Healthcare News & Tech

Recommendations for Health Care Organizations to Protect PHI

March 16, 2022

Recommendations for Health Care Organizations to Protect PHI

Data breaches continue to be a costly occurrence in the United States, especially for the health care industry. Breaches covered under the Health Insurance Portability and Accountability (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Acts are increasing, meaning more protected health information (PHI) is at risk.

PHI under HIPAA consists of 18 identifiers, including names, dates, geographic data, social security and account numbers, email addresses, fingerprints and internet protocol (IP) addresses. Entities that create, receive or transmit protected health information are required to comply with the Security Rule of HIPAA and its administrative, physical and technical safeguards.

Between 2009 and 2020, 3,705 health care data breaches of 500 or more records have been reported, resulting in the loss, theft, exposure or impermissible disclosure of an astounding 268,189,693 health care records. In 2018, health care data breaches of 500 or more records were being reported at a rate of around one per day. Last year, the average number of breaches per day was 1.76, a 25% increase from 2019.

The average price per record in a data breach is $360. In cases where a HIPAA breach compromises PHI, the average cost is $7.79 million.

Avoiding costly breaches

The use of multiple technologies adds to the copious amounts of PHI that health care organizations are required to handle, and not all instances of noncompliance and breaches are due to intentional acts. Either way, providers and other health care entities who fail to address weak spots in HIPAA compliance risk a loss of revenue, a damaged reputation and heavy fines. Even denying a patient access to PHI or not providing it within 30 days of request can result in a HIPAA violation.

The advantages of keeping PHI secure go beyond preventing data breaches. Patients who trust their health systems to protect their data are more likely to receive better outcomes.

We’ve compiled a list of four recommendations for health care entities who handle PHI to follow to achieve increased HIPAA compliance. The Office of the National Coordinator for Health Information Technology (ONC) provides additional tips on how to keep electronic PHI secure.

1.  Perform a comprehensive risk analysis/assessment

Health care organizations that don’t regularly perform any type of comprehensive risk analysis neglect assessing possible threats and risks to PHI. According to the U.S. Department of Health and Human Services (HHS), the objective of a HIPAA risk assessment is to identify potential risks and vulnerabilities to the confidentiality, availability and integrity of all PHI that an organization creates, receives, maintains or transmits.

2.  Control access to PHI

Access to PHI within a health care organization should only be given to employees when it’s essential for their job. This access should be reviewed regularly. Safeguards such as encryption, unique user identification, automatic logoff and tracking logs also should be used to ensure that only those authorized to access PHI do so.

3.  Educate staff members

To combat the issue of health care data breaches that happen because of human error or negligence, providers must train their employees to ensure they’re knowledgeable about security procedures to project PHI. This training should highlight the importance of secure PHI and how to recognize potential cyberattacks. In addition, defined policies should be in place to guide staff members through PHI security.

4.  Procure a business associate agreement

Many providers and other health care organizations are turning to cloud computing to not only store and retrieve the data, but also procure unlimited backup space and reliable disaster recovery. These entities are required to have a HIPAA-compliant business associate agreement (BAA).

A BAA is a contract that stipulates the types of PHI that will be provided to the business associate, the allowable uses and disclosures of PHI, the measures that must be implemented to protect that information and the actions the business associate must take in the event of a security breach exposing PHI. Health care organizations in possession of PHI should never do business with a cloud services provider that won’t sign a BAA.

Health care entities dealing with PHI also should consider upgrading all computing devices with up-to-date antivirus software, ensuring remediation plans are implemented for user authentication deficiencies and prohibiting employees from connecting to public Wi-Fi networks using a device with access to PHI. If possible, unnecessary data should be removed; the HHS recommends deleting or destroying PHI on electronic media through disintegration, pulverization, melting, incinerating or shredding.

The Advanced Medical Reviews Client Portal was designed to intuitively promote operational efficiency, with the ability to submit, track and create reporting on physician reviews of all types. Clients work closely with our operations, sales and account management teams in customizing our platform technology to support their peer review requirements. In addition, AMR has achieved SOCII Security accreditation and we are HITRUST CSF-certified, all part of going above and beyond to ensure client and patient data remains secure.

Subscribe to our blog to learn more about issues affecting the health care industry and contact us for a demo of the client portal.

Recommendations for Health Care Organizations to Protect PHI