Clinical staff works with HIT mostly on the “end-user” level. As a result, our services most requested for these roles involve education and training. Technology is evolving rapidly, especially in the fields of mobile health, cloud computing, and social media. Human error remains the weakest link, as evidenced by over 25 million compromised patient records and counting.
- If employees need to learn any aspect of HIT, from beginner to advanced level, we have a range of options to increase competency.
- Staff members need to know which HIPAA / HITECH regulations apply to their respective jobs. To accommodate this EHR 2.0 has developed Lesson / Training Course, which covers the fundamentals.
Protected Health Information (PHI) is any health information tied to a specific patient. PHI must not be disclosed to any one without permission, unless anything which may identify the patient is removed / separated from the record.
A record qualifies as PHI if it falls under one of 18 identifiers:
Any unauthorized disclosure or usage of PHI is considered a HIPAA violation or data breach.
Whether in electronic or paper format, HIPAA regulations must be followed at all times, pertaining to PHI. The HITECH act was enacted to cover the differences in how the process carries over from traditional paper records vs. digital.
Examples of HIT a healthcare provider may utilize include: laptops, workstations, cell-phones / mobile devices, copy / fax machines, and procedure-specific devices (such as x-ray machines).
All staff must receive training upon joining the practice, then annually thereafter, covering HIPAA / HITECH regulations along with security and privacy best practices.
Staff members are issued a unique user ID and password for use with applicable equipment. HIT not in use should remain off or at the default sign-in screen; any worker who notices otherwise should identify the user’s account, so this person can be notified, then sign them out. Be sure to sign out or lock the screen if away / on break.
Physical access controls are designed to ensure devices are not left where PHI can be viewed by unauthorized individuals.
Encryption renders data unreadable to every one except those who have the correct “key”; otherwise the information appears as random characters / jargon. PHI needs to be encrypted at all times, and software enables the keyholder to access for review / revision. Encryption is often built into the sign-in process, so the user signs in with his or her password as the encryption “key.” Additional caution must be exercised in properly “dismounting” the data after use, or else everything can be rendered permanently unusable.
Security software should be installed and updated at all times, including firewalls and antivirus to prevent unauthorized access when connected to a network.
“The privacy law requires doctors, hospitals, or other health care providers to ask for written proof that patients received the Notice of Privacy Practices. The law does not require patients to sign the acknowledgement form. If patients choose not to sign, providers must keep a record that they did not get the signature, but still have to treat them.”
HIPAA forms must be signed before any PHI is transmitted outside the practice, which indicate the patient’s name and which details to release.
The company IT officer / administrators / executives should have policies and procedures posted in an accessible and visible area. These policies may already assume mastery of HIPAA requirements, which would have been covered during training. If clinical staff follows company protocol and HIPAA / HITECH requirements, then errors otherwise are the responsibilities of administration.
Safeguards which should be in place:
– Administrative (provide training, assign officers)
– Technical (access control, encryption / transmission security)
– Physical safeguards (locks, computer equipment, the process of removing equipment)
Examples of data breaches:
Types of data breach – https://www.privacyrights.org/data-breach
– Unintended disclosure (DISC) – Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
– Hacking or malware (HACK) – Electronic entry by an outside party, malware and spyware.
– Payment Card Fraud (CARD) – Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals.
– Insider ( INSD) – Someone with legitimate access intentionally breaches information – such as an employee or contractor.
– Physical loss (PHYS) – Lost, discarded or stolen non-electronic records, such as paper documents
– Portable device (PORT) – Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc
– Stationary device (STAT) – Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility.
– Unknown or other (UNKN)
Forms of data that must be secured:
– Data in motion—data moving through a network (e.g., e-mail)
– Data at rest—data that is kept in databases, servers, flash drives, etc.
– Data in use—data that is in the process of being created, retrieved, updated, or deleted
– Data disposed—data that has been discarded”
Types of errors:
– Errors of commission
– Errors of omission
– Errors in data analysis
– Incompatibility between software applications or systems / vendors.
Upon request patients’ records usually must be provided within 30 days. Patients may request amendments to their records in writing – providers have 10 days to determine if the amendment should be included.
Staff members need to notify administrators of any potential breach ASAP. This applies in the event of lost or stolen devices and misreported data, along with the other forms of breach listed earlier.
Social media involves interacting online, usually through a personal profile. While healthcare workers are not prohibited from signing up for and using a social media account, extra care must be taken to avoid revealing any patient’s PHI in the process. Also the company’s reputation can be harmed if a user posts offensive statements or photos of themselves performing inappropriate activities.
“Cloud computing” is using some one else’s computer resources online to leverage your own capabilities. Data must remain encrypted when stored in the cloud.