Do You Know Where Your PHI Data is Hiding?
by Donna Koger, 2.11.18
Thumb and Flash Drives
Users often forget about PHI they have copied onto an unencrypted thumb or flash drive. If such a drive is lost or stolen, it poses a serious threat to your company’s security and HIPAA compliance. Even when the intent was innocent, there is no protection for your clients, providers or company: PHI on an unencrypted drive that goes missing is a reportable breach, whereas properly encrypted removable media is not treated as unsecured PHI under HHS guidance. Either prohibit removable media for PHI or require encrypted drives.
Text Messages
They may be fast and convenient, but users often transmit PHI this unsecured way. Be sure all of your staff understand the danger of relaying private information in text messages. Texting unsecured ePHI is a HIPAA violation and can expose your data to hackers. If audited, your company can be fined up to $50,000 for each insecure text containing ePHI. Also, be sure your staff are not using their devices for PHI in public places over unsecured Wi-Fi connections.
Email
Your company should use a secure email service, such as Email Pros or others, that encrypts email containing PHI both in transit and at rest. The safest way to protect PHI sent by email is to provide all staff with secure company email accounts and to prohibit the use of personal accounts for anything that contains PHI.
Hard Drives on Office Equipment
When your staff scan, copy or fax documents containing PHI, images of those documents are often retained on the internal hard drives of multifunction printers, copiers and fax machines. This is a real danger to your company’s security when people are not aware of that storage: before any such device is returned at the end of a lease, sold or discarded, its drive must be securely wiped or destroyed, and that step should be written into your vendor contracts.
Voice Files and Recordings
Do your providers use dictation software such as Dragon for their notes or other PHI? Do clients, staff or providers leave messages on voicemail? Your providers may even keep tapes or other recordings containing PHI in their home or office. These recordings are PHI and must be protected, retained and disposed of just like PHI stored on any computer or other storage device.
Previous EMR Systems
What happens to your PHI once you have completed your migration to a new EMR system? If your company retains copies of old records on a legacy system, the PHI on those backup computers must have the same safeguards in place as the new EMR system: access controls, encryption, patching and backups. A legacy system that is no longer maintained should instead be decommissioned, with its data either migrated or securely destroyed.
Medical Device Hard Drives
Speaking of hard drives, what about the CT scanner, MRI machine, dental X-ray device and other medical equipment in your office? The images and patient data stored on these machines are PHI and must be protected, for example by encrypting the device storage or by moving the data to a secure storage location, and the drives must be wiped or destroyed when the equipment is serviced, returned or retired. Consult with your IT person or team for details on how to ensure this storage is properly handled by your company.
PHI and Third-Party Providers
It is likely that your company works with third-party vendors, such as an answering service. Any vendor that creates, receives, maintains or transmits PHI on your behalf is a Business Associate under HIPAA and must demonstrate its understanding and implementation of HIPAA compliance, because your PHI could be found in their possession and not protected.
Fax
Your company may be sending and receiving PHI via fax, which can lead to unintended and unauthorized disclosure of PHI, such as a misdialed number or a document left on the machine’s output tray. Some fax services, such as eFax, provide a secure method for sending and receiving documents, and there are many reasons for using a secure fax service. Bottom line, any healthcare organization should move from “on-premises [physical] fax equipment to a hosted, cloud fax model.” And, as always, you should have a Business Associate Agreement in place with every third-party vendor that has even limited access to your PHI.
For more details about maintaining HIPAA compliance for your mental health practice, check out the complimentary tools available in our HIPAA Resource Center.