Here at SOS Software, we talk to lots of people each day — current customers as well as new prospects — and frankly, we are often surprised by what people say. Maybe you have heard comments like these, too.
- “I always communicate with my clients by email. Who is going to see my email?”
- “I definitely want to use a cloud product for my records. That way I don’t have to worry about security or backup. The company says they are HIPAA compliant and will sign a BAA. They must be okay.”
- “I am the only one in my office. It would be silly to encrypt my laptop.”
Every time I hear such comments, I get concerned for the clients of the person speaking. After all, their understanding of their responsibility to secure and keep private the Protected Health Information of their clients is limited, at best. Finding secure ways to maintain and to safely share the PHI of clients is what the Health Insurance Portability and Accountability Act (HIPAA) requires of Covered Entities.
What steps and tools will help you do this? Let’s go through comment by comment.
1. “I always communicate with my clients by email. Who is going to see my email?”
First, please understand that email is not secure. At the foot of every email I send to a customer is the following statement: REMEMBER: Typical email is not secure. Never include sensitive financial, personal, health, or account credential (e.g. password) information in unencrypted email communications!
SOS President, Seth Krieger, uses the analogy of a postcard when talking about email. You should only send information that you would be comfortable mailing on a postcard — an open, totally unsealed document. That is because email is so easy to intercept. It may be unlikely to happen to any given message, but it is very easy to do.
The solution? Encrypted email. We use a product called Virtru when necessary. This morning I got an email from them detailing new and updated features in their Pro product. One of these was right on target: HIPAA Compliance Rule Pack. In fact, they have a white paper called HIPAA Compliance in the Cloud that you might find useful. There are certainly other companies that provide encrypted email services, some free of charge. Please find one for your organization. (SOS has no relationship with Virtru except that we subscribe to their product.)
2. “I definitely want to use a cloud product for my records. That way I don’t have to worry about security or backup. The company says they are HIPAA compliant and will sign a BAA. They must be okay.”
Cloud products can make it easy for you to log in from anywhere that you have an internet connection. If they are providing a hosted product, they keep the software up to date for you and certainly back things up. But just because a software provider or cloud storage company says you do not need to worry about anything does not mean that is so.
As the Covered Entity, you are responsible for doing due diligence on any provider of services you use. You need to be sure that the methods they say they are using and the places they say they are storing your data are what they actually do. Signing a BAA does not guarantee that their line staff know what handling PHI actually means.
In fact, you need to understand that a product or a company cannot be HIPAA compliant and cannot guarantee that you will be HIPAA compliant. They are merely providing a tool for your use. If you misuse the tool, you are not behaving in a compliant fashion. For example, you need a login and password to get to your account on their system. But when you get up to take care of your crying infant and your four-year-old sits down at your computer, your client information is exposed and you are not using the software tools in a HIPAA compliant fashion.
HIPAA requires that you have policies and procedures to secure and keep private the PHI entrusted to you — and that you follow them. No one else can do that for you.
3. “I am the only one in my office. It would be silly to encrypt my laptop.”
Being the only one in your office is no guarantee of security. A disturbance in your waiting room while you are with a client will certainly result in your leaving for a few moments. Your computer is likely exposed to your client during that time. Being a solo provider surely does not prevent you from leaving that unencrypted laptop on the subway. Lost or stolen unencrypted computers are among the largest sources of breached health information.
An encrypted computer is called a “safe haven” in HIPAA-speak. If the machine is encrypted, you are protected from charges of willful neglect and your clients’ sensitive information is shielded from prying eyes and from identity thieves intent on making big money from stealing health records.
The bottom line is that you are responsible for following the requirements of HIPAA. Do you know what they are? How are you handling your responsibilities? Are your employees properly trained and updated often?
Please share your comments in the section below.