How do you Prevent Unauthorized Access to ePHI?

That’s a million dollar question. No, really, it could literally cost you millions not to know. In doubt? Fresenius isn’t. It’s cost the dialysis chain a $3.5 million settlement for data breaches in 2012. The resolution agreement cites instances of unauthorized access and “impermissible disclosure.” So how do you stop it from happening?

5 Ways to Stop Employees from Unauthorized Access

1. Training. The most obvious prevention method is to be sure every employee understands both the definition of privacy and of sensitive data. To understand that it’s a serious privacy breach to share information, including photographs, screenshots, etc. amongst fellow employees who have no authorization to view the ePHI.
2. Access controls. Assure the person(s) accessing ePHI only sees what is absolutely necessary to perform their role. The person scheduling appointments doesn’t need the same access as a medical records clerk or claims administrator.
3. Device controls. Implement the policies and procedures necessary to assure you know where and when the data moves regardless of device (hardware or electronic media), internally and externally.
4. Encryption. How do you assure that the devices leaving the building are secure? If a tablet or thumb drive is stolen or lost, can you prove it was encrypted and ePHI kept secured? Ensure that you have adequate encryption in place. 
5. Password protection. Stress how important it is to protect login and other password information that could breach ePHI privacy. Login credentials are tied to a specific person. If that person shares the information with someone else, it’s not just a policy violation, they’re putting their job at risk along with ePHI security.

The ePHI data breaches that list Unauthorized Access/Disclosure on the 2018 “Wall of Shame” tell the story.  Curiosity is no reason to jeopardize privacy, nor is lack of asset inventory a valid excuse for not knowing if a lost or stolen device is encrypted. Employees can either be top notch protectors of personal health information or place it at risk daily. It’s top-down percolation, senior management to entry-level employee, that assures everyone knows how even seemingly insignificant actions of sharing a screenshot of an x-ray, violate ePHI’s privacy and security.

How do you maintain your ePHI’s integrity? Do you have a straightforward way to run internal audits on privacy and security activities? To find out how MyVCM can support your ability to protect ePHI from unauthorized access, contact Ostendio today.