Practice Data Security Policy and Standards

Every employee needs to understand his or her obligation to protect patient data. Employees also need clear expectations about how to behave when they interact with sensitive patient data. For that to happen, every practice should have a data security policy. It should outline the policies and procedures that help safeguard employee, patient and third-party data, and other sensitive information.

The essential elements that form the foundation of a good privacy plan include:

Safeguard data privacy:

Employees must understand that your practice's privacy policy is a pledge to your patients that confidential patient information will be protected.

Establish password management:

A password policy should be established for all employees or temporary workers who have access to confidential practice data.

Govern internet usage:

Most employees use the Internet without thinking about the potential consequences. Employee misuse of the Internet can place your practice in a costly position.

Manage email usage:

Many data breaches are the result of employee misuse of email, which can result in the loss or theft of data, and the accidental downloading of viruses or other malware.

Govern and manage practice-owned mobile devices:

When practices provide mobile devices for their employees to use, a formal process should be implemented to help ensure that mobile devices are secure and used appropriately.

Establish an approval process for employee-owned mobile devices:

With the increased capabilities of consumer devices, such as smartphones and tablets, it has become easy to interconnect these devices to practice applications and infrastructure.

Govern social media:

A strong social media policy is crucial for any practice that seeks to use social networking to promote its activities and communicate with its patients.

Oversee software copyright and licensing:

Employees should not download or use software that has not been reviewed and approved by the practice manager or practice owner.

Report security incidents:

A procedure should be in place for employees to report malware in the event it is inadvertently downloaded onto practice computers.