Keeping Confidential Information Secure in the Healthcare Environment
Federal and state laws govern the handling of confidential information in the healthcare industry. Most providers must follow the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy, Security, and Breach Notification Rules. Businesses must comply with these regulations to avoid costly fines and lawsuits, and a data breach of any size can destroy the public's trust in the business. These privacy and security laws govern confidential and protected information and how it is used, shared, and accessed. The regulations cover all forms of information: written, verbal, and electronic. In addition to the federal laws, states may impose further restrictions. All these laws work together to protect individuals. The rules clearly state how protected information can be shared, who has the right to view it, how to secure it, how to store it, and what steps to take if a data breach occurs. Businesses need to take the handling of confidential information seriously and establish a clear company policy. Here are the basic areas to consider when developing one.
Employee Training
To keep information secure, companies must provide training to employees. New employees need to be taught exactly what qualifies as confidential information, why it is important to protect it, and what the company's policy on protecting it is. Employees need to know when and what information can be shared and when a signed release or Power of Attorney (POA) is needed. Employees should be made aware that they can be held personally liable for breaches in which they are found negligent. The best companies provide ongoing data privacy courses at least annually.
Sharing Information
Strong company protocols on releasing information need to be put in writing, and all employees must know how to handle the sharing of data. There are legitimate reasons to share data within the organization in healthcare settings, such as treatment collaboration and billing. Company policy should provide procedures for handling telephone requests for data. Employees need to be aware of caller ID spoofing, technology that falsifies the calling number so a call appears to come from a legitimate partner. These spoofed calls can be attempts to steal confidential information. Provide company policy and guidance on how to verify a caller's identity. At a minimum, healthcare agencies need strong software to block unwanted calls.
Strong Passwords
For employees accessing computer systems that house confidential data, company policy needs to mandate strong password requirements. The best passwords require a set minimum number of characters and a combination of upper- and lower-case letters, numbers, and special characters. Passwords should be set to expire at regular intervals, at which point employees must change them. Never allow employees to share passwords with anyone.
Information Storage
Employees need to know the company policy on the storage of confidential information. Company policy should address accessing data on personal devices and under what circumstances equipment can be taken home. Computer screens should be locked any time an employee steps away from the desk. Confidential paperwork must be secured at the end of the day to prevent unauthorized access.
Patient Access
In healthcare settings such as intake and waiting rooms, a private area where clients can provide information is necessary. Other patients should not overhear confidential information in the waiting areas.
Employee Badges
All employees should have ID badges with a clear, updated photo. Ideally, security systems should be configured to allow access into restricted areas by badge type. Unauthorized individuals should never be allowed into restricted areas where confidential information could be overheard or seen.
Healthcare companies are legally required to protect confidential information, but data privacy goes beyond the legal requirements. In today's world, data breaches have become common. When a breach happens, patients can feel violated and take legal action against the company. If a data breach has occurred due to company negligence, the negative publicity could destroy the public's trust in the business and, eventually, the practice itself. Companies must do everything they can to protect patients' confidential information.