectiveness of the training.
Rule #8: Encrypt all ePHI stored on any device that can be carried out of your office (desktops, laptops, hard drives, backup tapes, iPads/tablets, smart phones, and other portable media).
We understand that this is one of the most significant undertakings facing healthcare organizations today. But there really isn’t a choice. A single individual’s healthcare involves multiple practitioners, facilities, diagnostic labs, administrators, payers, ancillary service providers, etc. The very benefits that electronic health records promise can only be realized if the security challenges are met. We’re here to help. It’s 11PM. Do you know where your PHI is?