Let’s start with a story.
Back in February 2011, a well-intentioned employee of Massachusetts General Hospital took various files home with her so that she’d be able to continue working over the weekend. Come Monday, she bound the files back up with a rubber band, put them in her bag, and hopped on the subway to start another week.
Somewhere along the line, the employee pulled these files out of her bag and set them on the seat next to her. When she reached her destination she stood, filed out of the train car, and left the files behind.
These files contained Protected Health Information for 192 patients, including medical record numbers, insurance information, and their diagnoses. Massachusetts General Hospital was slapped with a $1 million HIPAA violation penalty and was forced to complete a 3-year corrective plan to get their compliance back on track.
This incident is now known as the “million-dollar subway ride,” and it paints a pretty clear picture of what it can cost an organization to improperly secure their sensitive client data. You can imagine, then, that our clients come to us with plenty of questions about how they can avoid similar situations.
To help you stay on the right track as far as securing any Personally Identifiable Information (PII) or Protected Health Information (PHI) your organization may have, we’ve outlined the best ways to make sure that this data stays contained and controlled.
What are the best ways to secure PII/PHI?
There are several steps to follow when it comes to securing your sensitive client data:
1. Risk Analysis. First, assemble a risk matrix to identify where your organization has issues with confidentiality, integrity, and availability of data. This is an absolute must when it comes to HIPAA compliance—if your data is compromised and you don’t have any sort of risk analysis completed, you are all but guaranteed a fine. Here’s a helpful tool from the Department of Health & Human Services to help get your analysis together.
2. Policy. Who has access to what kind of data? What can be done with this data? Can it be moved? Can you dispose of it? How does it need to be disposed of? What do you do if you find out that there’s been a breach of some sort? These are the questions that you need to not only anticipate, but that you need to address with written, formalized policies. These policies will then dictate the sort of solutions you’ll need to live up to the requirements you’ve outlined.
3. Rule of Least Privilege. This is a very common practice when it comes to meeting HIPAA compliance. It means that you grant access rights to a given set of data only to the people who absolutely need them. In other words, you give each person in your organization the fewest rights necessary to complete their daily tasks.
4. Encryption. Here we’re talking about encrypting your data both while it’s at rest and while it’s in motion. If part of your service involves responding to your clients with sensitive information, you need to have an encrypted email system in place so that any intercepted message is unintelligible to anyone but the intended recipient. If your data is physically leaving your office by way of laptops or other mobile devices, the actual hardware should also be encrypted. If you’re accessing PII or PHI within an application, make sure there is database encryption inherent to that application. Notice the trend here?
5. Training. This is the kicker. You can put up as many walls as you want with different technology solutions and published policies, but your people can find their way through them (whether accidentally or otherwise). You should plan on having a comprehensive training program that all new employees are required to work through during their orientation. This will make sure that security is top-of-mind from the outset. Wash, rinse, repeat on an annual basis. Track it. Make it a standard part of your operations.
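Step 3 describes least privilege only in prose. The Go program below is an added example, not code from the original post, showing what the rule looks like when enforced in software: a deny-by-default permission check, and an audit helper that lists any direct grants a person holds that none of their assigned roles justify (the usual way privileges creep past what a job requires). The role names, permission strings and users are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission is an action name. These values are constructed for the
// example; a real system would map them to its own operations.
type Permission string

const (
	ReadRecord   Permission = "phi:read"
	WriteRecord  Permission = "phi:write"
	ExportRecord Permission = "phi:export"
	ManageUsers  Permission = "admin:manage-users"
)

// Role is a named bundle of the permissions a job function actually needs.
type Role struct {
	Name  string
	Perms map[Permission]bool
}

// User carries assigned roles plus any direct grants made outside a role.
type User struct {
	Name         string
	Roles        []*Role
	DirectGrants map[Permission]bool
}

// Allowed is deny-by-default: an action is permitted only when some role
// or direct grant names it explicitly. Anything unlisted is refused.
func Allowed(u *User, p Permission) bool {
	for _, r := range u.Roles {
		if r.Perms[p] {
			return true
		}
	}
	return u.DirectGrants[p]
}

// ExcessPrivileges returns the direct grants that no assigned role
// justifies, sorted for stable output. Reviewing this list on a schedule
// is how least privilege is kept true after the policy is first written.
func ExcessPrivileges(u *User) []Permission {
	var excess []Permission
	for p := range u.DirectGrants {
		justified := false
		for _, r := range u.Roles {
			if r.Perms[p] {
				justified = true
				break
			}
		}
		if !justified {
			excess = append(excess, p)
		}
	}
	sort.Slice(excess, func(i, j int) bool { return excess[i] < excess[j] })
	return excess
}

// SampleUsers builds constructed roles and staff accounts for the demo.
func SampleUsers() map[string]*User {
	billing := &Role{Name: "billing", Perms: map[Permission]bool{ReadRecord: true}}
	clinician := &Role{Name: "clinician", Perms: map[Permission]bool{ReadRecord: true, WriteRecord: true}}
	return map[string]*User{
		"alice": {Name: "alice", Roles: []*Role{billing}, DirectGrants: map[Permission]bool{}},
		// bob was handed an export right for a one-off task and nobody revoked it
		"bob": {Name: "bob", Roles: []*Role{clinician}, DirectGrants: map[Permission]bool{ExportRecord: true}},
	}
}

func main() {
	users := SampleUsers()
	for _, name := range []string{"alice", "bob"} {
		u := users[name]
		fmt.Printf("%s: export allowed=%v excess grants=%v\n",
			name, Allowed(u, ExportRecord), ExcessPrivileges(u))
	}
}
```

The point of ExcessPrivileges is that least privilege is not a one-time configuration: the check for "does this person still need this" has to be something you can run, not something you remember to think about.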
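Step 4 calls for "database encryption inherent to that application." The Go program below is an added example, not code from the original post, of what that looks like at the record level: each record is sealed with AES-256-GCM under a random key, with the record identifier bound in as associated data, so a stored blob that is altered, or copied onto a different record, fails to decrypt instead of yielding wrong data. The sample record text and identifier are constructed, and the key is generated in memory only for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey draws a random 256-bit data-encryption key. In production the key
// lives in a KMS or HSM, never in the same store as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptRecord seals plaintext with AES-256-GCM. Output is nonce || ciphertext || tag.
// aad (e.g. the record id) is authenticated but not encrypted, binding the blob to its row.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord and fails closed on any change to the
// blob or on an aad that differs from the one used at encryption time.
func DecryptRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RoundTrip seals a constructed record, recovers it, then flips one ciphertext
// byte and confirms decryption is refused. Returns recovered text and whether
// the tamper was detected.
func RoundTrip() (string, bool, error) {
	key, err := NewKey()
	if err != nil {
		return "", false, err
	}
	record := []byte("MRN 000123 | constructed sample, not real PHI") // constructed
	aad := []byte("record-id:000123")                                 // constructed id
	blob, err := EncryptRecord(key, record, aad)
	if err != nil {
		return "", false, err
	}
	plain, err := DecryptRecord(key, blob, aad)
	if err != nil {
		return "", false, err
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := DecryptRecord(key, tampered, aad)
	return string(plain), tamperErr != nil, nil
}

func main() {
	plain, detected, err := RoundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recovered: %q\ntamper detected: %v\n", plain, detected)
}
```

The authenticated-encryption choice matters for the "at rest" half of the rule: encryption alone keeps a lost laptop or database dump unreadable, but the GCM tag is what tells you the data you read back is the data you wrote.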
Above all else, you must keep in mind that your responsibility is, first and foremost, to your clients. But know that there is generally an inverse correlation between security and usability; the more policies and technology solutions you implement, the more hoops your people are going to have to jump through to accomplish their daily tasks.
This is why it’s so important to work with the affected staff members when you’re devising your security policies. Not only will this make sure that you are mindful of how your people need to operate in order to be successful, but involving them in the process will make it much easier for them to adopt the procedures once they are implemented.
Finally, be sure to monitor, reinforce, and update your policies even after initial training. Create a culture of security, and you’ll be on your way to keeping your PII and PHI in your hands—and your hands only.