Safeguarding Employee & Practice Data: Tips for the Healthcare Administrator
by John V. Pettrone, SPHR, Practis HR
Technology has driven the need for practices to develop internal policies and procedures around the handling of confidential employee and practice information.
So what is a data security breach, what can be done to minimize the risk, and what should be done if your practice suffers a security breach? A security breach occurs when an unauthorized person (or persons) acquires or accesses an employee's or organization's sensitive information.
There are technical and employee safeguards that your practice can adopt to help prevent a security breach.
Technical Safeguards
Technical data safeguards are centered on access controls such as firewalls, encryption, and password protection.
Firewall. A firewall is a system designed to prevent unauthorized access to or from a private network and can be implemented in both hardware and software, or a combination of the two. Firewalls are frequently used to prevent unauthorized internet users from accessing private networks connected to the internet. All messages and data entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Encryption. Encryption is the translation of data into a secret code. It is the most effective way to achieve data security. To read an encrypted file, you must have the secret key or password that was used to protect it. There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.
Password Protection. A password is a secret series of characters that enables a user to access a file, computer, or program. A user must enter his or her password before the computer will respond to commands. The password helps ensure that unauthorized users do not access the computer, data files, and/or programs. Ideally, the password should be something that nobody could guess. In practice, most people choose a password that is easy to remember, such as their name or their initials.
Employee Safeguards
According to privacy experts, when it comes to keeping data secure, the weakest link is often the very employees who access the information. In many cases of a data security breach, it comes down to whether people follow internal procedures.
There are many actions your practice can take to minimize the risk of employees committing data security breaches, whether unintentionally or unlawfully:
- Give employees access only to the data they need to do their job.
- Keep hard-copy confidential employee and patient information in lockable files.
- Create a contractual obligation for employees to maintain the confidentiality of your employee and practice data.
- Limit internal and external access to data.
- Develop a written data security policy and breach notification policy.
- Train all employees and contractors on the data security policy.
- Designate an employee who will take ownership of the data security and breach notification process/policy.
What to do if there has been a data security breach
A breach notification policy should take into account all state notification laws that might apply. In general, such a policy should provide for taking the following steps in the event of a data-security breach:
- Notify the appropriate law enforcement authorities.
- Notify legal counsel.
- Initiate an investigation into the data security breach.
- In the event of an employee data security breach, notify employees within the required time frame.
A breach in the security of employee and practice records can come at a high price for a practice and its employees.
To contact John Pettrone, Practis HR, please call 800-238-0095 or email jpettrone@practisinc.com.