Protected health information on paper could be more likely to be breached than digital records. Here are some tips to keep that information secure.
I've written about HIPAA compliance from a few angles recently: copier hard drives, restricting and monitoring access to the copier, and using document management software or an EHR to help keep patient records secure.
I haven't written about paper yet. And as much as many of us might like to go 100% digital in our business processes, most of us aren't there yet. And I know when I go to the doctor, I still see the color-coded manila folders containing patient files on the sliding file cabinets behind the reception desk.
In 2012, there were more breaches involving medical records on paper covered by HIPAA than electronic records – 45 from mid-May to mid-June. “Hacking” information doesn't just happen to digital information. Paper records and electronic records need to be treated the same – don't forget about the paper!
Security and Paper
Security around paper revolves around access – just like it does for digital documents. So whether you have an electronic health record system and are only printing occasional copies or are still using paper filing, these tips will help you remain HIPAA compliant by ensuring restricted access to PHI:
- Control access.
  - Filing cabinets should be locked.
  - Records shouldn't be left on desks when not in use.
  - No open shelves – ESPECIALLY in open areas accessible to patients.
  - Offices, storage rooms, etc. should be locked with keys, ID swipes, alarm keypads, etc.
- Keep paper files together. Unless making a copy of pages from a file, don't separate individual documents from the file.
- While audit trails aren't as easy with paper as with digital document management, it's a good idea to create a process for tracking the location of records, along with dated receipts and check-ins while records are outside of storage.
- Minimize the risk of accidental exposure by covering, turning over, closing, or otherwise hiding the information from view.
- Shred paper documents – don't throw them in the trash. This is especially important to prevent identity theft, so shred any documents that contain personal, financial, or protected health information. Cross-cut shredding is a good option.
- Throwing paper records into a dumpster accessible to the general public or unauthorized persons IS permissible if reasonable safeguards, such as shredding, are taken. For larger volumes of documents, keeping an area secure for documents containing PHI to be picked up for proper shredding or destruction by a disposal vendor is also acceptable.
These basic, common sense tips will keep your patients' data secure – and you out of trouble.
While it's hard to go entirely paperless, it's certainly possible to use less paper. Read about document management and electronic health records here.
Following these instructions will help to prevent you from ever having to report a breach. For complete guidance on being HIPAA compliant, hhs.gov contains everything you need to know.