When embarking on a HIPAA Risk Analysis (HRA), per “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”, the first step to be taken is to define the scope of the analysis by identifying all of the systems within your organization that create, receive, maintain, or transmit electronic protected healthcare information (ePHI). While many of these systems, such as Electronic Health Record applications, email programs, network file shares, and picture archiving and communication systems (PACS), are easy to identify, some others are not so obvious.
Here are 5 systems which are, in our experience, frequently overlooked, even though they may be creating, receiving, maintaining, or transmitting ePHI:
1. Closed-Circuit Television (CCTV) Systems – If you are a provider and you use a CCTV system to record patients entering your office, then the device storing that video is, in fact, storing ePHI, and needs to be included in your HRA. An image or photograph of a person is considered “personally identifiable information”, and when combined with the fact that they are entering an office providing healthcare services, constitutes protected healthcare information, and when stored digitally, constitutes ePHI. However, if your CCTV system is merely used to monitor who is at your office door, and the video is not being recorded, then it need not be included.
2. Voicemail Systems – If you are using a voicemail system on which either other healthcare providers (including pharmacies and labs) or health plans may leave messages regarding patients, then your voicemail system contains ePHI. However, if the voicemail system is merely used to record patient phone calls requesting to reschedule an appointment or asking for a drug to be refilled, the voicemail system need not be included, as these requests are not protected healthcare information.
3. Multi-function Printers, Scanners, and Copiers – Large-capacity printers, scanners, and copiers often contain hard drives or non-volatile random access memory (NVRAM) that may be used to cache documents that are printed, scanned, or copied on them. This is especially true when they allow documents to be emailed or faxed from the device. If they are used to print, scan, or copy patient records, and if they have the capacity to store those records, even for a short while, then they should be included in your HRA.
4. Secure Email Appliances or Servers – If you are using a secure email appliance or server to either automatically or manually encrypt outbound email containing ePHI, either in the email or in an attachment, then it is likely that this device or server is temporarily storing the “secure” email until it can be picked up by the recipient, and as such, should be included in your HRA. This would not apply to systems that only use opportunistic Transport Layer Security (TLS) for encryption, but rather to systems that require the use of a secure web connection (i.e. HTTPS) to enable the user to view their “secure” email in their browser.
5. Overdue Bill Collection Services – After a certain number of attempts have been made to collect on a patient account, most providers will forward the overdue accounts to a collection agency for further action. The information they forward to these agencies will most certainly contain ePHI, so providers should always obtain a Business Associate Agreement with them. As a service to their clients, many of these collection services provide a Software-as-a-Service (i.e. Internet-based) application that allows clients to view the agency's progress. Since these web-based programs will contain the same ePHI that was sent to the collection agencies to begin with, they need to be properly safeguarded, and so should be included in your HRA as well.
While not specifically systems that “create, receive, maintain, or transmit” ePHI, we strongly advise our clients to also include their network directory management system (e.g. Microsoft Active Directory, Novell eDirectory, LDAP, etc.) in their HRA, as this system serves as a gateway to virtually all of the other ePHI systems in use in most organizations.
If any of this seems confusing, or if the whole process of conducting a HIPAA Risk Analysis seems daunting, feel free to reach out to us for help, or sign up for one of our many online webinars on How to Conduct a Bona Fide Risk Analysis.
See 45 CFR § 164.515(b)(2)(i)(Q)
See 45 CFR § 164.308(b)(1) – Business associate contracts and other arrangements; and 45 CFR § 164.314 – Organizational requirements.