Unfortunately, even when sharing medical records with patients seems like the right thing to do, it can violate HIPAA. It sounds like an oxymoron, but it's true. As such, HIPAA compliant file sharing is a big deal in the medical services industry.
According to the U.S. Department of Health and Human Services (HHS), “Lack of patient access to their protected health information” is the third most frequent HIPAA violation. Health care providers are charged with the responsibility to keep medical records secure.
However, failing to disclose records to the patient when requested cost one healthcare provider $4.3 million. In addition, failing to put sufficient controls in place to protect electronic records attracts hefty fines. For example, Anthem Inc. had to pay a $16 million fine for failing to adequately address vulnerabilities in their system.
First, let us look at what HIPAA is and what it prescribes for patient records.
What Does HIPAA Say About Electronic Records?
The Health Insurance Portability and Accountability Act (HIPAA) was established to safeguard the confidentiality of medical records. There are two parts to this Act, the Privacy Rule and the Security Rule. The Privacy Rule is concerned with the protection of individually identifiable health information, referred to as protected health information (PHI).
The Security Rule covers the protection of e-PHI, that is, the same information when it is created, received, maintained, or transmitted electronically.
Our area of focus is the Security Rule. The Regulation Text identifies the areas a covered entity, such as a health insurance provider or a health care provider, must address to comply with the Act. However, as technology changes, the Act cannot prescribe specific courses of action. That is why we have come up with this list of security tips to keep you on the right side of the law and secure your data.
File Sharing Best Practices for HIPAA Compliance
The following are a few digital privacy and security tips to help stay on the right side of the law when sharing files.
Encryption guarantees that only the person with the decryption key can view, alter, or download a file. Files should be encrypted at all stages of transmission. Even if the file is intercepted at the source or in transit, the interceptor cannot read the file.
One of the requirements of the Act is risk assessment and evaluation. Internal risk assessment helps you identify the vulnerabilities in your system. The following are a few questions to ask yourself as you assess your threat level:
- Who has access to the files?
- Can personnel access medical records if they are not involved in the case?
- How do they access your files?
- What gadgets do they use?
- Do they need additional passwords?
- Can terminated employees access the system?
- Can employees gain access if they don’t have authorization?
Answering these questions will enable you to set up tighter controls, enhancing the security of your records.
Limit Physical Access to High-Risk Workstations
We invest in robust IT security systems to limit off-site access, yet physical access is still a leading source of HIPAA violations. In one example, a nurse gained unauthorized access to patient records using someone else's login credentials when they stepped away from their workstation.
One way to limit such incidents is to initiate a timed log-off. When the computer remains unused for a specific number of seconds or minutes, it automatically logs the user off. The only way to log back on is by inputting the password.
Train Employees on Procedures and Liability If They Fail to Comply
Training is expressly mentioned in the regulation text, but it is also good practice. Your employees can cause a security gap with just one click. Phishing, which involves getting valuable information from individuals under false pretenses, is on the rise. Attackers now use domain names that look similar to trusted sites.
Ensure your staff learns about these new tactics used by hackers. In addition, they need to understand the repercussions of HIPAA violations both as individuals and to the organization.
Use Password Managers
Too many of us use the same password across all our accounts. It makes it easy for an outsider to access a secure system. To eliminate the stress of creating secure passwords, why not use a password manager? Not only will it help you generate a strong password with the combination of characters needed, but it will also store those passwords, releasing your memory from that responsibility.
Regularly Update Your Security System
If you are using a local network, ensure your system remains updated. A cloud-based system will be updated automatically by the vendor with minimal disruption to your operation.
Every day, hackers spend a lot of time and resources creating malware. Even the United Kingdom's National Health Service (NHS) fell victim to a WannaCry ransomware attack a few years ago.
Ensure that your files are encrypted and that the system is regularly scanning for threats. In the case of an incident, an outdated system can be the reason you have to pay a hefty fine.
Limit Access by Unknown Devices
These days, most people use their phones and tablets to access work files. In a cloud-based system, access via a mobile device is a clear advantage. The problem is, it makes it difficult to control access.
If the staff has registered devices on the system, it is easy to monitor access. If someone uses a different device, institute a multi-factor authentication system to verify the user before accessing any information.
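The risk-assessment questions listed earlier and the device rule above can be checked against an access log. The following is an added example, not part of the original article; the log format, field names, users, patients, and device identifiers are all constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample data (hypothetical names and formats, not from a real system).
TERMINATED = {"jdoe": datetime(2024, 3, 1)}  # user -> termination date
CARE_TEAM = {"P100": {"asmith", "jdoe"}, "P200": {"bnguyen"}}  # patient -> assigned staff
REGISTERED_DEVICES = {
    "asmith": {"WS-014"},
    "bnguyen": {"WS-020", "TAB-7"},
    "jdoe": {"WS-009"},
}

ACCESS_LOG = """timestamp,user,device,patient,mfa
2024-03-04T09:12:00,asmith,WS-014,P100,no
2024-03-04T09:40:00,asmith,WS-014,P200,no
2024-03-05T22:03:00,jdoe,WS-009,P100,no
2024-03-06T07:55:00,bnguyen,PHONE-3,P200,yes
2024-03-06T08:10:00,bnguyen,PHONE-4,P200,no
"""

def audit(log_text):
    """Return (timestamp, user, finding) for every access that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, patient = row["user"], row["patient"]
        # "Can terminated employees access the system?"
        ended = TERMINATED.get(user)
        if ended is not None and ts >= ended:
            findings.append((row["timestamp"], user, "terminated-account"))
        # "Can personnel access medical records if they are not involved in the case?"
        if user not in CARE_TEAM.get(patient, set()):
            findings.append((row["timestamp"], user, "not-on-care-team"))
        # An unregistered device is acceptable only if multi-factor authentication succeeded.
        known = row["device"] in REGISTERED_DEVICES.get(user, set())
        if not known and row["mfa"] != "yes":
            findings.append((row["timestamp"], user, "unregistered-device-no-mfa"))
    return findings

if __name__ == "__main__":
    for finding in audit(ACCESS_LOG):
        print(*finding, sep="  ")
```

Each finding is a prompt for review rather than proof of a violation; the value of the check depends on keeping the termination list, care-team assignments, and device register current.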
Back-Up Your Data
Regular file backups are a must-have. Even if you have copies of your records elsewhere, those digital files need to be accessible. Back up your cloud systems as well. The backup should be separate from your primary storage so that the information is accessible in case of an emergency.
The backup time and frequency depend on the volume of transactions involved. For example, a busy entity may need to back up its files every few hours.
Ensure You Have a Business Associate Agreement in Place
If a subcontractor gains access to patient records without a signed contract, you will automatically be liable. A business associate agreement is an official agreement between you and a service provider which requires them to adhere to HIPAA rules when dealing with the information they receive from you. It helps if this entity is already HIPAA compliant.
CDS File Sharing Solution
Ignorance is no defense when it comes to the law. The OCR dedicates a lot of time and resources to investigating and penalizing violators of HIPAA. To protect your patients and yourself, invest in a state-of-the-art HIPAA compliant solution. Our encrypted file sharing solution guarantees the privacy and safety of your records.