Understand What Constitutes PHI
Any health information that is “individually identifiable” is considered PHI and falls under the protections of HIPAA. This typically covers virtually anything that is contained in the medical record, whether it is stored digitally, on paper or spoken, such as:
- Health histories
- Test results
- Insurance and billing information
Individual identifiers are protected data too. Demographic information is not usually safeguarded under HIPAA on its own, but it is once it is linked to health information. Common identifiers include:
- Contact information, such as email addresses and telephone numbers
- Social security numbers
- Medical record and account numbers
- Driver’s license numbers
Always use unique passwords for your accounts.
One of the most common mistakes people make, in every industry, is reusing the same password for multiple accounts. Each of your accounts should have its own unique password, so that a password exposed in one breach cannot be used to open your other accounts. Nurses should have their own logins for every device and system that contains PHI. Never share these credentials: they both authorize access to patient data and tie that access to your activity in the audit trail. Notify your information technology or security department immediately if your password or login credentials are exposed or compromised.
Never plug personal devices (or unauthorized devices) into workstations or work devices.
If a device was previously plugged into a machine infected with malicious software, you could inadvertently carry that malware onto your workstation, giving attackers a way into your network.
Secure Electronic Devices.
As the digitization of medical records has advanced, a growing number of electronic devices are used in daily practice and at different points of care. Tablets, laptops and cell phones may contain sensitive data that must be protected. Nurses should exercise extreme caution when accessing patient information on any device and always use password protection.
Don’t click on attachments or links in emails without first inspecting the messages.
Check to see if the sender’s name and email match, and if any links are legitimate. If the name and email don’t match, or if the link is from some unknown web address, that should send up a red flag. For example:
- If you normally get emails from your boss (email@example.com) but suddenly receive an email from an email address like firstname.lastname@example.org or email@example.com, that would be suspicious.
- If there’s a link embedded in the email, hover your mouse over it (without clicking!) and your mail client will display the true web address the link actually points to, which may differ from the text you see.
- If you receive an email from a suspicious address that contains a PDF, Excel file, or Word doc, don’t click on it. It’s possible that the file may contain malware.
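The three checks above (sender name versus address, visible link text versus the real destination, and document attachments from an unverified sender) as an added Python example; this is not code from the original article, and the sample message, the directory of expected addresses and the trusted domain list are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse
# Constructed sample (not a real message); every address and host is a placeholder.
SAMPLE_EML = """\
From: "Pat Manager" <pat.manager@mail-example.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Upload it here: <a href="http://hospital-example.org.evil-example.net/portal">https://portal.hospital-example.org</a></p>
--b1
Content-Type: application/vnd.ms-excel; name="patients.xls"
Content-Disposition: attachment; filename="patients.xls"

(binary content omitted)
--b1--
"""
# Hypothetical directory (display name -> the one address it should use) and trusted domains.
DIRECTORY = {"pat manager": "pat.manager@hospital-example.org"}
TRUSTED_DOMAINS = {"hospital-example.org"}
RISKY_EXT = (".pdf", ".xls", ".xlsx", ".doc", ".docx")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def triage(raw, directory=DIRECTORY, trusted=TRUSTED_DOMAINS):
    """Return the red flags found in one message; an empty list means no check fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    expected = directory.get(sender.display_name.lower())
    known_sender = expected is not None and expected == sender.addr_spec.lower()
    if expected and not known_sender:  # a name you know, from an address the directory does not list
        flags.append(f"name/address mismatch: {sender.display_name} <{sender.addr_spec}>")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for href, text in LINK_RE.findall(part.get_content()):
                host = urlparse(href).hostname or ""
                shown = urlparse(re.sub(r"<[^>]+>", "", text).strip()).hostname
                if shown and shown != host:  # what the link shows vs. where it really goes
                    flags.append(f"link text says {shown} but destination is {host}")
                if not any(host == d or host.endswith("." + d) for d in trusted):
                    flags.append(f"link to unknown site: {host}")
        elif part.get_content_disposition() == "attachment" and not known_sender:
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_EXT):  # document types the text warns about, unverified sender
                flags.append(f"document attachment from unverified sender: {name}")
    return flags
```

Running `triage(SAMPLE_EML)` on the constructed message reports all three kinds of red flag; a message from the directory address with links only to the trusted domain returns an empty list.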
If you receive an unusual or urgent request, call to confirm.
A common tactic that cybercriminals use to get you to do something or to provide information is to create an urgent situation. If you get an email or phone call from someone asking (or demanding) that you send them sensitive information, tell them you’re going to call them back to confirm. Use the contact information that’s provided through your organization’s official contact directory—never respond using an email address or phone number provided by the person who reached out to you!
Be aware of what’s going on around you.
Not all data breaches occur because of cyber-attacks. Sometimes, they come in the form of physical security breaches. Is there someone hanging around the nurses’ station that you don’t recognize or who doesn’t belong there? Ask them if they need help. This proactive approach can help to prevent cybercriminals from gaining physical access to records and other data by accessing computers at those stations or stealing portable devices from the area.
Learn About Proper PHI Disposal Methods.
Nurses should be aware of their employer’s policies regarding proper disposal of paper records and electronic media that contain PHI, such as depositing papers into a dedicated receptacle for shredding or burning and using software to periodically clear devices of sensitive data.
Report All Inappropriate Disclosures ASAP.
While inappropriate disclosures of PHI are sometimes unintentional due to brief lapses in judgement or faulty safeguards, the consequences are still dire. A HIPAA violation may prompt loss of patient trust, damage the facility’s public image and lead to potential fines and imprisonment for the offenders. No matter how minor the violations or breaches, you should report them through the appropriate internal chain of command.