10 Tips for Protecting Health Data

At a recent SouthWest Benefits Association meeting, Ed Oleksiak, vice president of the law firm Holmes Murphy and Associates, and Randy Fickel, assistant general counsel for J.C. Penney, offered these 10 tips for dealing with recently tightened rules for the Health Insurance Portability and Accountability Act (HIPAA).

  1. The law is a case of “legislating common sense,” Fickel said. If you come across confidential healthcare information, do not share it with others and do not use it against workers. Both lawyers said they represented clients who used personal healthcare information to fire employees. “The law is there to stop people like this,” Fickel said.
  2. Keep as much health information out of the office as possible.
  3. Employment records and health information disclosed by individuals are not protected health information (PHI) covered by HIPAA.
  4. Do not help employees with their health claims. Although it seems like the right thing to do, it puts the company in harm’s way of violating HIPAA.
  5. Use encryption methods to protect health data.
  6. Have policies about what data can and cannot be taken out of the office. “It’s not a matter of whether you will have a security breach. It’s when. If you have policies, you can at least show that your policies were violated. (With a breach) your name is published on a government website. It’s not a fun place to be. You don’t want to be negligent. That might mean you have policies, but no training,” Oleksiak said.
  7. Make sure your subcontractors are as careful as you are. “Penalties roll down to your subcontractors and follow the chain of evidence. There is a huge risk of breach when data is transferred. That is especially true if it goes offshore (where rules are less stringent),” Fickel said.
  8. Appoint a data privacy or security officer who can be informed when there are potential breaches and is responsible for training.
  9. Use locked cabinets and files, guard fax machines used to transmit health information and shield passers-by from overhearing conversations or seeing computer screens.
  10. Limit the use of health data to treatment, payment and healthcare operations such as quality assessment and health-plan performance.

New HIPAA rules, which were released by the federal government Jan. 17, are effective today. They expand HIPAA privacy and security coverage and liability to subcontractors, such as remote electronic health record vendors. Also, patients paying out of pocket for care can request that providers not share the information with their insurance companies.

Steve Jacob is editor of D Healthcare Daily and author of the new book Health Care in 2020: Where Uncertain Reform, Bad Habits, Too Few Doctors and Skyrocketing Costs Are Taking Us. He can be reached at steve.jacob@dmagazine.com.