Medical Billing Blog

8 Tips for Securing PHI -- From Medical Billing Resources

Posted by Dennis Wolff on Tue, Apr, 03, 2012 @ 12:04 PM

Maintaining the security of Protected Health Information (PHI) can be a headache for the modern physician. With all your other responsibilities, how are you to make time to study how to protect information and know what to do in case of a breach? It can be daunting to consider what could happen if your practice experiences a breach of this information, and it is also confusing to know what must be reported and what need not be.

Did you know that you are required by law not only to have methods and practices in place for protecting PHI from unauthorized use or disclosure, whether accidental or malicious, but to have your entire PHI protection plan documented, including the steps you will take in the event of a disclosure? You must also have all employees trained in PHI protection and HIPAA guidelines. On top of that, you must be able to prove to an auditor, according to government guidelines, that these systems have actually been in place.

If you subscribe to any of the security-oriented journals or blogs, you might think there is no way to avoid having your data stolen. Security breaches are increasing (or at least we hear about them more often now), and the number of people affected by these breaches is sometimes staggering, as are the costs involved. Bear in mind that the examples below are very low-tech breaches, simple theft of a computer or a box of paper, then imagine the abilities of the more technically astute criminals out there.

Entity                             State            Individuals affected   Date of breach   Type     Location of breached information
Loma Linda University Health Care  California       584                    04/04/10         Theft    Desktop computer
Private Practice                   Michigan         2,300                  05/02/10         Theft    Laptop computer
North Carolina Baptist Hospital    North Carolina   554                    02/15/10         Theft    Paper records

The practices above could be required to provide credit protection services to each victim as a first step. At an average of $10 per month per victim for at least a year, you can see that one breach of even these "small" proportions adds up to a lot of money and grief, not to mention the damage to your good name, fines and other penalties.

Most doctors' offices are at least initially aware of PHI security and are doing the usual things to help protect it: password-protected screen savers or locked screens when the user is not present, shredding documents, password-protected accounts, anti-virus/anti-malware programs, and so on. These measures, while helpful, only scratch the surface. On their own they fall far short of what HIPAA and HITECH require, which is a documented, managed program rather than a collection of habits.

The processes and requirements involved in creating a meaningful PHI security program are described in many places on the web. You have probably already begun your education with a search for HIPAA or HITECH, which is how you found this article, but here are some simple steps to take now while you get educated.

  1. Have all your vendors and suppliers sign non-disclosure agreements, and have any vendor that creates, receives, stores or transmits PHI on your behalf (billing services, IT support, cloud or backup providers) sign a Business Associate Agreement, which HIPAA requires. Sample agreements can be obtained from any number of practice consulting websites, but Medical Billing Resources recommends these be standard parts of a comprehensive compliance plan for your practice.
  2. If you have a wireless workspace, configure it for WPA2 (or newer) with AES/CCMP encryption: either WPA2-PSK with a long passphrase that is changed whenever staff leave, or WPA2-Enterprise (802.1X) with per-user credentials. Do not use WEP, whose keys can be recovered in minutes, or WPA1/TKIP, and keep any guest network separate from the network that carries PHI.
  3. Observe your employees at work. You will probably find instances where you can improve on security simply by changing the way a task is done.
  4. Create a written Acceptable Computer Use Policy, also part of your comprehensive compliance program, and provide all employees with a copy. Examples can be found on the Internet or from any number of consultants.
  5. Begin writing the security policy itself: who may access PHI, from which devices, how it is stored, transmitted and disposed of, and what happens when something goes wrong. Common sense will go a long way here, but write it down; an undocumented practice is not a policy an auditor can verify.
  6. If you have the luxury of breaking up tasks and assigning different portions of them to different people, define which employee has access to which portion of the information associated with a task, and deny access to anyone without a bona fide need to work with it. This is the HIPAA "minimum necessary" principle applied to your own workflow, and it limits what a single compromised account or careless employee can expose.
  7. Ensure that all anti-virus/anti-malware software is up to date and is actually working: signatures current, real-time protection on, scheduled scans completing, and no machine silently excluded because someone disabled it to stop a slowdown.
  8. Decide, in writing, whether personal cell phones are allowed where PHI is handled. A phone camera copies a screen or a chart in seconds, so many practices require staff to lock phones away during working hours; whatever you decide, put it in the acceptable use policy and enforce it evenly.
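One way to check tip 2 on a Linux workstation, as an added example that is not code from the original post: parse the SECURITY column that NetworkManager's nmcli prints in terse mode and flag every network that is open, WEP, or still accepts WPA1/TKIP. The sample output below is constructed to look like `nmcli -t -f SSID,SECURITY dev wifi list`; the SSIDs and verdict wording are assumptions for illustration.

```python
"""Audit visible Wi-Fi networks for weak security modes (added example).

Assumes a Linux host with NetworkManager; SAMPLE_NMCLI_OUTPUT is constructed
to look like `nmcli -t -f SSID,SECURITY dev wifi list` output.
"""
import subprocess

# Constructed sample: one "SSID:SECURITY" line per network. nmcli prints "--"
# (or nothing, in terse mode) for an open network.
SAMPLE_NMCLI_OUTPUT = """\
FrontDesk-5G:WPA2
OldPrinterNet:WEP
Guest:--
LegacyAP:WPA1 WPA2
Exam-Rooms:WPA2 802.1X
Lobby:WPA3
"""


def classify(security: str) -> tuple:
    """Return (verdict, reason) for one nmcli SECURITY value."""
    modes = set(security.split())
    if not modes or modes == {"--"}:
        return "FAIL", "open network, traffic is unencrypted"
    if "WEP" in modes:
        return "FAIL", "WEP keys are recoverable in minutes; move to WPA2/WPA3"
    if "WPA1" in modes and not modes & {"WPA2", "WPA3"}:
        return "FAIL", "WPA1-only (TKIP); move to WPA2/WPA3"
    if "WPA1" in modes:
        return "WARN", "mixed WPA1/WPA2 lets clients negotiate TKIP; disable WPA1"
    if "802.1X" in modes:
        return "OK", "enterprise mode, per-user credentials via RADIUS"
    return "OK", "WPA2/WPA3 pre-shared key; keep the passphrase long and off the guest network"


def parse_nmcli(text: str) -> list:
    """Parse terse nmcli output into (ssid, security) pairs.

    nmcli escapes a ':' inside an SSID as '\\:' and SECURITY never contains a
    colon, so splitting on the last colon recovers both fields.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, _, security = line.rpartition(":")
        rows.append((ssid.replace("\\:", ":"), security.strip()))
    return rows


def audit(text: str) -> list:
    """Classify every network in the given nmcli output."""
    results = []
    for ssid, security in parse_nmcli(text):
        verdict, reason = classify(security)
        results.append({"ssid": ssid, "security": security,
                        "verdict": verdict, "reason": reason})
    return results


def live_audit() -> list:
    """Run nmcli on this machine and audit what it sees (requires NetworkManager)."""
    out = subprocess.run(["nmcli", "-t", "-f", "SSID,SECURITY", "dev", "wifi", "list"],
                         check=True, capture_output=True, text=True).stdout
    return audit(out)


if __name__ == "__main__":
    for row in audit(SAMPLE_NMCLI_OUTPUT):
        print(f"{row['verdict']:4} {row['ssid']:15} {row['security']:13} {row['reason']}")
```

Run it with `live_audit()` on the practice's own machines rather than the sample; anything marked FAIL that belongs to the practice needs to be reconfigured or retired, and a WARN on the PHI network means WPA1 should be switched off on the access point.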
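Tip 6 in code, as an added example rather than anything from the original post: each role is mapped to the record fields it needs, a request for anything outside that set is refused as a whole and written to an audit log, and the log can then be mined for staff who keep reaching beyond their role (the "observe your employees" point in tip 3). The roles, field names and patient record are hypothetical and constructed for illustration; a real practice would derive the role map from its own task analysis and keep the log where staff cannot edit it.

```python
"""Need-to-know access to patient records with an audit trail (added example).

ROLE_FIELDS and SAMPLE_RECORD are hypothetical; the record is fictional.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which record fields each role needs to do its job. Anything not listed is denied.
ROLE_FIELDS = {
    "front_desk": {"name", "phone", "next_appointment", "insurance_id"},
    "billing":    {"name", "insurance_id", "procedure_codes", "diagnosis_codes", "balance"},
    "clinician":  {"name", "dob", "diagnosis_codes", "procedure_codes",
                   "medications", "clinical_notes"},
}

# Constructed sample record (fictional patient).
SAMPLE_RECORD = {
    "patient_id": "P-0001", "name": "A. Example", "dob": "1970-01-01",
    "phone": "555-0100", "next_appointment": "2012-04-10", "insurance_id": "INS-123",
    "procedure_codes": ["99213"], "diagnosis_codes": ["E11.9"],
    "medications": ["metformin"], "balance": 40.00, "clinical_notes": "...",
}


class AccessDenied(PermissionError):
    """Raised when a request reaches outside the role's need-to-know."""


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, role, patient_id, fields, granted, reason=""):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient_id": patient_id,
            "fields": sorted(fields), "granted": granted, "reason": reason,
        })


def read_fields(record, user, role, requested, audit):
    """Return only the requested fields, provided every one is within the role.

    An over-broad request is refused in full rather than silently trimmed, so
    that it shows up in the audit log instead of being hidden by a partial answer.
    An unknown role has no entitlements at all.
    """
    allowed = ROLE_FIELDS.get(role, set())
    requested = set(requested)
    over_reach = requested - allowed
    if over_reach:
        audit.record(user, role, record["patient_id"], requested, False,
                     reason=f"fields outside role '{role}': {sorted(over_reach)}")
        raise AccessDenied(f"{user} ({role}) may not read {sorted(over_reach)}")
    audit.record(user, role, record["patient_id"], requested, True)
    return {k: record[k] for k in requested if k in record}


def repeat_offenders(audit, threshold=3):
    """Users with at least `threshold` denied requests: candidates for a conversation."""
    counts = {}
    for entry in audit.entries:
        if not entry["granted"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    log = AuditLog()
    print(read_fields(SAMPLE_RECORD, "bob", "billing", ["name", "balance"], log))
    try:
        read_fields(SAMPLE_RECORD, "amy", "front_desk", ["name", "diagnosis_codes"], log)
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in log.entries:
        print(entry)
```

The role map is the written form of the "who needs what" decision tip 6 asks for; the audit log is what lets you prove to an auditor that the rule was enforced and not merely written.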

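A concrete way to test the "actually working" half of tip 7, as an added example that is not from the original post: write the industry-standard EICAR test file, which every mainstream scanner is built to recognise and which is harmless, into a folder on the workstation and see whether the scanner removes or quarantines it within a few seconds. The file name, the wait time and the polling interval are assumptions. Run it on a machine you are responsible for, and tell whoever watches the anti-virus console first, because a working product will raise an alert.

```python
"""Check that on-access anti-virus scanning is live by dropping an EICAR test file
(added example). The file name, wait time and polling interval are assumptions.
"""
import os
import sys
import tempfile
import time

# The EICAR string is assembled from fragments so that this script itself is not
# flagged before it runs; only the file it writes should trigger the scanner.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
    "$H+H*",
)
EICAR_TEST_STRING = "".join(_EICAR_PARTS)  # 68 printable ASCII characters


def antivirus_reacts(directory: str, wait_seconds: float = 10.0,
                     poll_seconds: float = 0.5) -> bool:
    """Write an EICAR file into `directory` and watch it for `wait_seconds`.

    Returns True if the scanner deleted, quarantined, locked or altered the file
    (on-access scanning is working), False if the file survived untouched.
    The test file is removed afterwards in either case.
    """
    path = os.path.join(directory, "eicar_check.com")
    with open(path, "w", newline="") as fh:
        fh.write(EICAR_TEST_STRING)

    deadline = time.monotonic() + wait_seconds
    reacted = False
    while True:
        try:
            with open(path, "r", newline="") as fh:
                content = fh.read()
        except OSError:            # deleted, quarantined, or locked by the scanner
            reacted = True
            break
        if content != EICAR_TEST_STRING:   # truncated or replaced in place
            reacted = True
            break
        if time.monotonic() >= deadline:
            break
        time.sleep(poll_seconds)

    try:
        os.remove(path)
    except OSError:
        pass                       # already gone, which is the good outcome
    return reacted


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    if antivirus_reacts(target):
        print(f"OK: the scanner reacted to the EICAR file in {target}")
    else:
        print(f"FAIL: the EICAR file in {target} was not touched; "
              "real-time protection may be off or this folder may be excluded")
```

Point it at the folders that matter, such as the download directory and a shared scan-to-PC folder, rather than only the temp directory: a scanner configured to exclude a folder will pass in one place and fail in another, which is exactly the gap tip 7 is about.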
This article barely scratches the surface of the topic. Above all, be aware that creating a security policy and implementing it is no small task. It takes diligence and some hard work, and you may want to consider hiring someone to do it. Aren't your good name, your investment and your earnings worth it?