Keeping Patient Information Safe: Data Privacy and Security for Med Spas

Is your Med Spa HIPAA compliant? Keep reading to learn what HIPAA compliance entails, how you can ensure your Med Spa stays in compliance—and what to do in case of a security breach.

What Is a Med Spa?

According to the American Med Spa Association: A medical spa is a medical facility where elective, non-invasive medical and non-medical aesthetic procedures are provided.

According to the American Society of Plastic Surgeons: A med spa is a combination of an aesthetic medical center and a day spa that provides nonsurgical aesthetic medical services under the supervision of a licensed physician.

Compliance Programs for Med Spas

  • Every med spa must have a healthcare compliance program

  • Culture of compliance starts at the top of the organization

  • Active and robust policies and procedures – not a dusty binder on the shelf

  • Must be tailored to size and nature of organization and reflect operations

  • Compliance Officer (including HIPAA Privacy and Security Officer)

  • Focus on most significant risk areas

Are Med Spas Subject to HIPAA?

Med Spas are governed by federal, state and local laws and regulations. The data privacy and security requirements differ on a state-by-state basis. HIPAA is a minimum floor for healthcare data privacy and security, and patients fully expect their personal data to be protected. Compliance with HIPAA mitigates legal risk and avoids scrutiny by state and federal government (e.g., OCR and state AGs) as well as patient private causes of action.

What Is HIPAA?

PRIVACY:

  • To ensure that patient-held information is kept confidential

SECURITY:

  • To ensure compliance with the HIPAA Security Rule and the confidentiality, integrity and availability of electronic patient health information (ePHI)

  • To protect against any reasonably anticipated threats or hazards

  • To protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under the Privacy Rule

What Is Protected Health Information? (PHI)

  • Any information, transmitted or maintained in any medium, including demographic information

  • Created/received by covered entity or business associate

  • Relates to/describes past, present or future physical or mental health or condition; or past, present or future payment for provision of healthcare; and

  • Can be used to identify the patient

Types of Data Protected By HIPAA

  • Written documentation and all paper records

  • Spoken and verbal information including voice mail messages

  • Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device

  • Photographic images

  • Audio and Video recordings

What Is a Breach?

Breach is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of the information. Impermissible use or disclosure is presumed to be a breach unless the facility or business associate proves that there is a low probability that PHI has been compromised.

What Constitutes a Breach?

Accessing more than the minimum necessary:

  • Failing to log off when leaving a workstation

  • Unauthorized access to PHI

  • Sharing confidential information, including passwords

  • Having patient-related conversations in public settings

  • Improper disposal of confidential materials in any form

  • Copying or removing PHI from the appropriate area

Why?

  • Curiosity…about a co-worker or friend

  • Laziness…so shared sign-on to information systems

  • Compassion…the desire to help someone

  • Greed or malicious intent…for personal gain

Responsibility to Report Promptly

When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together. Compliance is everyone’s responsibility. If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please contact the Privacy Officer immediately. It is much better to investigate and discover no breach than to wait and later discover that something did happen.

Example 1:

  • Is it ok to have a patient sign in sheet? Isn’t it a HIPAA violation for people to know that the individual is a patient of our practice or has an appointment?

Example 2:

  • My neighbor is a patient and I am very concerned about her. I know she had an appointment today. Is it ok to reach out on Facebook or text her after her appointment?

    • No matter how well-intentioned you may be, patients have a right to privacy. You should avoid asking patients about their appointments, test results, etc. And you should NEVER access a patient’s medical records unless you have a need to know.

Example 3:

  • My ex-husband recently had some tests run.  I want to assure my children that everything is ok.  Can I review his test results?

    • This would be a HIPAA violation. In this scenario, the employee does not have a need to know this information. Accessing the test results would violate HIPAA.

Do’s and Don’ts

  • Avoid conversations involving PHI in public or common areas such as hallways or elevators.

  • Keep documents containing PHI in locked cabinets or locked rooms when not in use.

  • During work hours, place written materials in secure areas that are not in view or easily accessed by unauthorized persons.

  • Do not leave materials containing PHI on desks or counters, in conference rooms, on fax machines/printers, or in public areas.

  • Do not remove PHI in any form from the designated work site unless authorized to do so by management.

  • Never take unauthorized photographs in patient care areas including audio and video.

Med Spa HIPAA Compliance for Social Media

Posting information on social media (such as a Facebook post, YouTube video or blog post) or any Internet or app-based source that discloses PHI or “individually identifiable health information” traceable to the patient is impermissible.

HIPAA Security Standards

  • HIPAA security standards ensure the confidentiality, integrity, and availability of Protected Health Information (PHI) created, received, maintained, or transmitted electronically by and with all facilities.

  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted.

Rules for Access

  • Access to computer systems and information is based on your work duties and responsibilities.

  • Access privileges are limited to only the minimum necessary information you need to do your work.

  • Access to an information system does not automatically mean that you are authorized to view or use all the data in that system.

  • Different levels of access to PHI for different personnel are intentional.

  • If job duties change, clearance levels for access to PHI are re-evaluated.

  • Access is eliminated if an employee is terminated.

  • Accessing PHI for which you are not cleared or for which there is no job-related purpose will subject you to sanctions.

Rules for Protecting Information

  • Do not allow unauthorized persons into restricted areas where access to PHI could occur.

  • Arrange computer screens so they are not visible to unauthorized persons and/or patients; use privacy screens in areas accessible to the public.

  • Log in with password, log off prior to leaving work area, and do not leave computer unattended.

  • Close files not in use/turn over paperwork containing PHI.

  • Do not duplicate, transmit, or store PHI without appropriate authorization.

  • Storage of PHI on unencrypted removable devices is prohibited without prior authorization.

Encryption of PHI

  • Electronic protected health information must be encrypted when stored in any location outside the EHR including desktops, laptops, and other mobile devices (thumb drives, CDs, DVDs, smart phones, email, cloud storage devices, etc.).

    • Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure

  • Personal computers or other personal electronic equipment (equipment not owned by the Med Spa) may not be used to store protected health information. Any exceptions must be approved by the Compliance Officer.

  • Due to a lack of infrastructure and control of delivery, the use of unencrypted text messaging of any protected health information is strongly discouraged. Text messaging of medical orders is prohibited.

Password Management

  • Do not allow coworkers to use your computer without first logging off your user account.

  • Do not share passwords or reuse expired passwords.

  • Do not use passwords that can be easily guessed (dictionary words, a pet’s name, a birthday, etc.).

  • Passwords should not be written down; if writing down a password is required, it must be stored in a secured location.

  • Passwords should be changed if you suspect someone else knows them.

  • Disable passwords or delete accounts when employees leave.

Protection from Malicious Software

  • Malicious software can be thought of as any virus, worm, malware, adware, etc.

  • As a result of an unauthorized infiltration, PHI and other data can be damaged or destroyed.

  • Notify the Compliance Officer immediately if you believe your computer has been compromised or infected with a virus—do not continue using computer until resolved.

  • Ensure antivirus and other security software is installed on all computers and is never disabled. Any personal devices used for access to PHI must have appropriate antivirus software.

  • Do not open e-mail or attachments from an unknown, suspicious, or untrustworthy source or if the subject line is questionable or unexpected—DELETE THEM IMMEDIATELY.

Ransomware

  • Ransomware is malicious software that denies access to data, usually by encrypting the data with a key that the attacker only provides once the ransom is paid.

  • Presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident.

    • Whether it results in an impermissible disclosure of PHI and/or a breach depends on the facts and circumstances of the attack.

    • When ePHI is encrypted due to a ransomware attack, a breach has occurred because the ePHI was acquired.

  • Once the ransomware is detected, we must initiate our security incident response and reporting procedures.

    • If the computer holding the encrypted data is powered on and the operating system is loaded, the data is in a decrypted state and breach notification may need to occur.

    • Notification of a breach of unencrypted or decrypted data must occur unless there is a “low probability the PHI has been compromised.”

      • Maintaining frequent backups and ensuring ability to recover data from backups may show low probability (if no exfiltration of PHI).

Beware of Suspicious Emails

  • Be very cautious of suspicious emails that request information such as email ID and password, or other personal information claiming that you need to verify an account, or you are out of disk space, or some other issue with your account.

  • Always check the following:

    • From address: check the domain after the @, not just the display name

    • URL link: if you can see the URL in the message, review the website name before the first single slash (/) that follows the domain

    • Hover trick: if you can’t see the URL, hover your mouse pointer over the link without clicking, and a box with the actual URL will appear; compare it with the text of the link.
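The three checks above can be mechanised. The following is an added example, not part of the original page or of any vendor's product: it pulls the domain out of a From header, the host out of a link, and compares the link text with the real link target (the “hover trick”). The trusted domain `example-medspa.com` and the sample messages are constructed placeholders; substitute your own domains.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed placeholder: domains your Med Spa actually sends mail from.
TRUSTED_DOMAINS = {"example-medspa.com"}

# Rough test for "this text looks like a web address" (host + optional path).
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """Return the part after the @ of the real address, ignoring the display name."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def link_host(url: str) -> str:
    """Return the host of a link, i.e. the name before the first single slash.

    urlparse handles the 'user@host' trick, so
    http://example-medspa.com@evil.example/ resolves to evil.example.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True only for a trusted domain or one of its subdomains.

    A suffix match on '.domain' rejects look-alikes such as
    example-medspa.com.evil.example or example-medspa-support.example.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_message(from_header: str, link_text: str, link_href: str) -> list:
    """Apply the three checks and return a list of human-readable findings."""
    findings = []

    sd = sender_domain(from_header)
    if not is_trusted(sd):
        findings.append(f"sender domain '{sd}' is not one of ours")

    host = link_host(link_href)
    if not is_trusted(host):
        findings.append(f"link points to '{host}', which is not one of ours")

    # Hover trick: the visible text looks like a URL but the real target differs.
    if _URL_LIKE.match(link_text.strip()) and link_host(link_text.strip()) != host:
        findings.append(
            f"link text shows '{link_host(link_text.strip())}' but actually goes to '{host}'"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample messages for illustration.
    genuine = check_message(
        "Med Spa IT <helpdesk@example-medspa.com>",
        "https://portal.example-medspa.com/reset",
        "https://portal.example-medspa.com/reset",
    )
    suspicious = check_message(
        "Med Spa IT <helpdesk@example-medspa-support.example>",
        "https://example-medspa.com/verify",
        "http://example-medspa.com.login.example/verify",
    )
    print("genuine:", genuine or "no findings")
    print("suspicious:")
    for f in suspicious:
        print("  -", f)
```

Staff would not run this by hand, but the same logic is what a mail gateway rule or a Compliance Officer's triage script does; the point is that the display name, the link text and anything before an `@` in a URL are all attacker-controlled, and only the real domain counts.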

Use of Technology

  • Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization.

  • Email, internet use, fax and telephones are to be used for Med Spa business purposes.

  • Faxing of PHI should only be done when the recipient can be reliably identified; verify the fax number and recipient before transmitting.

  • No PHI is permitted to leave the Med Spa in any format without prior approval.

  • Where technically feasible, email should be avoided when communicating unencrypted sensitive PHI - follow your organization’s email policy for PHI.

  • No PHI is permitted on any social networking sites (Twitter, Facebook, etc.) without appropriate authorization.

  • No PHI is permitted on any texting or chat platforms.

  • If a situation requires use of email or text, appropriate encryption techniques must be used.

Reporting Security Incidents

  • Notify the Compliance Officer of any unusual or suspicious incident.

  • Security incidents include the following:

    • Theft of or damage to equipment

    • Unauthorized use of a password

    • Unauthorized use of a system

    • Violations of standards or policy

    • Computer hacking attempts

    • Malicious software

    • Security weaknesses

    • Breaches of patient or employee privacy

If you need additional help with HIPAA compliance for your med spa or other medical practice, contact me and see how I can help your business.
