Data Security Best Practices for Fundraisers
As we continue the move to a more digital world, data breaches have become increasingly common in all industries over the last decade, including healthcare. According to the HIPAA Journal, between 2009 and 2020, 3,705 healthcare data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights.
What’s more, those breaches resulted in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records. To put that into perspective, that equates to over 81% of the population of the United States. Healthcare foundations have not been immune to this threat.
While those statistics are shocking and might feel overwhelming, there are some easy things that you and your team can do to protect your donors' data. But first, let’s take a step back and make sure you understand the basics.
How do HIPAA and PHI relate to fundraising?
In an effort to protect people’s healthcare data, the Health Insurance Portability and Accountability Act, better known as HIPAA, was established. HIPAA is a federal law that established a national standard to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
Of the 2,200 pages of regulations under HIPAA, there are a total of 10 paragraphs on fundraising. The most important fact for fundraisers to know is that HIPAA allows covered entities, which includes hospitals and their institutionally related foundations, to use and disclose some patient information for fundraising activity.
Patient healthcare information has additional rules for what’s called protected health information, or PHI. PHI is any information about a patient’s medical history or care that is either given to, or provided by, a clinician. Certain elements of PHI may be used for fundraising purposes, for example contact information such as the patient’s name and address. Other elements, such as a patient’s Social Security number, may not be used.
So all of that means that you and your team probably regularly access sensitive information that needs to be handled appropriately. Here are a few recommendations that your organization can implement to keep your data secure:
Train staff thoroughly and frequently
The biggest security risk to an organization is its staff. It’s easy to click a phishing link or download a suspicious attachment that redirects you somewhere you don’t want to go. It’s important to be cautious when clicking on links, visiting unfamiliar websites, or downloading files. Each of these is an avenue for an attacker to get into your systems or onto your server.
Training staff when they onboard and then at least annually is a way to ensure they remain vigilant. But also reassess training needs whenever circumstances change. If there are significant changes in your systems or in the types of data you receive, you shouldn’t wait until next year to make sure that people understand what their obligations and the risks are.
Having staff able to recite the HIPAA law isn’t necessarily going to have any impact on potential data breaches. It’s more important to show staff how they themselves could pose a risk to the organization, and which actions to be wary of.
Retain the minimum data necessary
This is a simple, but important one. Don’t keep extraneous data. The less data you retain, the lower the risk. If the information isn’t helpful to you or your team, then it’s not worth the headache of the potential problems that it could bring.
Sometimes you might feel like you need to hold onto old information just in case, but in reality you probably won’t need to access that old Excel file or that campaign you ran five years ago. Let the pros store the sensitive information, and reach out to them if you need something specific later on down the road.
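One way to put “retain the minimum data necessary” into practice for a fundraising extract is to build the file from a default-deny allowlist of fields (so anything not explicitly permitted, such as a diagnosis or Social Security number, is dropped even if nobody thought to block it) and to purge records that fall outside a retention window. The code below is an added illustration, not part of the original post or any specific foundation’s tooling; the field names, the allowed set and the retention period are assumptions that your privacy officer would set for your organization, and the patient records are constructed sample data.

```python
from datetime import date, timedelta

# Assumed allowlist for a fundraising extract: contact details only.
# Anything not listed here (ssn, diagnosis, notes, ...) is dropped by default.
FUNDRAISING_ALLOWED_FIELDS = frozenset({
    "donor_id", "first_name", "last_name",
    "street", "city", "state", "zip", "last_contact",
})

# Constructed sample records, including fields that must never reach fundraising.
SAMPLE_RECORDS = [
    {"donor_id": "D-001", "first_name": "Ada", "last_name": "Example",
     "street": "1 Main St", "city": "Springfield", "state": "IL", "zip": "62701",
     "ssn": "000-00-0001", "diagnosis": "sample-condition", "last_contact": "2021-03-01"},
    {"donor_id": "D-002", "first_name": "Ben", "last_name": "Sample",
     "street": "2 Oak Ave", "city": "Springfield", "state": "IL", "zip": "62702",
     "ssn": "000-00-0002", "diagnosis": "sample-condition", "last_contact": "2019-06-15"},
    {"donor_id": "D-003", "first_name": "Cy", "last_name": "Placeholder",
     "street": "3 Elm Rd", "city": "Springfield", "state": "IL", "zip": "62703",
     "ssn": "000-00-0003", "diagnosis": "sample-condition", "last_contact": "2020-06-01"},
]


def minimize_record(record: dict) -> dict:
    """Keep only allowlisted fields; unknown fields are denied, not passed through."""
    return {key: value for key, value in record.items() if key in FUNDRAISING_ALLOWED_FIELDS}


def dropped_fields(record: dict) -> set:
    """Report which fields were stripped, so the extract job can log what it withheld."""
    return set(record) - FUNDRAISING_ALLOWED_FIELDS


def within_retention(record: dict, today: date, retention_days: int) -> bool:
    """True if the record's last contact is inside the retention window."""
    cutoff = today - timedelta(days=retention_days)
    return date.fromisoformat(record["last_contact"]) >= cutoff


def build_fundraising_extract(records, today: date, retention_days: int) -> list:
    """Purge stale records, then minimize the survivors to the allowlisted fields."""
    return [minimize_record(r) for r in records if within_retention(r, today, retention_days)]


if __name__ == "__main__":
    extract = build_fundraising_extract(SAMPLE_RECORDS, date(2022, 1, 1), retention_days=730)
    for row in extract:
        print(row)
    print("withheld per record:", sorted(dropped_fields(SAMPLE_RECORDS[0])))
```

Running the file prints two minimized rows (the 2019 record falls outside the two-year window) and the set of withheld fields, which is what you would want in the job’s audit log: not the values, only the names of what was stripped.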
Have a plan in place
You probably don’t want to think about what happens if your organization has a data breach, but it’s crucial to have a plan in place just in case. This applies to all ends of the data breach spectrum, including as soon as you realize you’ve improperly used or disclosed PHI.
You don’t want to be caught in a situation where a breach has occurred and you don’t know the right steps to follow to report it. Should you notify the privacy officer? The CTO? Both? You want to be able to react quickly to prevent further damage.
Along with a reporting plan, you should have a communication strategy for internal and external communications. Hopefully you never have to break that proverbial glass, but you’d rather have something outlined and not need it, than add to the chaos of a crisis.
Unfortunately, even if you have all the right steps in place, preventing a data breach entirely is probably not possible. There’s not much you can do to stop a truly dedicated cybercriminal. What you can do is demonstrate that you did everything you reasonably could to prevent a data breach from happening.
For more on this topic including additional best practices, check out this webinar.