Protecting Patient Privacy: HIPAA Compliance in the Electronic Age

E-mail accounts and passwords of former employees should be immediately deactivated so they can no longer access the network.

The privacy of patient data is protected by the Health Insurance Portability and Accountability Act (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.[1] But the complexities of today's high-tech methods of communication, data sharing, and data storage leave practices open to unforeseen and constantly changing threats, requiring vigilance and training of medical staff.

This second article devoted to cybersecurity takes a closer look at protecting patients' privacy. To gain further insight into this complex subject, MPR interviewed Michael J Sacopulos, JD, CEO of Medical Risk Institute (MRI), a firm that provides "proactive counsel" to the healthcare community to identify where liability risks originate and to reduce or remove those risks. He is also General Counsel to Medical Justice Services. Mr Sacopulos is the coauthor of Tweets, Likes, and Liabilities: Online and Electronic Risks to the Healthcare Professional (Phoenix, MD: Greenbranch Publishing; 2018).

What do you think the greatest threat is to HIPAA in physicians’ practices?

Some of the issues I discussed in our previous interview are central in potential HIPAA violations. In particular, I'm talking about lack of cyber-hygiene, by which I mean the numerous human errors that can compromise patient privacy, even with the best software and firewalls. We already discussed the importance of training staff not to click on unknown e-mails, often called "phishing" e-mails, which are cyber attacks that open the door to hackers to access your system or install malware on your computers. Teaching your staff to recognize these scams and malware e-mails is critical.

What other potential concerns might compromise privacy?

An important area of concern is the location where you and your staff access the Internet for any practice-related work. If you have an employee, consultant, or contractor who works remotely (for example, a bookkeeper or someone who does medical billing), you need to be sure that several important things are in place.

Neither you nor your employee should be using the free Wi-Fi at Starbucks or the library or the airport, for example, to do any e-mailing or work on patient records, since those are not secure connections and can easily be hacked. Additionally, in a public place, a person sitting near you or a passerby can catch a glimpse of a patient's name or some other information, or might even use their own cellphone to photograph it.

Employees who work from home should have a dedicated work space, such as a home office, with a door that closes and file cabinets that can be locked and secured from others. The office shouldn’t double as the guest room or children’s bedroom. And the employee should dedicate specific time and space to working on practice-related matters and not multitask. I’ve seen situations in which the person who does billing was working on generating electronic bills while trying to cook dinner for her family and having the computer or paperwork on the table.

Any conversations about patients, whether you are returning a patient’s call or whether your staff member is talking to an insurance company, should be conducted in private where no family members or others can hear you. One doctor was discussing a child’s bedwetting problem with a parent within earshot of his own children. It was a small town and the doctor’s children went to school with the child who had the bedwetting issue. Soon, it was public knowledge in the classroom and the other children teased the boy with the problem. This took place in the days before HIPAA was put into place, but the issue could just as easily take place today if patient-related conversations could be overheard.