Healthcare organizations know they must consistently maintain high standards for medical records security. The consequences of data breaches or HIPAA violations are severe and can include fines, sanctions, lawsuits, or even jail time, if criminal intent is determined.
Considering that many data breaches stem from unintentional employee action, it is critical that EMR reporting teams adopt working practices that safeguard the privacy of patient data. Below are 5 best practices that we at Syntrix Consulting Group recommend for EMR reporting and analytics developers.
1. Limit or avoid the use of PHI in reporting content
PHI, or Protected Health Information, is health information that can be linked back to an individual patient. The obvious examples are patient names, medical record numbers and Social Security numbers, but a combination of seemingly harmless fields can identify a patient just as well: age, gender and address together will often narrow a record down to one person. Including PHI in reporting content may be necessary when providing patient-specific data to providers so they can deliver effective care. It is generally not necessary when analyzing data for process improvement, showing trends, or measuring overall utilization of resources.
So, systematically question the need for including PHI in a report, and reduce or eliminate it wherever possible. Where data must be shared more widely, run it through a documented de-identification process before release (for example the HIPAA Safe Harbor method, which strips the listed identifiers and generalizes dates, ages and ZIP codes) rather than relying on an ad-hoc edit of the report.
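The following is an added example (not code from Syntrix Consulting Group or from the original article) of what a de-identification step for report rows can look like. It applies the HIPAA Safe Harbor rules: direct identifiers are dropped, dates keep only the year, ages of 90 and over are pooled, and ZIP codes are cut to three digits (or "000" for sparsely populated areas). The column names, the secret key and the sample rows are constructed for illustration, and the small-population ZIP list is a stand-in to be refreshed from current HHS guidance.

```python
"""Safe Harbor style de-identification of EMR report rows (added example)."""
import hashlib
import hmac
from datetime import date

# Fields that identify a patient outright and have no place in trend or
# utilization reporting. Assumed column names.
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "street"}

# Three-digit ZIP prefixes covering 20,000 or fewer people must be reported
# as "000". HHS publishes the list from Census data; this set is a stand-in
# and should be refreshed from current guidance before real use.
SMALL_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692",
                         "790", "821", "823", "830", "831", "878", "879",
                         "884", "890", "893"}


def generalize_age(age: int) -> str:
    """Ages over 89 are pooled into a single '90+' category."""
    return "90+" if age >= 90 else str(age)


def generalize_zip(zip_code: str) -> str:
    """Keep the ZIP3 prefix unless it falls in a sparsely populated area."""
    zip3 = zip_code.strip()[:3]
    if len(zip3) < 3 or zip3 in SMALL_POPULATION_ZIP3:
        return "000"
    return zip3


def generalize_date(d: date) -> str:
    """Admission, discharge, birth and service dates keep only the year."""
    return str(d.year)


def pseudonymize_mrn(mrn: str, key: bytes) -> str:
    """Keyed hash so rows for one patient still join across reports.

    The key stays with the reporting team; without it the token cannot be
    mapped back to an MRN. Whether a keyed hash is acceptable as a
    re-identification code is a compliance decision, not a property of this
    code, so confirm it with your privacy officer.
    """
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify_row(row: dict, key: bytes) -> dict:
    """Return a copy of one report row with PHI removed or generalized."""
    out = {}
    for field, value in row.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if field == "mrn":
            out["patient_key"] = pseudonymize_mrn(value, key)
        elif field == "age":
            out[field] = generalize_age(value)
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, date):
            out[field] = generalize_date(value)
        else:
            out[field] = value  # gender, unit, counts, etc. pass through
    return out


def deidentify_report(rows, key: bytes):
    return [deidentify_row(row, key) for row in rows]


# Constructed sample rows; the people and values are fictitious.
SAMPLE_ROWS = [
    {"mrn": "MRN-0001", "name": "A. Example", "ssn": "000-00-0001",
     "age": 93, "gender": "F", "zip": "03601", "street": "1 Main St",
     "admit_date": date(2023, 5, 14), "los_days": 4, "unit": "CARD"},
    {"mrn": "MRN-0002", "name": "B. Example", "ssn": "000-00-0002",
     "age": 41, "gender": "M", "zip": "98101", "street": "2 Pine St",
     "admit_date": date(2023, 6, 2), "los_days": 2, "unit": "ORTH"},
]
DEMO_KEY = b"rotate-me-and-keep-me-out-of-the-report"  # constructed key

if __name__ == "__main__":
    for r in deidentify_report(SAMPLE_ROWS, DEMO_KEY):
        print(r)
```

After this step the age/gender/address combination the text warns about collapses to a pooled age, a gender and a three-digit ZIP prefix, which is what a trend or utilization report actually needs.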
2. Manage the risk of PHI data exposure
Employees who work remotely or in an open environment risk exposing healthcare data to unauthorized people. For example, working on a report in a public area raises the chance that PHI is inadvertently seen. Leaving data visible on a computer monitor, a desk or a printer, or disposing of printed PHI in a public area, poses the same risk.
Some solutions include:
- Using protective film or screen covers on monitors located in public areas.
- Ensuring reporting analysts consistently lock their computers when stepping away from their workstation, and lock up their printed data and reports.
- Securing the disposal of printed PHI to ensure no public or other unauthorized access.
- Disposing of electronic media containing PHI appropriately.
- Implementing and enforcing a policy on the proper handling of PHI data used off-site.
3. Encrypt emails and files
When it is necessary to distribute reports containing PHI, ensure the communication is encrypted. Encryption technology is readily available, and EMR report developers must use it to their advantage in the quest for data safety. Encrypt the file itself, not only the mail transport, so the data stays protected in the recipient's mailbox and on every server the message passes through.
Encrypting email attachments that contain healthcare data is a highly recommended practice, whether or not such files are thought to include PHI; always err on the side of overprotection. When sending images or screenshots, redact any PHI and send them in a form the receiver cannot "undo" to view the redacted data. Drawing a black box over text in a PDF or an editable document does not remove the underlying text, so export a flattened PDF or an image in which the redacted content is actually gone, and confirm it by searching or copying from the result. Do not send PHI to personal email accounts.
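As an added example (not code from Syntrix Consulting Group or the original article), here is a pre-send check that encodes the two rules above: PHI never goes to a personal mailbox, and every attachment must be an encrypted container. The personal-domain list and the sample attachments are constructed; the format checks rely on markers the formats themselves define (the /Encrypt trailer entry in PDF, bit 0 of the general-purpose flag in a ZIP local file header, the PGP armor header) and are heuristics, not a replacement for a DLP product.

```python
"""Pre-send gate for emailed reports (added example)."""
import struct

# Consumer webmail domains that must never receive PHI. Assumed list.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com",
                         "hotmail.com", "icloud.com", "aol.com"}


def is_personal_mailbox(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain in PERSONAL_MAIL_DOMAINS


def attachment_is_encrypted(data: bytes) -> bool:
    """Recognize the encryption markers of PDF, ZIP and PGP files.

    PDF: an encrypted document carries an /Encrypt entry in its trailer.
    ZIP: bit 0 of the general-purpose flag in the local file header marks an
         encrypted entry (only the first entry is inspected here).
    PGP: ASCII-armored messages announce themselves in the first line.
    Anything else (plain CSV, XLSX, images) is treated as cleartext.
    """
    if data.startswith(b"%PDF-"):
        return b"/Encrypt" in data
    if data.startswith(b"PK\x03\x04") and len(data) >= 8:
        flags = struct.unpack("<H", data[6:8])[0]
        return bool(flags & 0x0001)
    if data.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----"):
        return True
    return False


def check_outgoing_message(recipients, attachments):
    """Return the reasons a message must not be sent; an empty list means OK.

    attachments is a mapping of filename -> file bytes.
    """
    problems = []
    for addr in recipients:
        if is_personal_mailbox(addr):
            problems.append(f"recipient {addr}: personal mailbox, PHI not permitted")
    for name, data in attachments.items():
        if not attachment_is_encrypted(data):
            problems.append(f"attachment {name}: not an encrypted container")
    return problems


# Constructed sample attachments: header fragments, not real documents.
PLAIN_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF")
ENCRYPTED_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                 b"5 0 obj << /Filter /Standard /V 5 /R 6 >> endobj\n"
                 b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF")
# ZIP local file header: signature, version needed (2.0), general-purpose flags.
PLAIN_ZIP = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0000) + b"\x00" * 22
ENCRYPTED_ZIP = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
PGP_MESSAGE = b"-----BEGIN PGP MESSAGE-----\n\nhQEMA...\n-----END PGP MESSAGE-----\n"
PLAIN_CSV = b"mrn,name,dx\nMRN-0001,A. Example,I10\n"

if __name__ == "__main__":
    findings = check_outgoing_message(
        ["analyst@example-health.org", "someone@gmail.com"],
        {"q2_utilization.pdf": PLAIN_PDF, "q2_utilization.zip": ENCRYPTED_ZIP},
    )
    for finding in findings:
        print("BLOCKED:", finding)
```

Wire a check like this into the send path (a mail gateway rule, a send hook in the reporting tool) so the block happens before the message leaves, rather than relying on the analyst remembering the policy.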
4. Control data disclosure
A valuable feature of an EMR reporting system is the robust data analysis it makes available. But not every report consumer needs to see all of the data, and HIPAA's minimum necessary standard expects access to be limited accordingly.
Setting up controlled data disclosure is critical to meet the requirements for each user role within a healthcare facility. For example, a C-level administrator will have access to high-level financial reporting that a clinician or billing analyst will not.
Reporting analysts can use security groups to control data disclosure at the report level, or at a more granular level if needed. With this functionality, certain data elements within reports or dashboards are visible only to permitted users, and anything not explicitly granted should default to no access. This is another way of limiting the exposure of PHI according to an employee's role in the organization.
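The following added example (not code from Syntrix Consulting Group or the original article) shows both levels of control described above: a security-group gate on the report itself, and a per-column gate so that one report renders differently for a clinician, a billing analyst and a C-level executive. The group names, column names and sample rows are constructed; in practice the group membership would come from the reporting platform or the organization's directory.

```python
"""Role-based disclosure control for report rows (added example)."""

# Groups that may open the report at all. Assumed group names.
REPORT_GROUPS = {"clinical", "billing", "executive"}

# Column -> groups allowed to see it. A column absent from this map is
# shown to nobody (deny by default), which catches free-text fields that
# tend to accumulate stray PHI.
COLUMN_POLICY = {
    "unit":         {"clinical", "billing", "executive"},
    "los_days":     {"clinical", "billing", "executive"},
    "patient_key":  {"clinical", "billing"},
    "patient_name": {"clinical"},
    "diagnosis":    {"clinical"},
    "charges":      {"billing", "executive"},
    "payer":        {"billing", "executive"},
}


class AccessDenied(Exception):
    pass


def can_open(user_groups) -> bool:
    """Report-level check: the user must be in at least one permitted group."""
    return bool(set(user_groups) & REPORT_GROUPS)


def visible_columns(user_groups):
    """Column-level check: keep only columns some group of the user may see."""
    groups = set(user_groups)
    return [col for col, allowed in COLUMN_POLICY.items() if groups & allowed]


def render_report(user_groups, rows):
    """Return the rows restricted to the columns the user's groups permit."""
    if not can_open(user_groups):
        raise AccessDenied("user is not in any group permitted to open this report")
    cols = visible_columns(user_groups)
    return [{c: row[c] for c in cols if c in row} for row in rows]


# Constructed sample rows; people, keys and amounts are fictitious.
SAMPLE_ROWS = [
    {"patient_key": "3f9a1c7e0b2d4e61", "patient_name": "A. Example",
     "unit": "CARD", "diagnosis": "I10", "los_days": 4,
     "charges": 18250.00, "payer": "Medicare",
     "notes": "pt called from 555-0101 re: follow-up"},
    {"patient_key": "9d42e8a0c6f17b35", "patient_name": "B. Example",
     "unit": "ORTH", "diagnosis": "M17.11", "los_days": 2,
     "charges": 9120.50, "payer": "Commercial",
     "notes": "spouse requested copy of discharge summary"},
]

if __name__ == "__main__":
    for role in ("clinical", "billing", "executive"):
        print(role, render_report([role], SAMPLE_ROWS)[0])
```

The executive view ends up with unit, length of stay, charges and payer and no patient-level columns, which is the high-level financial picture the text describes; the clinician view carries the patient columns but no charges; and the unmapped "notes" field is dropped for everyone.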
5. Provide on-going staff training
Humans can be the "weakest link" in network security, most often because of poor password management, risky website browsing habits, or clicking unknown links found in emails or on websites.
In light of these risk factors, healthcare organizations should commit to providing ongoing staff training and feedback. Help your staff understand how they can be part of the security solution when it comes to properly accessing their EMR reports and data.
To learn more about implementing security best practices in your healthcare organization’s EMR reporting system – contact us today.