Tea Buzz


Data Security – HIPAA Compliant Lists

Posted February 16, 2017


Data breaches are on the rise, and it’s more important than ever to ensure your clients’ protected health information (PHI) is secure. But data security within your organization is only the first step in preventing a breach. Your organization needs to ensure that anyone you work with who handles patient data also remains HIPAA compliant.

Putting your patients’ information into the hands of a third party can create a number of new risks, but it’s sometimes necessary. So, be sure to diligently vet the security of vendors or any other third parties you contract with. For healthcare organizations working with CRM vendors who execute direct mail campaigns on a regular basis, the perfect example of a third party is your print vendor.

Your print vendor is considered a Business Associate and is required by law to secure and manage access to any and all PHI data that is delivered to them (i.e., any list that is generated from patient data). You should have a signed Business Associate Agreement (BAA) between you and any vendor you work with that will handle PHI. If you are unaware of what the requirements are for print production (or if you’re unaware that downloading a list of patient information and sending it to a printer can put you at risk for a HIPAA violation), we strongly recommend you review your BAA chain and ensure that everyone in your chain is complying with all regulations.

You are required by law to send all information to your Business Associates through secure channels. Sending information across an open network can be disastrous, so be sure you are always sending the information over an encrypted channel. Do not ever store unencrypted PHI unless it needs to be unencrypted for a very specific reason. PHI should either be delivered as an encrypted list to the end user (and that user should have the proper role permissions to receive such a list) or be rendered as a complete mail piece and delivered to the printer/mailer with the contact information already within the indicia of the piece.

 


To learn more about Data Security Best Practices, download a copy of our white paper here.