How To | Privacy and HIPAA

5 ways to drive patient privacy law compliance from within your organization


  • Start from the inside to mitigate top healthcare data risks.
  • Protecting patient data in a dynamic healthcare environment is replete with unique challenges.
  • From accidental data leaks to malicious theft, insiders account for the vast majority of healthcare-related data breaches.

When healthcare organizations fail to protect patient personal information, they may face damage to their reputation and lose patients to other healthcare providers viewed by the public as more responsible and reliable. In addition, when privacy laws are violated, financial penalties and other sanctions may ultimately make it more challenging for these healthcare providers to deliver quality patient care.

While it makes sense to protect patients’ health-specific data, social security numbers and home addresses from external bad actors, the most significant threats are on the inside. According to a HIPAA Journal article of April 3, 2018, insiders, whether through accidental data leaks or malicious theft, account for the vast majority of healthcare-related data breaches.

Healthcare providers need to develop plans for protecting patient information. Unfortunately, there isn’t a silver bullet that ensures 100% security under every circumstance, but every organization can do a better job of protecting patient data.

Here are five steps that every healthcare provider should take to guard against insider threats in 2020.

1. Detect and prevent insider threats. Insider threats are more than just an abstraction, and they occur with frightening regularity both from accidental data disclosures and malicious theft.

According to Verizon’s 2018 Insider Threat Report, more than half of all healthcare companies were impacted by an insider threat, and carelessness is one of the main culprits. Everything from ubiquitous access to mobile technology to the blurring lines between personal and professional data creates an environment that’s poised for data misuse.

For example, nearly 30% of all healthcare team members use personal devices to transmit patient information, a practice that creates data privacy concerns on many levels, according to an article in JMIR Human Factors.

In this dubious digital environment, IT administrators can’t be expected to protect what they can’t identify. Fortunately, insider threats have many observable indicators, and software solutions such as robust monitoring tools can detect those bad actors and prevent them from misusing protected health information (PHI) and personally identifiable information (PII).

Regardless of an employee’s intent, healthcare companies have a responsibility to detect and prevent data misuse, and deploying the right tools is the first step in the process.

2. Provide guidelines and policies against data mismanagement. If employees are expected to protect patients’ data, then healthcare organizations need to provide clear guidelines and policies to help prevent data mismanagement. These might include:

  • Specifying the devices that can be used to access patient data
  • Identifying appropriate time and place of data access
  • Maintaining a need-to-know posture toward healthcare data
  • Prioritizing discretion when transmitting patient information
  • Utilizing approved communication channels for professional discourse

At the same time, healthcare leaders need to give employees real-time awareness of how their actions affect patient data so that they can act on these policies.

Protecting patient data in a dynamic healthcare environment is replete with unique challenges. Even the most well-intentioned employees can violate HIPAA privacy regulations, so checks and balances such as real-time alerts to promote data awareness are both helpful and necessary.

In addition, automated technical safeguards that control access to PHI can significantly reduce patient data exposure while lessening the possibility of a compliance violation.

3. Data-driven training and retraining. HIPAA requires that companies handling PHI and PII prepare their employees to handle this information. While the HIPAA regulation requires companies to “train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions,” the tangible expression of this training is largely left up to individual entities.

Regardless of the methodology, data security and privacy training should be consistent, clear and accountable. First-day orientation and annual meetings are not enough to protect PHI and PII.

It needs to be baked into the company’s ethos, and that only occurs with repetition and regular instruction.

Other training-related keys include:

  • Data security training should be specific and data-driven, ensuring that employees are prepared to protect patient data.
  • Healthcare companies can leverage their monitoring software to address specific shortcomings within an organization.

For example, it’s estimated that nearly 500,000 records are compromised every day because of mobile devices, according to HIPAA Journal. If a company finds that its employees routinely access patient data from a mobile device, they can target their training to restrict or prioritize data access from these devices.

4. Endpoint data loss prevention. Whenever possible, preventing a data loss event is a top priority for healthcare IT administrators, and software is the best weapon in this ongoing battle. Employee monitoring software can provide real-time notifications of suspicious data activity. This can reduce response time from hours or days to minutes, potentially preventing a data disaster before it starts.

To put it simply, identifying possible threats is important, but stopping them from stealing or revealing sensitive data is the goal.
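To make the policy list in step 2 and the real-time notifications in step 4 concrete, here is an added example (not the article's or Teramind's code) that evaluates constructed PHI access-log records against those policies and emits an alert for each violating access; the policy values, device names, user names and patient IDs are all assumptions:

```python
"""Policy checks over constructed PHI access-log records (added example).

Each rule mirrors one bullet from the article's policy list: approved
devices, approved time and place, need-to-know, and approved channels.
"""
from datetime import datetime

# Constructed policy; the sets and hours are assumptions, not a product's settings.
POLICY = {
    "approved_devices": {"ws-icu-01", "ws-er-07"},
    "approved_hours": (7, 19),            # local hours during which PHI access is expected
    "approved_locations": {"on-site"},
    "approved_channels": {"ehr", "secure-msg"},
    # Need-to-know: which staff members are on each patient's care team (constructed).
    "care_teams": {"P1001": {"dr.lee", "rn.diaz"}, "P1002": {"dr.lee"}},
}

def check_access(event, policy=POLICY):
    """Return the policy rules an access event violates (empty list = compliant)."""
    violations = []
    if event["device"] not in policy["approved_devices"]:
        violations.append("unapproved-device")
    hour = datetime.fromisoformat(event["time"]).hour
    start, end = policy["approved_hours"]
    if not (start <= hour < end):
        violations.append("off-hours")
    if event["location"] not in policy["approved_locations"]:
        violations.append("off-site")
    if event["user"] not in policy["care_teams"].get(event["patient"], set()):
        violations.append("no-need-to-know")
    if event["channel"] not in policy["approved_channels"]:
        violations.append("unapproved-channel")
    return violations

def alerts_for(events, policy=POLICY):
    """Real-time style alerting: one (user, patient, rules) tuple per violating event."""
    return [(e["user"], e["patient"], check_access(e, policy))
            for e in events if check_access(e, policy)]

# Constructed sample log: two compliant accesses and two that should raise alerts.
SAMPLE_LOG = [
    {"user": "rn.diaz", "patient": "P1001", "device": "ws-icu-01", "time": "2020-03-02T09:15:00", "location": "on-site", "channel": "ehr"},
    {"user": "dr.lee", "patient": "P1002", "device": "ws-er-07", "time": "2020-03-02T14:40:00", "location": "on-site", "channel": "secure-msg"},
    {"user": "rn.diaz", "patient": "P1002", "device": "phone-byod-3", "time": "2020-03-02T23:05:00", "location": "off-site", "channel": "sms"},
    {"user": "billing.kim", "patient": "P1001", "device": "ws-er-07", "time": "2020-03-02T10:00:00", "location": "on-site", "channel": "ehr"},
]

if __name__ == "__main__":
    for user, patient, rules in alerts_for(SAMPLE_LOG):
        print(f"ALERT {user} -> {patient}: {', '.join(rules)}")
```

The third record trips every rule at once, while the fourth is a quiet need-to-know violation from an approved workstation during business hours, the kind of careless access the article says monitoring must catch.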

5. IT forensics in the aftermath of a data breach. Of course, threats to data security keep evolving and take many forms, and when something does go wrong, healthcare providers need to learn from the episode and be able to meet their burden of proof.

Today’s employee monitoring software allows hospitals and other healthcare providers to produce detailed incident reports derived from session recordings, access logs and other data points. This information can be shared with privacy officers and can be analyzed to improve best practices going forward.

Meanwhile, IT forensics allows companies to hold perpetrators responsible, ensuring that malicious data theft is detected and appropriately punished.

To adequately protect patient data, healthcare companies need to turn their attention to potential insider threats, implement guidelines and policies against data mismanagement, focus on employee training and retraining, prevent data loss in the first place and enable IT forensics to manage and analyze data breaches.

About the Author

Isaac Kohen is VP of research and development at Teramind (


