That’s a million-dollar question. No, really: not knowing could literally cost you millions. In doubt? Fresenius isn’t. Data breaches in 2012 cost the dialysis chain a $3.5 million settlement, and the resolution agreement cites instances of unauthorized access and “impermissible disclosure.” So how do you stop it from happening?
5 Ways to Stop Employees from Unauthorized Access
- Training. The most obvious prevention method is to make sure every employee understands what privacy and sensitive data mean, and that sharing ePHI, including photographs and screenshots, with fellow employees who are not authorized to view it is a serious privacy breach.
- Access controls. Ensure that anyone accessing ePHI sees only what is absolutely necessary to perform their role (the minimum necessary). The person scheduling appointments doesn’t need the same access as a medical records clerk or claims administrator, and each should be granted a different set of fields rather than the whole record.
- Device controls. Implement the policies and procedures needed to track where and when ePHI moves, on any device (hardware or electronic media), inside and outside the organization. That starts with a maintained asset inventory; you cannot account for a device you don’t know you have.
- Encryption. How do you ensure that devices leaving the building are secure? If a tablet or thumb drive is stolen or lost, can you prove it was encrypted and the ePHI kept secure? Ensure that you have adequate encryption in place, and keep a record of each device’s encryption status so you can show it after the fact.
- Password protection. Stress how important it is to protect logins and passwords that grant access to ePHI. Login credentials are tied to a specific person; sharing them breaks the audit trail, because the system can no longer tell who actually viewed a record. That makes sharing more than a policy violation: the employee puts their job at risk along with ePHI security.
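The access-control item above and the internal-audit question the post closes with go together: a role sees only the fields it needs, and every request, including the ones that were refused, is written to an audit trail that can be reviewed later. The following Python is an added illustration of that pattern, not Ostendio’s or MyVCM’s code; the roles, field names and the single patient record are constructed for the example.

```python
"""Minimum-necessary access to ePHI by role, with an audit trail.

Added example, not code from the original post or from MyVCM. The role/field
mapping and the sample record are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-field mapping: each role is granted only the ePHI
# fields it needs to do its job. A real policy is organisation specific.
ROLE_FIELDS = {
    "scheduler": frozenset({"patient_id", "name", "phone", "next_appointment"}),
    "records_clerk": frozenset({"patient_id", "name", "dob", "diagnoses", "imaging"}),
    "claims_admin": frozenset({"patient_id", "name", "dob", "insurance_id", "procedure_codes"}),
}


@dataclass(frozen=True)
class AuditEvent:
    when: str            # ISO-8601 UTC timestamp
    user: str            # the individual login; credentials are never shared
    role: str
    patient_id: str
    requested: frozenset
    denied: frozenset    # requested fields outside the role's scope


@dataclass
class EphiStore:
    records: dict
    audit: list = field(default_factory=list)

    def read(self, user, role, patient_id, fields):
        """Return only the fields the role may see, and log every request."""
        allowed = ROLE_FIELDS.get(role, frozenset())   # unknown role -> nothing
        requested = frozenset(fields)
        denied = requested - allowed
        # The event is recorded before any data is returned, so a request
        # that is refused entirely still leaves a trace for the auditor.
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role,
            patient_id, requested, denied))
        record = self.records.get(patient_id, {})
        return {f: record[f] for f in requested & allowed if f in record}


def out_of_scope_attempts(store):
    """Audit query: who asked for ePHI that their role does not cover?"""
    return [(e.user, e.role, e.patient_id, sorted(e.denied))
            for e in store.audit if e.denied]


def build_sample_store():
    """Constructed sample data, not real patient information."""
    return EphiStore(records={
        "P001": {
            "patient_id": "P001", "name": "Ada Lovelace", "dob": "1815-12-10",
            "phone": "555-0100", "next_appointment": "2018-03-02",
            "diagnoses": ["CKD stage 5"], "imaging": ["xray-2018-01.png"],
            "insurance_id": "INS-4471", "procedure_codes": ["90935"],
        },
    })


if __name__ == "__main__":
    store = build_sample_store()
    # A scheduler legitimately needs the appointment date ...
    print(store.read("alice", "scheduler", "P001", ["name", "next_appointment"]))
    # ... but has no business looking at imaging or diagnoses. Only the
    # permitted field comes back, and the probe is recorded for review.
    print(store.read("alice", "scheduler", "P001", ["name", "imaging", "diagnoses"]))
    for hit in out_of_scope_attempts(store):
        print("out-of-scope request:", hit)
```

The store filters rather than refusing the whole request, so a legitimate query is never blocked by one stray field, but the refused fields are still logged. That is the point of the design: curiosity shows up in the audit trail as a pattern of out-of-scope requests tied to one named login, which is only possible if credentials are not shared.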
The ePHI data breaches listed as Unauthorized Access/Disclosure on the 2018 “Wall of Shame” tell the story. Curiosity is no reason to jeopardize privacy, and a missing asset inventory is no excuse for not knowing whether a lost or stolen device was encrypted. Employees can either be top-notch protectors of personal health information or place it at risk daily. It takes top-down percolation, from senior management to entry-level employee, to ensure everyone knows that even a seemingly insignificant action, such as sharing a screenshot of an x-ray, violates the privacy and security of ePHI.
How do you maintain your ePHI’s integrity? Do you have a straightforward way to run internal audits on privacy and security activities? To find out how MyVCM can support your ability to protect ePHI from unauthorized access, contact Ostendio today.