How to Prevent Medical Record Theft
Step-by-Step Guide
Step 1: Secure your electronic data.
Your data must be secure. At a minimum, keep electronic records on systems behind a firewall, give every user their own username and password (shared logins defeat the audit trail in Step 2), and encrypt the data both at rest and in transit, so that a stolen laptop, a lost backup drive, or an intercepted connection does not expose patient information. If you don't, you are vulnerable to breaches of confidentiality.
You can secure hard-copy records in similar fashion.
Lock them in filing cabinets and make sure that only approved personnel have a key.
Step 2: Audit who accesses patient records.
Keep close track of who in your office accesses patient records and why.
If you keep electronic medical records, create a separate username and password for everyone who needs access. A shared account makes an audit log useless, because you cannot tell who did what.
Keep an audit log that records, for every access:
- which user accessed the record
- which record was accessed
- when it was accessed
- what the user did with the record (for example, viewed it, updated it, printed it, or exported it)
Review the log on a schedule rather than only after a complaint, and protect it so that the people being audited cannot edit or delete their own entries.
Step 3: Develop tiers of access.
Under HIPAA, an employee may see only the "minimum necessary" information that allows them to do their job. To limit access, decide who needs to see what.
For example, a receptionist needs only the patient's name, contact details, and billing information, whereas a nurse needs clinical information as well.
If an employee works with only some patients, they should have access only to those patients' records.
Creating tiers is easiest with electronic records, where access can be enforced by role and by patient assignment rather than by trust.
However, you can also restrict access to physical records.
For example, you could keep all of a doctor's patient files in a locked cabinet.
Each doctor could have their own cabinet, and one person could hold a key to all of them.
Step 4: Provide access in an emergency.
Sometimes a person who is not normally authorized to see a record nevertheless needs it.
For example, several authorized people in your office might be out at the same time.
If you create an "override" function (often called "break the glass"), other staff can reach the information so that they can help treat the patient. However, you need procedures in place to review every use of the override.
If you don't, people could abuse it and patient privacy could be compromised.
Configure the software so that the override requires the user to enter a reason, is written to the audit log, and emails several people whenever it is used.
You can then ask the employee why they used it and confirm that it was necessary.
Step 5: Secure your email communications.
Today, many patients want to access their information electronically.
They are happy to receive medical records in an email or as an email attachment.
However, you must carefully secure these communications. Ordinary email is not encrypted end to end and can be read at any server it passes through, so sending protected health information that way without safeguards exposes you to a HIPAA violation.
To secure email, use encryption: either an encrypted email service, or a secure patient portal that emails the patient only a notification and lets them log in to download the record.
See Make Email HIPAA Compliant for more information.
Step 6: Obtain authorization to communicate electronically.
You can protect yourself from a lawsuit by having patients authorize how you use their information.
For example, get a signed authorization allowing you to send information by email, and record the address the patient has chosen.
Make sure the form includes an expiration date for the authorization, and follow up to confirm that the patient still agrees to that communication method.
Step 7: Back up your information.
To comply with HIPAA, you must back up all of your information.
Often this means storing it in more than one place or in more than one format.
For example, all paper records in your office should have copies stored off-site.
Alternatively, you could create digital scans.
Electronic data must be backed up electronically. If you use your own servers, find out what backup policies are in place; if a vendor hosts your records, check with the vendor. Backups hold the same patient data as the live system, so encrypt them, keep a copy off-site, and test periodically that you can actually restore from them.
Step 8: Require business associates to protect patient data.
Any vendor or associate who accesses your patient records or information must agree to protect the data and follow your office's procedures.
Have them sign a Business Associate Agreement. You can find sample contract provisions at the Health and Human Services website here: http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
Ask your lawyer to review the contract and revise it to suit your needs.
Step 9: Shred old documents.
Don't dump old documents into a dumpster and hope no one combs through them and takes the information.
Instead, make sure that records are properly shredded.
You can hire companies to come to your office and shred large quantities of paper documents.
Remember to destroy more than just paper.
X-ray film and electronic media need the same treatment. Hard drives, USB sticks, and backup tapes should be wiped with a media-sanitization tool or physically destroyed (NIST SP 800-88 describes accepted methods); simply deleting files or reformatting is not enough, because the data can be recovered. Medical equipment such as CT scanners, and office equipment such as copiers and fax machines, contains internal storage that can hold patient information, so have it sanitized before it is sold, returned to a lessor, or disposed of.
Step 10: Report breaches of patient information.
Federal law (the HIPAA Breach Notification Rule) has specific requirements whenever unsecured patient data is breached. Data that was encrypted to the HHS standard is not considered unsecured, which is one more reason to encrypt laptops and backups.
Depending on your circumstances, you may need to notify the following:
Notify affected patients without unreasonable delay, and no later than 60 days after you discover the breach.
Notify the Secretary of Health and Human Services: without unreasonable delay (and within the same 60 days) if the breach affects 500 or more patients, and at least annually for smaller breaches.
Notify the media if the breach affects more than 500 residents of a state or jurisdiction.
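Steps 2 through 4 above describe per-user accounts, an audit log, role- and patient-based "minimum necessary" tiers, and a reviewable emergency override. The following is an added example that models those controls together; it is not code from the original guide or from any EHR product, and every username, role, field name, and patient record in it is constructed for illustration. In a real system the log would be written to storage that the audited users cannot modify, and the checks would run server-side.

```python
"""Added example: the access controls of Steps 2 to 4 as a small model.
Names, roles, fields and records are all constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Step 3: the fields each role may see, the "minimum necessary" decision
# written down in one place instead of scattered through the application.
ROLE_FIELDS = {
    "receptionist": {"name", "phone", "billing"},
    "nurse": {"name", "phone", "allergies", "medications", "vitals"},
    "physician": {"name", "phone", "billing", "allergies", "medications",
                  "vitals", "diagnosis", "notes"},
}


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class AuditEntry:
    user: str        # who: one account per person, no shared logins (Step 2)
    patient_id: str  # which record
    action: str      # what they did: "view", "update" or "denied"
    when: str        # when, as a UTC timestamp
    fields: tuple    # which fields were returned or changed
    override: bool   # whether the emergency override was used (Step 4)
    reason: str      # the justification typed for the override


def _now():
    return datetime.now(timezone.utc).isoformat()


class RecordStore:
    def __init__(self, records, users, assignments, notify):
        self.records = records          # patient_id -> {field: value}
        self.users = users              # username -> role
        self.assignments = assignments  # username -> set of patient_ids
        self.notify = notify            # callback that alerts the reviewers
        self.log = []                   # append-only audit log (Step 2)

    def _authorize(self, user, patient_id, override_reason):
        role = self.users[user]         # unknown account raises KeyError
        if patient_id not in self.records:
            raise KeyError(patient_id)
        if patient_id in self.assignments.get(user, ()):
            return role, False
        # Not assigned: only reachable through the override, and only with a reason.
        if not override_reason:
            self.log.append(AuditEntry(user, patient_id, "denied", _now(), (), False, ""))
            raise AccessDenied(f"{user} is not assigned to {patient_id}")
        self.notify(f"OVERRIDE: {user} opened {patient_id}: {override_reason}")
        return role, True

    def view(self, user, patient_id, override_reason=None):
        role, override = self._authorize(user, patient_id, override_reason)
        # The role tier still applies under override: a nurse in an emergency
        # sees nurse-level fields of an unassigned patient, not everything.
        visible = {k: v for k, v in self.records[patient_id].items()
                   if k in ROLE_FIELDS[role]}
        self.log.append(AuditEntry(user, patient_id, "view", _now(),
                                   tuple(sorted(visible)), override, override_reason or ""))
        return visible

    def update(self, user, patient_id, field, value, override_reason=None):
        role, override = self._authorize(user, patient_id, override_reason)
        if field not in ROLE_FIELDS[role]:
            self.log.append(AuditEntry(user, patient_id, "denied", _now(),
                                       (field,), override, override_reason or ""))
            raise AccessDenied(f"{role} may not change {field}")
        self.records[patient_id][field] = value
        self.log.append(AuditEntry(user, patient_id, "update", _now(),
                                   (field,), override, override_reason or ""))

    def overrides_to_review(self):
        """Step 4: every override use, for the follow-up conversation."""
        return [e for e in self.log if e.override]


def demo():
    """Constructed sample data: a normal view, a denial, an override, a
    forbidden update, and a permitted update."""
    alerts = []
    store = RecordStore(
        records={
            "P001": {"name": "A. Example", "phone": "555-0100", "billing": "paid",
                     "allergies": "penicillin", "medications": "metformin",
                     "vitals": "BP 120/80", "diagnosis": "T2DM", "notes": "follow up"},
            "P002": {"name": "B. Example", "phone": "555-0101", "billing": "due",
                     "allergies": "none", "medications": "none",
                     "vitals": "BP 118/76", "diagnosis": "healthy", "notes": ""},
        },
        users={"dana": "receptionist", "nia": "nurse", "drlee": "physician"},
        assignments={"dana": {"P001", "P002"}, "nia": {"P001"}, "drlee": {"P001", "P002"}},
        notify=alerts.append,
    )
    receptionist_view = store.view("dana", "P001")      # name/phone/billing only
    try:
        store.view("nia", "P002")                       # nurse is not assigned
        denied = False
    except AccessDenied:
        denied = True
    emergency_view = store.view("nia", "P002", override_reason="Dr Lee out, patient in ER")
    try:
        store.update("dana", "P001", "diagnosis", "x")  # receptionist tier forbids
    except AccessDenied:
        pass
    store.update("drlee", "P001", "notes", "seen 09:00")
    return store, alerts, receptionist_view, denied, emergency_view
```

Two choices in this model are worth carrying into a real deployment: the override widens which patients a user can reach but never which fields, so it cannot be used to escalate a role; and denials are logged alongside successes, because a user who is repeatedly denied and then starts using the override is exactly the pattern the review in Step 4 is meant to catch.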
About the Author
Nathan Webb
Professional writer focused on creating easy-to-follow DIY projects tutorials.