4 steps to safeguard patients’ health information


All healthcare organizations should have a plan for how they will protect patients’ electronic health information. But for medical practices, many of them without the resources available to large healthcare systems and hospitals, it’s an even bigger challenge.

With increasing numbers of healthcare data breaches and cyber attacks in the news, there are steps physician practices should take to safeguard patient data, according to Medical Economics. They include:

  • Start with a security risk assessment. It’s required by Health Insurance Portability and Accountability Act (HIPAA) regulations and mandated by the Meaningful Use program. If you don’t know where your vulnerabilities are, how can you fix them? Hiring a security consultant can be expensive, but you may need that expertise. There are online risk assessment tools available from the Health Information Management and Systems Society and the Office of the National Coordinator for Health IT that can get you started.
  • Secure remote access to your system and have a policy for use of mobile devices. Doctors may need to connect to the office network from home or other locations, so if you allow remote access take measures to make sure connections are secure such as use of a virtual private network. Mobile devices, such as iPads and smartphones, have created a major vulnerability for many healthcare organizations. Address questions such as whether employees can use their own devices and if they are storing patient data on those devices.
  • Pay attention to business associate agreements. HIPAA requires them with all third parties that share protected health information. Federal regulators have been cracking down on agreements that fall short of regulations, as FiercePracticeManagement reported.  
  • Be ready for the worst. Address data backup. How will you retrieve data in the case of a power outage or natural disaster? Have a disaster recovery plan in place. Create a security incident response protocol that outlines what steps your practice will take if a security incident occurs.

You can find more details on how to accomplish these steps in the Modern Economics article.