If you’re a healthcare practitioner doing your best to comply with HIPAA, the terms “privacy” and “security” may seem to blur together into one general concept of protection. The terms are occasionally used interchangeably, and their intent to protect personal information does overlap, but they have very different meanings. If you’re a healthcare professional, it’s important that you understand these differences so you can successfully follow the HIPAA rules that have been put in place to protect your clients. Today, we’re taking a closer look at security and privacy and the integral role they both play in keeping your clients’ protected health information (PHI) safe.
What is privacy?
When the term “privacy” is used in the context of the exchange of information online, it refers to an individual’s right to control personal information and how it’s used.
HIPAA Privacy Rule
The HIPAA Privacy Rule sets the standards for who may have access to PHI. It covers all PHI, not just electronic, and specifies the scenarios in which the transmission of personal data is appropriate.
Without the HIPAA Privacy Rule, PHI could be passed back and forth online regardless of who might be viewing, mishandling, or stealing it. The rule requires healthcare practices to give careful thought to how PHI is transferred and provides some recourse when it’s mishandled.
Privacy and your practice
One of the best things you can do to ensure that your practice is protecting your clients’ privacy is to familiarize yourself with the HIPAA Privacy Rule. In the rule’s summary, you’ll find an explanation of what constitutes PHI, what does and does not qualify as a permitted use or disclosure, what “limiting uses and disclosures to the minimum necessary” means, as well as the penalties if you don’t protect your clients’ privacy, properly explain your policies in a Notice of Privacy Practices, and support your clients’ right to access their records. It’s worth the time to sit down and read through the summary to fully grasp your responsibilities when it comes to privacy.
Some simple best practices you can put in place right now to protect your clients’ privacy include the following:
- When responding to emails, be wary of email addresses you don’t recognize. If you receive an email requesting information that might be PHI, and you aren’t sure where the email is coming from, confirm who the person is and the purpose of the email.
- Make sure you’re sending email to the right recipient. When your email application automatically fills in a name, it’s easy to mistake John Smith for Jean Smith. The solution is to slow down when sending an email and take the time to carefully select the correct address.
- Don’t put sensitive information in the subject line. Subject lines are not private: they are displayed when listing emails and can be seen in notifications on some devices. Be sure to place any private or identifying information in the body of the email, not the subject line.
- Don’t send group emails. If the email implies information about the recipients, such as an email welcoming new members to a support group, then it’s considered to be PHI and under the protection of HIPAA. If you must send group emails, make sure they contain only very general information.
- Don’t respond publicly to reviews. Due to privacy concerns, publicly responding to reviews with anything more than a carefully worded “thank you” is a definite HIPAA violation. Even acknowledging the relationship is a disclosure of PHI.
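The email practices above can be turned into a pre-send check. The following is an added example, not code from the original post or from Hushmail: it assumes a constructed address book and a constructed list of subject-line patterns, and it flags group emails, recipients who are not in the address book (with a hint when the address is a near miss of a known one), known recipients whose names are easily confused with another contact, and subject lines that look like they carry clinical or identifying detail.

```python
import difflib
import re

# Constructed sample address book: verified email address -> contact name.
ADDRESS_BOOK = {
    "john.smith@example.com": "John Smith",
    "jean.smith@example.com": "Jean Smith",
    "colleague@clinic.example": "Practice Colleague",
}

# Constructed, illustrative patterns that suggest PHI in a subject line.
SUBJECT_PATTERNS = [
    r"\b(diagnos\w*|therapy|treatment|prescription|session|appointment)\b",
    r"\b\d{1,2}/\d{1,2}/\d{2,4}\b",   # a date, e.g. a date of birth or visit
    r"\b(mrn|patient id|dob)\b",
]


def check_outgoing(to, subject):
    """Return a list of warnings for an outgoing message; empty means no concern found."""
    warnings = []
    # Group emails: the recipient list itself can reveal a shared relationship.
    if len(to) > 1:
        warnings.append("group email: the recipient list may itself be PHI; "
                        "send individually or keep the content very general")
    for addr in to:
        key = addr.lower()
        name = ADDRESS_BOOK.get(key)
        if name is None:
            # Unknown address: check whether it is a near miss of a known one (a typo).
            near = difflib.get_close_matches(key, ADDRESS_BOOK, n=1, cutoff=0.8)
            hint = f"; did you mean {near[0]}?" if near else ""
            warnings.append(f"unknown recipient {addr}{hint}")
        else:
            # Known address whose contact name resembles another contact (John vs Jean).
            others = [n for k, n in ADDRESS_BOOK.items() if k != key]
            lookalike = difflib.get_close_matches(name, others, n=1, cutoff=0.75)
            if lookalike:
                warnings.append(f"lookalike: {name} <{addr}> is easily confused with "
                                f"{lookalike[0]}; double-check the address")
    for pat in SUBJECT_PATTERNS:
        if re.search(pat, subject, re.IGNORECASE):
            warnings.append("subject line appears to contain identifying or clinical "
                            "detail; move it into the message body")
            break
    return warnings
```

Run it on each draft before sending; an empty list means none of the checks fired, not that the message is safe to send.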
What is security?
While “privacy” has to do with the right to keep personal information safe and confidential, “security” has to do with the safeguards that are put in place to actually protect that information.
HIPAA Security Rule
The HIPAA Security Rule sets the standards for ensuring that only those who should have access to electronic PHI (ePHI) will have access. According to the HHS’s summary of the Security Rule, “the Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI.” The HIPAA Security Rule only covers ePHI and requires practices to have certain administrative, physical, and technical safeguards in place to protect PHI from leaks, breaches, cybercrimes, and other web vulnerabilities.
Security and your practice
Just as with the HIPAA Privacy Rule, one of the best things you can do to ensure your practice is implementing adequate security safeguards is to familiarize yourself with the HIPAA Security Rule. You’ll find plenty of information about who is covered by the rule (including Business Associates), what information is protected, and general rules for maintaining “reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.”
One of the safeguards required by the Security Rule is a risk analysis, which we discussed in our last blog post, followed by risk management. A risk analysis will give you a clear picture of what needs to be protected, and a risk management plan spells out what must be done to provide that protection. Once you’ve conducted a risk analysis, you may find you want to include some of the following safeguards in your risk management plan:
- Encryption is the gold standard when it comes to securing ePHI. Hushmail has a proven track record of providing industry-standard OpenPGP encryption to protect the contents of email and web forms, ensuring security and privacy.
- Strong passwords are easy to generate and use if you have a reliable password manager. The most important thing is to use unique passwords that are difficult to guess. Using the same password for multiple accounts opens the door to security breaches.
- Two-step verification requires you to verify your identity using two different methods when signing into an account. In most cases, the first method is a password, and the second is a separate security code that’s delivered to a second device by text message or another email account, or generated by an app such as Duo Mobile or Google Authenticator.
Support privacy and security with encrypted email and web forms
Privacy and security are both important to the integrity of your practice and necessary for achieving HIPAA compliance. Hushmail for Healthcare provides HIPAA-compliant services that support both.