When it comes to patient data, healthcare professionals have a sacred duty to protect and store it responsibly. Chiropractors and other healthcare professionals are now expected and required to keep an even sharper eye on potential HIPAA violations due to recent updates of the HIPAA Security Rule, primarily pertaining to preventing cybersecurity breaches of electronically held patient records. What should chiropractors, chiropractic staff and similar professionals do to improve cybersecurity in their practices?

New HIPAA Requirements

Chiropractic Economics provides a comprehensive overview of the need-to-know basics on this issue in its article “Your cybersecurity checklist: What you need to know”. The updated HIPAA Security Rule now allows only 15 days for a practice to respond to a concern about a data breach or to a patient's request for a copy of their records. Agility and responsiveness in recordkeeping are therefore essential.

If adapting to changes in technology is a challenge for your practice, it is probably time to invest in additional training and/or technical support. Encryption is a mandatory precaution for all protected health information, regardless of the medium used. Multi-factor authentication is also required, meaning staff receive a code on a trusted device or email address at each login.

Patients also have expanded rights, such as the right to have their health records sent to personal health apps and to take pictures of their records during a visit. Protection of reproductive health information, in particular, has changed significantly, so make sure your privacy notices and practices comply with the new rules.

Communication Monitoring

When it comes to communication, is protected information treated like it’s Fort Knox, or are bits and pieces floating around that shouldn’t be? The more casual the communication tools used, the easier it can be to let vital information slip through the cracks. Yet emails, texting, appointment reminders and mobile apps all require proper HIPAA security standards. Whatever method you are using to transmit patient data, encryption and secure access must be present.

If you work with a third-party vendor, that vendor's handling of your patient data must be scrutinized. When was the last time you spoke with your electronic health records (EHR) provider? It would be prudent to do so and to confirm that their security protocols are sufficient. Is your data encrypted at rest (when not being accessed) and in transit (while being accessed or traveling between sites or servers)? Is multi-factor authentication enabled? Are access logs maintained? If your EHR provider cannot say yes to these questions, it may be time to update your service or find another provider. New regulations now require annual verification of security measures, so keep documentation of that verification as protection in the event of an audit.

Smaller practices might assume that the new requirements do not apply to a practice of their size, but HIPAA applies regardless of size. There is some flexibility, in that a small outfit doesn’t need the same framework as a hospital, but reasonable safeguards are still expected. Every device used for patient data needs secure logins and encryption.

Phones, tablets and computers need secure lockdown procedures when not in use. Make a point to regularly remind your team of the importance of patient data protection. Have refreshers to help avoid common mistakes like clicking a suspicious link or leaving a screen open in public view.

Cybersecurity in check

Here is a checklist to guide you as you stand as the first line of defense for valuable patient data:

  • Ensure all patient data is encrypted at rest and in transit.
  • Enable multi-factor authentication at every point where patient data is accessed.
  • Update your policies to reflect the new response timelines and patient rights.
  • Train staff on the new rules and document that training and its implementation.
  • Review all vendors for HIPAA compliance.
  • Document all relevant efforts, such as training sessions, vendor information and system updates.
  • Consider a third-party penetration test. In a penetration test, a cybersecurity expert is authorized to legally attempt to “break into” your system to identify vulnerabilities before a real attacker does. It is not a HIPAA requirement, but it is highly recommended and gives a clear view of your weak points and how to fix them.

Trust is key in the healthcare field. Patients are trusting you not only with their physical well-being but also with their private, personal health information. Providing complete care, on every front, must be a top priority.