When working in occupational health services, it is legally and ethically imperative to understand the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Technology adds HIPAA obligations that can be difficult to keep track of, especially in remote and challenging areas of the world.
Here at Remote Medical International, we ensure all digital information about our patients follows HIPAA standards and we care about your patients, too. Here are some steps we take to protect patient information that can help keep track of HIPAA in the digital world.
WHAT IS PROTECTED HEALTH INFORMATION (PHI)?
HIPAA protects the privacy and security of Protected Health Information (PHI): individually identifiable health information that a covered entity or business associate creates, receives, stores or transmits, in any form. Written documents, spoken word, data on a computer, telephone conversations and information sent over data networks all count. The electronic subset (ePHI) is what the Security Rule's technical safeguards apply to.
If you work with patient records, designate a privacy officer and a security officer (HIPAA requires both roles; one person may hold both) who is responsible for how PHI is handled under the privacy and security regulations. Having a single point of contact means there is a centralized source to respond to questions when an issue occurs.
HOW SHOULD YOU HANDLE ONLINE SECURITY?
You can promote the security of PHI by training every employee who has access to records on how to select strong passwords, keep them secret, and change them on the schedule your policy sets (120 days here) and immediately whenever compromise is suspected. Security officers should also check passwords against lists of known-breached passwords rather than relying on composition rules alone.
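As an added example (not Remote Medical International's own tooling), here is the kind of check a security officer can run on a proposed password: minimum length, no username inside it, no trivial repetition, and a lookup against known-breached password hashes using the k-anonymity prefix scheme the Have I Been Pwned range API uses, so the full hash never leaves the organisation. The breached set is constructed for the demo; a real deployment would load a breach corpus or query the range API with the five-character prefix.

```python
"""Password-policy check (added example, not the page's own code).
The breached-password set below is constructed for demonstration."""
import hashlib
import re

MIN_LENGTH = 12  # assumed policy value

# Constructed set of SHA-1 hashes (upper-case hex) of passwords known to be
# breached. In production, load these from a breach corpus or query the
# HIBP range API with only the first five hex characters of the hash.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1", "Welcome123!", "hipaa2024")
}


def sha1_upper(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


def breached_by_prefix(password, breached=BREACHED_SHA1):
    """k-anonymity lookup: only the 5-char prefix is sent to the lookup
    service; the suffix comparison happens locally. Simulated here against
    the constructed set."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    candidate_suffixes = {h[5:] for h in breached if h.startswith(prefix)}
    return suffix in candidate_suffixes


def check_password(password, username=""):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    if breached_by_prefix(password):
        problems.append("appears in a known breach")
    return problems


if __name__ == "__main__":
    for pw, user in (("Welcome123!", "jdoe"), ("correct horse battery staple", "jdoe")):
        print(repr(pw), "->", check_password(pw, user) or "ok")
```

Screening against breached passwords and rejecting the username inside the password catches the failures a fixed rotation schedule does not, which is why current NIST guidance (SP 800-63B) favours this check over mandatory periodic changes.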
All users must be authenticated before they are allowed access to PHI, and each user must have their own unique username and password (the Security Rule's unique user identification requirement). Sharing passwords is not acceptable under any circumstances, because it destroys the audit trail that ties each record access to one accountable person.
Along with password security, regularly reviewing audit logs (who accessed which record, when, and from where) and incident tracking reports helps confirm that PHI is secure and that the security process is effective.
Access to the server where electronic PHI is stored is granted only to people who need the information to do their job, following the minimum necessary standard. Clinicians providing treatment are the core case; support and billing staff get access only to what their role requires.
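The audit-log review described above, as an added example that is not part of the original page: a small script over constructed access-log lines from a hypothetical PHI record server. It flags two things a security officer would look for: a user viewing a patient who is not on that patient's care team (a need-to-know violation), and one account active from two different source addresses within a short window (a signal that a password is being shared). The log format, the care-team map and the ten-minute window are all assumptions for the demo.

```python
"""Access-log review for PHI (added example, not the page's own code).
Log format, care-team map and thresholds are assumed for the demo."""
import re
from datetime import datetime, timedelta

# Assumed log line format for the hypothetical record server.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Constructed sample log.
SAMPLE_LOG = """\
2024-03-02T10:15:00Z user=jsmith src=10.0.0.5 action=view patient=P1001
2024-03-02T10:16:30Z user=jsmith src=10.0.0.9 action=view patient=P1001
2024-03-02T10:20:00Z user=rlee src=10.0.0.7 action=view patient=P1002
2024-03-02T11:05:00Z user=rlee src=10.0.0.7 action=view patient=P1001
2024-03-02T13:00:00Z user=jsmith src=10.0.0.5 action=view patient=P1003
"""

# Constructed need-to-know map: patient -> users currently treating them.
CARE_TEAM = {
    "P1001": {"jsmith", "mgarcia"},
    "P1002": {"rlee"},
    "P1003": {"jsmith"},
}

SHARED_WINDOW = timedelta(minutes=10)  # assumed threshold


def parse(log_text):
    """Yield parsed entries; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield entry


def review(log_text, care_team, window=SHARED_WINDOW):
    """Return findings as (rule, user, detail) tuples in log order."""
    findings = []
    last_seen = {}  # user -> (timestamp, source address)
    for e in parse(log_text):
        # Rule 1: access outside the patient's care team.
        if e["user"] not in care_team.get(e["patient"], set()):
            findings.append(("not-need-to-know", e["user"], e["patient"]))
        # Rule 2: same account from a different address within the window.
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["src"] and e["ts"] - prev[0] <= window:
            findings.append(("possible-shared-account", e["user"],
                             f"{prev[1]}->{e['src']}"))
        last_seen[e["user"]] = (e["ts"], e["src"])
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, CARE_TEAM):
        print(*finding)
```

The care-team map is the key input: without a current record of who is treating whom, the need-to-know rule cannot be evaluated, which is one reason the access-control and audit pieces of the Security Rule have to be designed together.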
HOW SHOULD YOU HANDLE MOBILE FRIENDLY DEVICES?
All mobile devices must have at least the same controls as the servers: full-disk encryption, an automatic screen lock, and the ability to wipe the device remotely if it is lost. In addition, we require two factors to open PHI on a mobile device, for example a password plus the device's fingerprint reader. HIPAA itself does not mandate a particular second factor, so choose one your devices support reliably in the field.
The most important tool to protect PHI on mobile devices is education. Training all personnel on the best ways to secure their mobile devices will help keep PHI safe.
HOW SHOULD YOU HANDLE EMAILS REGARDING PHI?
When it comes to email, never send PHI to a distribution list or a broad Cc line. The best policy is to send records containing PHI only to the specific people with a need to know, within the disclosures HIPAA permits, and over an encrypted channel.
Often used in telemedicine, images of injuries or wounds sent to a medical provider for diagnosis should be cropped or masked so that they do not show the face, name bands, tattoos or anything else that identifies the patient, and should carry no other PHI. Telemedicine often requires medics to share images digitally because it is sometimes difficult to diagnose an injury from a written description alone.
SHOULD YOU FAX INFORMATION?
If the original record or a mailed copy cannot reach the recipient in time, you can send information by fax. The best practice is to notify the recipient in advance that the fax is coming and ask them to wait by the machine so the pages are collected as they arrive. Faxing is also appropriate when the patient urgently needs their information or a third-party payor needs the PHI for a patient who is hospitalized.
While you can send PHI by fax in these situations, you should require fax machines to be in secure areas and have a security officer limit the access to the fax machines that are used for transferring PHI.
Do not fax records in especially sensitive categories, such as mental health and developmental disability information, alcohol and drug abuse treatment information, and sexually transmissible disease information, without the patient's written authorization.
WHAT SHOULD YOU DO WITH REUSABLE MEDIA?
Reusable media includes thumb drives and external or internal hard drives. Sanitize every piece of media before it is reused, redeployed or discarded so that no PHI survives: overwrite it, cryptographically erase it, or physically destroy it, following the methods in NIST SP 800-88.
All hardware and software inventories and configurations must be current and documented so systems can be rebuilt in an emergency, which is what the Security Rule's contingency plan requirement expects.
Wherever you operate, your team should also avoid sharing PHI while traveling abroad. Although other countries have different rules, we recommend handling every incident under HIPAA guidelines, no matter where you are operating.
To learn more about how Remote Medical International can fulfill your healthcare needs for government contracts, please call us at +1 (206) 686-4878 or send a note to government@remotemedical.com.