Tea Buzz



Data Security Download: Third Parties’ Security

Posted April 30, 2018

If you follow the media at all, then you’ve likely heard about the massive Facebook fallout. Millions of people across the United States were made aware that their personal data (in most cases unknowingly) had been shared with the political data firm Cambridge Analytica. The news has caused consumers to have a much deeper concern around data security and sharing practices.

In no industry is data security more important – and more scrutinized – than in healthcare. As breaches continue to occur, complying to the rules and regulations around personal health information (PHI) can’t be stressed enough. Patient data is an extremely sensitive matter, and how you handle it can make or break your organization.

Having diligent data security practices in place is critical in order to foster trust and loyalty with patients. Real people are behind the data, and breaches greatly affect both the individuals whose private information has been compromised, as well as the reputations of the healthcare institutions involved.

At Tea Leaves Health, we pride ourselves on our hyper-secure process to protect our clients’ patient information. Below are 10 data security best practices we follow – and recommend you follow – to prevent an incident:

  1. Evaluate all third parties’ security
  2. Make passwords complicated and change them often
  3. Use firewalls and Anti-Virus software
  4. Control physical access to PHI
  5. Protect information on portable devices
  6. Protect the network by limiting access
  7. Secure wireless networks
  8. Eliminate unnecessary data
  9. Educate staff members and create a security culture
  10. Have data backup, recovery and breach response plans in place

Over the next few months, we’ll elaborate on each of these points in our Data Download Blog Series. If you’d like more detail on each point now, download our white paper on Data Security Best Practices. For purposes of this post, we’ll elaborate on the first point.

As data breaches become more and more commonplace, we’ve seen many of our clients shift their marketing dollars back to print – a much more secure avenue over digital marketing – when it comes to the protection of patient data. Consumers are appreciating direct mail marketing more than ever as they become weary of how their online activities are being mined, sold and used by retail marketers.

If you’re also considering this shift, then it’s important to take into account the way your patients’ data is handled by third parties – such as your printer. Your organization isn’t the only one that needs to secure patient data – anyone you work with that handles that data also needs to remain HIPAA compliant.

Putting your patients’ information into the hands of a third party can create a number of new risks. Therefore, be sure to diligently vet the security of vendors or any other third parties you contract with.

Your print vendor is considered a Business Associate and they are required by law to secure and manage access to any and all PHI data that is delivered to them (i.e. any list that is generated from patient data). You should have a signed Business Associate Agreement (BAA) between you and any vendor you work with that will handle PHI. If you are unaware of what the requirements are for print production (or if you’re unaware that downloading a list of patient information and sending it to a printer can put you at risk for a HIPAA violation), we strongly recommend you review your BAA chain and ensure that everyone in your chain is complying to all regulations.

You are required by law to send all information to your Business Associates through secure channels. Sending information across an open network can be disastrous, so be sure you are always sending the information over an encrypted channel. Do not ever store unencrypted PHI unless it needs to be unencrypted for a very specific reason. PHI should be either be delivered as an encrypted list to the end user (and that user should have the proper role permissions to receive such a list), or the information should be rendered as a complete mail piece and delivered to the printer/mailer with the contact information already within the indicia of the piece.

These, among hundreds of other controls, are put in place by Tea Leaves Health to ensure all PHI is protected within our networks, systems and partners. We have followed all of the necessary steps to guarantee that our print vendor is compliant with all HIPAA requirements, so your patients and prospects stay educated about their healthcare choices and your data stays secure.

If protecting your patients’ data is of the utmost importance to your organization, then contact us to boost your data security.