EHR and practice management for mental / behavioral health

Do You Know Where Your PHI Data is Hiding?

by Donna Koger, 2.11.18

Where is your PHI hiding?Hidden PHI Data = Hacker Candy. If you’re not sure where your PHI data is hiding, check out these locations that may surprise you and could compromise your data security:

USB Drives

Users often forget about PHI data they have incorrectly placed on a vulnerable thumb or flash drive. If lost or stolen, these drives can pose a tremendous threat to your company’s security and HIPAA compliance. Even in cases of “innocent intentions,” there is no protection for your clients, providers or company.

Text Messages

They may be fast and convenient but users often transmit PHI via this unsecure way. Be sure all of your staff understands the danger of relaying private information in text messages. Actually, texting non-secured ePHI is a HIPAA violation and can expose your data to hackers. If audited, your company can be fined up to $50,000 for each insecure text containing ePHI.” Also, be sure your staff is not using their device in a public place with unsecured WIFI connections.

Email Accounts

Your company should use a secure email service, such as Email Pros or others, to secure email transmissions that contain PHI. The safest way to ensure protected PHI via email is to provide all staff with secure email accounts.

Hard Drives on Office Equipment

When your staff scans, copies or faxes documents with PHI, those documents are saved to the hard drives of the equipment used. It can be very dangerous for your company security when people are not aware of the storage on office equipment.

Voice Files and Recordings

Do your providers use recording software such as Dragon for their notes or other PHI? Do clients, staff or providers leave messages on voicemail? Your providers may even keep tapes or other records of PHI in their home or office. These recordings must be protected just as any computer or other storage device.

Previous EMR Systems

What happens to your PHI data once you have completed your migration to a new EMR system? If your company retains copies of old records on a legacy system, the PHI on these backup computers must have the same security in place as the new EMR system.

Medical Device Hard Drives

Speaking of hard drives, what about the CT scanner, MRI machine, dental x-ray device and other medical equipment in your office? Did you know the data on these machines is considered PHI and as such, must be protected by encryption or uploading to a secure cloud storage location. Consult with your IT person or team for details on how to ensure the storage is properly handled by your company.

PHI and Third-Party Providers

It is likely that your company works with third-party vendors, such as an answering service. These vendors need to demonstrate their understanding and implementation of HIPAA compliance (for Business Associates) because your PHI could be found in their possession and not protected.

Faxing PHI

Your company may be sending and receiving PHI via fax, which can present many unintended and unauthorized PHI data dissemination. There are some fax services, such as eFax, that provide a secure method for sending and receiving documents and there are many reasons for using a secure fax service. Bottom line, any healthcare organization should move from “on-premises [physical] fax equipment to a hosted, cloud fax model.” And, as always, you should be able to obtain a Business Associate agreement with all third-party vendors who have even limited access to your secure data (PHI).


More Details

For more details about maintaining HIPAA compliance for your mental health practice, check out the complimentary tools available in our HIPAA Resource Center.

Donna Koger is the HIPAA and Security Compliance Director of PIMSY EHR. For more information about electronic solutions for your practice, check out Mental Health Practice Management.

Donna Koger is the HIPAA and Security Compliance Director of PIMSY EHR. For more information about electronic solutions for your practice, check out Mental Health Practice Management.

Author: pehradmin

Kudos from Clients

Seth H.

“PIMSY more than pays for itself by streamlining my office, improving efficiency and reducing billing times. I would recommend PIMSY to anyone looking for a good EMR company that will help you implement its program and help you with any questions you have along the way.”

~ Seth H., Business Owner