Patient Privacy & Security

FAQ: Guide to Patient Privacy and Security Best Practices

Private practices can sometimes struggle with patient privacy and data security. This FAQ explains what your practice needs to do to ensure compliance.

Patient privacy and data security are critical elements of our healthcare system at large, but smaller practices may struggle to know where to turn for information that helps keep their businesses safe. This FAQ provides a quick reference for gynecology practices looking to run an efficient but secure electronic office.

  1. How do I choose an EHR before beginning EHR implementation? Your electronic health record, or EHR, serves several purposes — to store, back up and retain your patient data — but it needs to do so securely, and while integrating with your existing equipment as much as possible. Before implementing an EHR, list your wants and needs, compare which features come with which systems, and choose the one that checks the most boxes.
  2. Is medical records management the same for small private practices and large hospitals? Is a small practice held to the same standards as large hospitals for protecting against ransomware attacks? Physicians are required to protect the same information under HIPAA regulations, but the government recognizes that private practices do not have the same operating capital as hospitals, so it allows them flexibility in how they implement cybersecurity safeguards. Though cybercriminals may be more likely to attack hospitals, smaller practices are still held to the privacy regulations. All private practices should regularly conduct a HIPAA risk assessment to confirm that they continue to comply with privacy laws.
  3. How can you protect patient information from hackers? Patient data is appealing to attackers for two reasons. First, most of the data can be sold on the dark web. Second, attackers expect healthcare organizations to have security flaws that are easy to exploit. You can reduce the likelihood of falling victim to a cyberattack by following best practices for encryption and security and by keeping your systems up to date.
  4. What healthcare security best practices should I be following? Following best practices will help you avoid being vulnerable to ransomware and recover if an attack occurs. These best practices include keeping your computer and medical equipment systems up to date and backing up files securely. You should also have an established set of security rules for your practice, conduct regular audits and know how to react if a ransomware attack does occur.
  5. How do federal healthcare cybersecurity guidelines apply to my gynecology practice? The Health Industry Cybersecurity Practices (HICP), published by the U.S. government in 2018, outline how to protect patient data and privacy. Though the practices are voluntary, they are intended to help medical practices of any size mitigate the threat of cyberattacks.
  6. How can I adopt telehealth communication in my practice? Patients are becoming more and more open to telehealth services. Practices that use telehealth appropriately can be reimbursed, potentially see more patients, and even consult with other physicians securely and efficiently. Telemedicine has some privacy and security challenges, but it can be done seamlessly with forethought and the right technology.
  7. Can I correspond with patients by email if I use HIPAA-compliant email encryption? The federal government allows physicians who don't have a secure online patient portal to use email to correspond with patients, but always with "reasonable safeguards." Two of these safety measures include using encrypted email and not using protected health information (PHI) in the subject line. If you are not using encryption, you should omit all PHI.
  8. Do voice search devices like Alexa meet HIPAA requirements for patient privacy? Although digital assistants make life easier in some respects, they are not appropriate for use in a medical practice — and they could lead to security breaches. Assistants like Alexa were not built with privacy in mind, and they are not HIPAA-compliant.

Practices are required to know and follow their obligations under the law. However, protecting patient privacy is also about maintaining trust with patients. Following proper security protocols and ensuring that systems are protected will help a practice meet both its legal obligations and its patients' need for peace of mind.