In keeping with the federal government's renewed emphasis on privacy and security safeguards for patient records, the U.S. Department of Health and Human Services has announced an auditing program that may involve the random selection of health care providers to be audited for compliance with HIPAA privacy and security rules. Among the most important of these rules is the "breach notification rule," which requires that any breach of unsecured protected health information be reported to the patient and the federal government.
The Rush Privacy Office recommends taking the following steps to decrease the risk of a privacy breach:
- Be discreet. Never discuss sensitive patient information or leave sensitive documents (such as X-rays or lab results) in common areas.
- Use secure communications. If you must email personal health information, use Outlook encryption, ensure that the recipient is authorized and add the communication to the patient record.
- Fax documents only when absolutely necessary. If other options, such as FedEx, truly are not available, double-check the recipient's fax number, use a cover sheet and direct the recipient to respond with questions.
- Make sure your office has shred bins and that all staff members use these bins to discard paper documents. Shredding is the only secure method of destroying paper records.
- Secure all mobile devices, whether used in the office or while traveling. Minimize the amount of information you store on such devices and report lost or stolen devices immediately to security services, whether they belong to you or to Rush.
- Remind staff that it is never acceptable to discuss patients or patient information or to “friend” patients on social networking sites such as Facebook or Twitter. Photos of patients should never be taken or shared through social networks or by any other means.
If you are concerned that a privacy breach may have occurred, call the Rush Privacy Office immediately at (312) 942-4416. If you have questions or concerns about privacy or security issues, call the same number or email firstname.lastname@example.org.