3 steps to simplify data security for front-line hospital employees

Nurses and administrative staffers are no strangers to data security. After all, they receive mandatory compliance and security training when they're hired and then again annually.

But when the top priority is patient care — as it should be — data security can sometimes get the short end of the stick.

Yet according to a University of Phoenix College of Health Professions survey, registered nurses and administrative staff need more than an annual security checkup. Just 48 percent of RNs are highly confident that they can protect their patients' data, and 20 percent admitted that their organizations had been breached in the past.

Hospital staff members are the first line of defense against breaches of protected health information. Considering that 70 percent of healthcare organizations worldwide have experienced a data breach, according to a Thales and 451 Research report, once-a-year training sessions aren't enough. Something as innocuous as using email macros to save time can crack the door for data thieves.

Of course, staff training costs add up. Quarterly security and compliance training costs hospitals four times as much as mandatory annual training. So how can hospital executives better prepare staff and RNs to protect PHI without breaking the bank?

1. Only provide access to necessary information.
Most staff understand when to release PHI and to whom. But not everyone realizes that the Health Insurance Portability and Accountability Act's minimum necessary requirement forbids the disclosure of information that isn't necessary for a particular purpose. In a survey conducted by the American Health Information Management Association, one-third of respondents admitted to having no policies or training procedures regarding the minimum necessary standard.

While hospital staff want to be helpful by providing as much information as possible, releasing more information than what's necessary invites breaches. To avoid violating the minimum standard, track and identify the most common PHI requests. Create "if-then" templates or cheat sheets for staff with examples for denying non-required data to other staff and patients' family members.

2. Encrypt every e-storage and communication system.
When hospital staffers do need to access or share PHI, they need communication and storage solutions that are secure and easy to use. These systems need the right firewalls and permissions in place to prevent downloads by third-party programs and unauthorized users.

While infrastructural improvements can be expensive, they're a crucial piece in the data security puzzle. In the first half of 2017 alone, nearly 175 million people were affected by breaches governed under HIPAA rules, according to an analysis of Department of Health and Human Services Office for Civil Rights data. While breach sources varied widely, the leading two were hardware theft and server hacking.

Although situational awareness training can help, these sorts of breaches can be almost entirely stopped by encrypted storage and communication media. If a laptop with an encrypted hard drive is stolen, the data within it is safe as long as the encryption key is, too. And unlike Gmail or Outlook, an encrypted email platform ensures every piece of information your staff shares is safe. Even flash drives should be banned unless previously approved and encrypted.

3. Keep conversations away from eavesdroppers.
Encryption can protect digital exchanges of PHI, but verbal disclosures are another story. Unfortunately, HIPAA’s incidental uses and disclosures rule is one of the more difficult standards to navigate.

Last year, a Kentucky appellate court found in Hereford v. Norton Healthcare Inc. that staff members are not liable for PHI disclosures if they take reasonable care to restrict such disclosures. The court ruled that Hereford had committed a HIPAA violation by speaking loudly to other technicians preparing for a medical procedure on a hepatitis A-positive patient. However, Hereford would not have been in violation had she kept her voice down, according to the ruling.

In other words, hospital staff members don't need a soundproof room to discuss a patient's case, but they should do so discreetly. Ask staff to restrict PHI discussions near waiting rooms, reception areas and other public places. Hang up reminders for staff to talk in low tones when such conversations have to happen.

The truth is, people are the weakest link in any data security system, and annual security and compliance courses aren't cutting it. With a little signage, some friendly reminders and a few IT system upgrades, nurses and administrative staff on the front lines can store, access and share patient data more securely. That way, they can worry less about compliance and more about their mission: providing the best care possible to every patient who walks through the door.

Hoala Greevy is the founder and CEO of Paubox, the leading provider of HIPAA-compliant email services. Paubox’s end-to-end email encryption works on any device without requiring additional apps, plugins, or logins. A serial entrepreneur, Hoala also founded Pau Spam, an email filtering software service.

© Copyright ASC COMMUNICATIONS 2018.