Don’t share accounts or passwords
HIPAA requires individual accountability and audit trails for access to digital PHI. It can be extremely convenient, and sometimes even seem necessary, for staff to share an account, but there’s almost always an equally functional option that doesn’t violate this most basic requirement.
While we’re on the subject of accounts and passwords, this is a great time to mention multi-factor authentication. Whether it’s handled via text messages, authenticator apps, push notifications, or physical security keys, MFA is a great way to defend against both account sharing and account compromise, and help ensure a one-to-one relationship between people and accounts.
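The audit-trail requirement above is only useful if someone reads the trail. The following Python script is an added example (not from the original article) showing how a practice could scan its login audit log for the classic symptom of a shared account: one username logging in successfully from several different workstations within a short window. The log format (`timestamp user=… host=… src=… event=… result=…`) and the sample lines are constructed for the example; adapt `parse_line` to whatever your EHR or directory service actually emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format, one login event per line).
SAMPLE_LOG = """\
2024-03-04T08:55:10Z user=nurse1 host=WS-03 src=10.0.4.21 event=login result=success
2024-03-04T09:02:44Z user=frontdesk host=WS-01 src=10.0.4.11 event=login result=success
2024-03-04T09:05:12Z user=frontdesk host=WS-02 src=10.0.4.12 event=login result=success
2024-03-04T09:06:30Z user=frontdesk host=WS-05 src=10.0.4.15 event=login result=success
2024-03-04T09:40:00Z user=nurse1 host=WS-03 src=10.0.4.21 event=logout result=success
2024-03-04T13:10:05Z user=drsmith host=WS-09 src=10.0.4.31 event=login result=success
2024-03-04T13:11:59Z user=drsmith host=WS-09 src=10.0.4.31 event=login result=failure
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a parsed datetime."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_shared_accounts(log_text, window=timedelta(minutes=15), min_hosts=2):
    """Return {user: sorted hosts} for every account that logged in successfully
    from at least `min_hosts` distinct workstations within any `window`-long span.

    A single person rarely sits at three desks in a quarter of an hour; a
    generic "frontdesk" account that does is almost certainly being shared."""
    logins = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only successful logins matter; failures and logouts don't prove use.
        if rec.get("event") == "login" and rec.get("result") == "success":
            logins[rec["user"]].append((rec["ts"], rec["host"]))

    findings = {}
    for user, events in logins.items():
        events.sort()
        # Slide a window anchored at each login and count distinct hosts in it.
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for user, hosts in find_shared_accounts(SAMPLE_LOG).items():
        print(f"possible shared account: {user} used from {', '.join(hosts)}")
```

Running this on the sample log flags only `frontdesk`, which appeared on three workstations inside fifteen minutes, while `nurse1` and `drsmith` each have one successful login and are left alone. Tune `window` and `min_hosts` to your office layout, and treat a hit as a prompt to issue individual accounts and enable MFA, not as proof of wrongdoing by any one person.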
Ensure PHI is encrypted
This requirement causes many headaches in medicine and keeps faxes relevant today. Email often fails HIPAA compliance because it can revert to insecure delivery. Simple tools can ensure encrypted, compliant email. However, many healthcare offices still use faxes. A digital office can maintain fax capabilities without a machine, as most internet providers offer secure fax services and can sign a BAA for PHI.
It's important to remember that patient information must always be encrypted while it is in a covered entity's possession. Unlike in the past, when encryption required special software and added long boot times, modern computers have encryption built in. BitLocker on Windows (Professional editions and above) and FileVault on macOS provide seamless, free solutions that meet this requirement.
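Turning BitLocker or FileVault on once is not the same as knowing every device is still encrypted a year later. The following Python script is an added example (not from the original article) of a small inventory check: it parses the status text that Windows `manage-bde -status` and macOS `fdesetup status` print and flags any device whose OS volume is not fully encrypted. The device names and the command output in `INVENTORY` are constructed for the example; in practice you would collect that output from each machine. Note the BitLocker caveat it handles: a volume can report "Fully Encrypted" while "Protection Off" means the protectors are suspended and the key is stored in the clear, which should count as non-compliant.

```python
import re

# Constructed sample inventory (hypothetical hostnames). Each entry is
# (platform, captured output of the platform's disk-encryption status command).
INVENTORY = {
    "RECEPTION-PC": ("windows", """\
Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""),
    # Encrypted, but protection suspended: the clear key is on disk.
    "BILLING-PC": ("windows", """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
"""),
    "EXAM-LAPTOP": ("windows", """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
"""),
    "DR-MACBOOK": ("macos", "FileVault is On.\n"),
    "FRONT-IMAC": ("macos", "FileVault is Off.\n"),
}


def bitlocker_ok(output):
    """True if `manage-bde -status` output shows a fully encrypted volume with
    protection on; False if not; None if the output could not be parsed."""
    conv = re.search(r"Conversion Status:\s*(.+)", output)
    prot = re.search(r"Protection Status:\s*(.+)", output)
    if not conv or not prot:
        return None
    return (conv.group(1).strip() == "Fully Encrypted"
            and prot.group(1).strip() == "Protection On")


def filevault_ok(output):
    """True if `fdesetup status` reports FileVault on; False if off; None if unparsed."""
    m = re.search(r"FileVault is (On|Off)\.", output)
    if not m:
        return None
    return m.group(1) == "On"


def audit_inventory(inventory):
    """Return {hostname: reason} for every device that fails the encryption check."""
    findings = {}
    for host, (platform, output) in inventory.items():
        if platform == "windows":
            ok = bitlocker_ok(output)
        elif platform == "macos":
            ok = filevault_ok(output)
        else:
            ok = None
        if ok is None:
            findings[host] = "encryption status could not be determined"
        elif not ok:
            findings[host] = "disk not fully encrypted or protection suspended"
    return findings


if __name__ == "__main__":
    for host, reason in sorted(audit_inventory(INVENTORY).items()):
        print(f"NON-COMPLIANT {host}: {reason}")
```

On the sample inventory this reports `BILLING-PC`, `EXAM-LAPTOP` and `FRONT-IMAC`, and passes `RECEPTION-PC` and `DR-MACBOOK`. The parser reads the first `Conversion Status`/`Protection Status` pair it finds, which is the OS volume on a typical single-drive office PC; machines with additional data volumes should be checked volume by volume.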
Know your vendors
Ensure your vendors understand your requirements. Every covered entity must verify that any party handling their information complies with encryption standards (both in motion and at rest) and signs a Business Associate Agreement (BAA). These agreements clarify privacy obligations during and after the contract. Many HIPAA-compliant vendors have ready-made BAAs, but if you need one, the Department of Health and Human Services offers a free example BAA for download.