From a legal perspective, cybersecurity means that all confidential information, including patient health information (PHI), in a healthcare provider’s database or server is protected, confidential, and completely compliant with the Health Insurance Portability and Accountability Act (HIPAA).
In order to do so, healthcare providers should:
- Conduct a risk assessment of their data;
- Develop and institute data security policies; and
- Test the effectiveness of those policies to make sure that they are running correctly.
In the first part of the risk assessment, the healthcare provider should identify sensitive data, including names, Social Security numbers, facial photographs, email addresses, health information, and anything that’s considered confidential and protected pursuant to the law. All PHI should also be encrypted, as mandated by HIPAA.
The next step is to assess the risk of exposure. For example, what’s the risk of data being exposed through a security breach or because someone inappropriately obtains access to private and protected information? Is there a technical risk? Is there a risk for human error? Is there a physical security risk, such as the place where the sensitive data resides in the office or storage unit? Or perhaps there is a virtual security risk from the network access controls or password protocols being utilized by the practice?
Healthcare providers must create policies that control these risks and define exactly how the confidential information is protected. It is recommended that these policies be drafted by an attorney in accordance with the relevant legal standards such as HIPAA. For example, a business associate agreement should be in place if an external tech company is collecting and maintaining the data. Policies should also ensure that employees are properly trained and that the tech company and software chosen to protect the data are appropriate for the task.
As part of cybersecurity, it is important to work with a tech company that has HIPAA and healthcare experience because they will be familiar with the software and safeguards. They will also be able to properly advise on what safeguards are necessary in order to protect the data.
Healthcare providers may want to consult an insurance broker about cybersecurity insurance to cover a data breach or other cybersecurity issues that may occur through no fault of the healthcare provider. This insurance safeguard is becoming more and more viable and worthwhile because of the prevalence of cyber-attacks, data breaches, and related issues.
HIPAA requires that the confidential information and PHI described above be protected, and that this protection be implemented through the necessary cybersecurity policies. How will you stay on top of your practice’s cybersecurity? Contact me today with questions or comments.
Stephanie J. Rodin, Esq.
Rodin Legal, P.C.
Tel: (917) 345-8972
Fax: (917) 591-4428