Organizations are, quite rightly, concerned about the safety of the Electronic Protected Health Information (ePHI) of their clients and employees. Despite best efforts to secure this information, recent surveys have highlighted multiple cases in which organizations have violated HIPAA compliance mandates. In addition to attracting penalties, these violations can be damaging to reputation and expose the potentially sensitive, private information of users.
It is therefore important, for a number of reasons, to ensure you prevent ePHI leaks that could lead to HIPAA violations. This post highlights key questions many organizations have about ePHI and attempts to answer them in a way that would be compliant with HIPAA.
Do you have the patient’s authorization?
They are paying me; why do I need their authorization?
Under the HIPAA Privacy Rule a covered entity may use and disclose PHI for treatment, payment and health care operations without asking the patient; most other uses and disclosures (marketing, research, release to an employer or another third party) require a written authorization. A valid authorization is signed and dated by the patient (or their personal representative) and states which information is to be released, to whom, for what purpose, and when it expires, either as a date or as an event.
Keep the signed HIPAA forms on file, honor written revocations, and check the expiry before each release: disclosing after the authorization has lapsed is a violation, however legitimate the original request was.
How do you release the information?
I just send an email or print a document.
Release the information to the patient directly, or to the recipients named in the authorization form, and to nobody else unless the Privacy Rule independently permits the disclosure (for treatment, for example, or where the law requires it). Verify the identity of the requester before sending anything; a record emailed or mailed to the wrong party is a disclosure all the same. For a minor, the parent or guardian normally acts as the personal representative and signs the authorization, although state law carves out exceptions for certain types of care.
Before releasing a record, confirm that it is the right patient’s record and that it is complete and accurate; patients also have the right to request that inaccurate entries be amended.
Is it ePHI?
I am not running a hospital, so I do not have ePHI that is bound by HIPAA.
ePHI is individually identifiable health information (anything about a person’s physical or mental health, the care they received, or payment for that care) that a covered entity or business associate creates, receives, stores or transmits electronically, combined with identifiers such as name, date of birth, address or Social Security number. Those identifiers rarely live only in the clinical system: the same names, dates of birth and employee numbers are typically stored as attributes of the accounts in your directory service, such as Active Directory, and any system that links such identifiers to health data is in scope.
Is it encrypted?
I am sure the information is encrypted.
Store and transmit ePHI only through encrypted media and channels: encryption at rest for databases, file shares, laptops and backups, and TLS for anything in transit. The Security Rule lists encryption as an addressable specification, but ePHI encrypted in line with current NIST guidance counts as secured, so its loss is not a reportable breach, while unencrypted ePHI on a lost laptop is. Keep the decryption keys separate from the data they protect, ideally in a key management service or HSM, and release them only to accounts an administrator has explicitly authorized; a key stored alongside the ciphertext leaves the data effectively in the clear.
What about user access?
User accesses are fine, so we do not need auditing.
Access should be granted on a need-to-know basis, which the Privacy Rule calls the “minimum necessary” standard: each workforce member sees only the records, and the fields within them, that their role requires, and everyone else is denied. Log every access attempt, successful or not, with who, what, when and from where; review the logs regularly rather than only after an incident; and treat any unauthorized access, including an employee browsing a colleague’s record, as a security incident with a documented response.
How do you dispose of data?
Do I just delete the old data if I do not need it anymore?
Simply deleting the files is not disposal: deleted data is routinely recoverable from disk, and copies live on in backups, snapshots and retired hardware. Work out first what you are obliged to keep (HIPAA requires its own policies and documentation to be retained for six years, and state law sets retention periods for medical records), move that into encrypted, access-controlled archive storage, and remove it from production systems. When the retention period ends, sanitize the media so that the data cannot be recovered: wipe drives with a method meeting NIST SP 800-88, destroy the encryption keys of encrypted volumes (crypto-erase), or physically destroy the media; and record what was disposed of, when and how.
What are your data backup plans?
Why should we back up? We haven’t needed to yet.
Backups are not optional: the Security Rule requires a data backup plan as part of contingency planning, and ransomware has made it the control that decides whether an incident is a nuisance or a catastrophe. Back up on a schedule, keep at least one copy offline or otherwise out of reach of the accounts that administer production, and encrypt the backups with keys that are not stored on the same media. Backups are ePHI too, so access to them must be restricted and audited exactly like access to the live data, and restores should be tested regularly; a backup that has never been restored is an assumption, not a plan.
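The encryption, access-auditing, disposal and backup points above come together in one small worked example. The code below is added here for illustration and is not part of the original post or of any vendor’s product: a store that keeps each record under its own key, hands the key only to explicitly granted users, logs every attempt, and disposes of a record by destroying its key so that backup copies taken earlier become unrecoverable (crypto-erase). Because the Python standard library has no AEAD cipher, it uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag as a stand-in for AES-GCM; a deployment would use a vetted library for the cipher and a KMS or HSM for the keys. The record identifier, user names and sample record are constructed, not real data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one 32-byte record key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(enc_key, nonce || counter) blocks (AES-GCM stand-in)."""
    blocks = [hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class EphiStore:
    """Ciphertext, per-record keys, grants and the audit trail are held apart;
    in a deployment the keys would sit in a KMS/HSM, not beside the data."""
    data: dict = field(default_factory=dict)    # record_id -> ciphertext blob
    keys: dict = field(default_factory=dict)    # record_id -> record key (KMS stand-in)
    grants: dict = field(default_factory=dict)  # record_id -> set of authorised users
    audit: list = field(default_factory=list)   # (user, record_id, action, outcome)

    def _log(self, user, record_id, action, outcome):
        self.audit.append((user, record_id, action, outcome))

    def _check(self, user, record_id, action):
        """Minimum necessary: only explicitly granted users pass; every attempt is logged."""
        if user not in self.grants.get(record_id, set()):
            self._log(user, record_id, action, "denied")
            raise PermissionError(f"{user} is not authorised to {action} {record_id}")

    def put(self, record_id, plaintext, owner):
        key = secrets.token_bytes(32)             # one key per record
        self.keys[record_id] = key
        self.data[record_id] = encrypt(key, plaintext)
        self.grants[record_id] = {owner}
        self._log(owner, record_id, "create", "ok")

    def grant(self, record_id, user, granted_by):
        self._check(granted_by, record_id, "grant")
        self.grants[record_id].add(user)
        self._log(granted_by, record_id, "grant:" + user, "ok")

    def read(self, record_id, user):
        self._check(user, record_id, "read")
        key = self.keys.get(record_id)
        if key is None:
            self._log(user, record_id, "read", "disposed")
            raise LookupError(f"{record_id} has been disposed of; its key is destroyed")
        self._log(user, record_id, "read", "ok")
        return decrypt(key, self.data[record_id])

    def dispose(self, record_id, user):
        """Crypto-erase: destroy the key first, so every copy of the ciphertext
        (backups included) becomes unrecoverable, then drop the primary copy."""
        self._check(user, record_id, "dispose")
        self.keys.pop(record_id, None)
        self.data.pop(record_id, None)
        self._log(user, record_id, "dispose", "ok")


def unauthorised_attempts(audit):
    """The events an incident process should pick up from the audit trail."""
    return [e for e in audit if e[3] == "denied"]


def demo():
    """Walk-through on a constructed sample record (not real patient data)."""
    store = EphiStore()
    store.put("pt-1001", b"name=Jane Doe;dob=1980-04-02;dx=E11.9", owner="dr_smith")
    store.grant("pt-1001", "nurse_lee", granted_by="dr_smith")
    first = store.read("pt-1001", "nurse_lee")
    try:
        store.read("pt-1001", "billing_temp")   # never granted access
        denied = False
    except PermissionError:
        denied = True
    backup = dict(store.data)                    # encrypted backup taken before disposal
    store.dispose("pt-1001", "dr_smith")
    try:
        store.read("pt-1001", "dr_smith")
        readable_after = True
    except LookupError:
        readable_after = False
    return {"first": first, "denied": denied, "readable_after": readable_after,
            "backup": backup, "audit": store.audit}


if __name__ == "__main__":
    for event in demo()["audit"]:
        print(event)
```

Running the file prints the audit trail; the denied read by billing_temp is what unauthorised_attempts() returns and what a review process should act on. The order in dispose() matters: a copy of the ciphertext may already exist in a backup, and destroying the key is what makes that copy harmless, which is exactly why backup keys must never be stored on the backup media themselves.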
Whether or not your organization specializes in health services, the information you hold about employees and clients can include their health information. If you are a covered entity (a provider, a clearinghouse, or a health plan, which includes an employer-sponsored group health plan) or a business associate that handles ePHI on a covered entity’s behalf, HIPAA applies to that data. Avoiding the mistakes listed in this article will not make you compliant on its own, but each of them is a gap that auditors and attackers find first, and closing them is where compliance starts.