Workstation Security

HIPAA compliance is about more than a patient’s right to access their information. Although the HIPAA Privacy Rule is how most of this began, it is so much more now! The HIPAA Security Rule outlines administrative, physical, and technical safeguards. Most organizations are so busy trying to figure out how to protect themselves from the unknown (technical concerns) that they forget about actual physical security. We are not just talking about building security systems, but about how you secure the individual devices that are used within your facility and by those who travel with portable devices.

Here are some helpful ideas to review against your particular situation:

  1. Although utilizing a security system that has motion sensors is better than nothing, using security cameras usually discourages theft.
  2. Conduct a walk-through of your facility and create an inventory list of all devices that access or store ePHI. Knowing what you have, where it is located, and whether it contains ePHI is essential in securing your data. This includes portable devices and small electronic media. Remember, printers, copiers, and scanners can store data as well.
  3. Review the location of all devices that access or store ePHI. Ensure they are not located in an area that an unauthorized person could easily access, or secure them with cable locks. If screens are viewable and cannot be relocated, the use of privacy screens is highly recommended. Encryption is recommended on any device that contains ePHI. If devices are transported, they should be encrypted even if they do not contain ePHI. If they are ever lost or stolen and the encryption is engaged, it would not be a reportable breach.
  4. If your USB ports are not used, locks should be installed. This is an inexpensive method to protect the network. If your workstations have CD/DVD drives, these should be disabled as well. Another option would be to configure this through a Microsoft Group Policy.
  5. Make sure paper PHI is not left in areas that could be accessed by unauthorized persons. This includes where you store your excess paper charts. These areas should be locked when not in use. It is also recommended to post signage reading “Employees Only”.
  6. Employees can be your biggest asset or your largest liability. Training your employees on computer security is an ongoing process. Annual HIPAA training should include the HIPAA privacy rule and HIPAA security rule. Also, add monthly security reminders to keep HIPAA fresh in their minds. Continuing education is the key to safety.
  7. HIPAA Policies and procedures are the backbone of an organization. Properly trained employees know and understand what is required and needed. The data that a health care provider has in its possession is priceless. This data must be secure physically and technically. All of this is necessary to avoid a data breach.
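
As an added example (not from Aris Medical Solutions), the following PowerShell audit checks a single Windows workstation for the controls in items 3 and 4: whether Group Policy denies CD/DVD and removable-disk access, and whether each volume is encrypted. It assumes an elevated prompt and that BitLocker is the encryption product in use; the function name and report columns are illustrative.

```powershell
# Added example: audit one Windows workstation for removable-media policy
# and volume encryption. Run from an elevated PowerShell prompt.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs written by the "Removable Storage Access" policy settings.
$classes = [ordered]@{
    'CD/DVD'          = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Removable disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Test-PolicyFlag {
    # True only when the policy value exists and is set to 1 (enabled).
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$Name -eq 1)
}

# "All Removable Storage classes: Deny all access" overrides the per-class settings.
$denyAll = Test-PolicyFlag -Key $base -Name 'Deny_All'

$mediaReport = foreach ($label in $classes.Keys) {
    $key = "$base\$($classes[$label])"
    [pscustomobject]@{
        DeviceClass  = $label
        ReadBlocked  = $denyAll -or (Test-PolicyFlag -Key $key -Name 'Deny_Read')
        WriteBlocked = $denyAll -or (Test-PolicyFlag -Key $key -Name 'Deny_Write')
    }
}
$mediaReport | Format-Table -AutoSize

# Encryption check; assumes BitLocker is the disk-encryption product in use.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $unprotected = Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted' }
    if ($unprotected) {
        $unprotected | Format-Table MountPoint, VolumeStatus, ProtectionStatus -AutoSize
        Write-Warning 'Volumes above are not fully encrypted with protection on.'
    } else {
        Write-Output 'All volumes are fully encrypted with BitLocker protection on.'
    }
} else {
    Write-Warning 'BitLocker cmdlets not available; verify encryption another way.'
}
```

The script only reads the machine-wide policy keys; a workstation where the same settings are applied per user, or where drives are disabled in firmware, will show as not blocked here and needs a separate check.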

If an organization fails to secure patient information, the Office for Civil Rights (OCR) will open an investigation and the organization can end up with massive fines. These fines have ranged from $250K to $3.5M. Although the fines are based on the organization’s ability to pay, the days of receiving just a $50K fine seem to be over. Best practice would be to review your HIPAA risk analysis and make sure it is thorough. Some online risk assessments unfortunately do not uncover all of your vulnerabilities. The OCR could consider this willful neglect even though you didn’t know. Make sure you update your risk management plan and mitigate those vulnerabilities. Small oversights could cost you a fortune.

For more information on how Aris Medical Solutions can help your organization with HIPAA compliance and protecting your data, call 877.659.2467.

“Simplifying HIPAA through Partnership, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
