3 MORE Ways to Protect Personal Health Information

In my last discussion on Protection of personal Health Information. I discussed a recent G2 Compliance Advisor article which presented steps that may be taken to prevent Personal Health Information (PHI) breeches by laboratory employees.  Today I will review some of the other ideas they presented.

1) A password creation and protection policy is essential.  First item on this list is the password must be strong.  Passwords like “Password” or the employees name should not be allowed.  Ideally, there needs to be the insistence that a password have at least 12 characters, which should be a mixture of letters, both lower and upper cased, numbers and characters.

In addition, there needs to be a policy of regularly changing/updating passwords and not permitting the reusing of a password.  Change of passwords can lead to its own set of problems.  Often, after a password change, an employee will write the new password down to serve as a reminder and leave this new password in computer proximity.  It is essential to have a policy that prohibits this practice and also includes a prohibition of sharing of password or inclusion of password in any communication. 

2) Downloading of PHI into devices needs be closely controlled and monitored and there must be provision to protect any downloaded information.  Policies governing downloading of PHI into personally owned devices must be closely examined because if these devices are compromised, lost or stolen, PHI can be communicated to unauthorized parties.  If allowed, it is essential that employees obtain permission, and policies should include requirements for appropriate security of approved devices including use of passwords and encryption.     

3) Finally, a policy needs be in place defining steps to take in the event of a data breech, requirement that employees immediately notify management of any breeches and provision for rapid response to the problem.

I recognize all our laboratories have a multitude of policies and procedures but a policies and procedures for Personal Health Information security need be in place both for the protection of the patient and for the potential consequences that can occur to the laboratory if such an event occurs.