Protected Health Information (PHI) exists in many forms. The HIPAA Privacy Final Rule concerns itself with the permissible and proper use and disclosure of all forms of PHI, including electronic PHI (ePHI). It is important not to lose track of the requirement to safeguard all PHI, not just the electronic kind. Learn more about what you and your company should be doing to protect yourselves and your stakeholders.
Treat Paper Records & Electronic Data Equally
Sensitive information on paper is the same as sensitive information on a computer. Both need to be protected from unauthorized access and should be treated with caution and discretion. In particular, protected health information (PHI) in all forms (e.g., verbal, fax, paper, electronic) is covered by the HIPAA privacy regulations. Electronic PHI (ePHI) is specifically covered by the HIPAA security regulations.
Sometimes, it may be necessary to print out sensitive electronic information on paper and make copies. Do not leave these copies lying around in open areas within your workspace, as this information may be seen or even taken by unauthorized parties. If you would not want someone to read that information on your computer, you probably would not want them to read the same information on paper.
Keep printouts of sensitive information such as medical records in a secure location, such as a locked desk, locked filing cabinet or a safe. Avoid leaving sensitive documents unattended, especially in high traffic areas.
Always shred copies of sensitive information when disposing of them; do not simply toss them in the trash. Cross-cut shredders are very useful for rendering printed sensitive information both unreadable and unusable. Remember to shred any printouts containing information that would be useful to identity thieves, an ever-increasing problem. This includes documents containing any personal, financial or protected health information.
The HHS Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals describes the technologies and methodologies (encryption and destruction, each done in a manner consistent with the NIST publications the guidance cites) that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. PHI protected in this way is “secured” PHI. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable. Under the Breach Notification Interim Final Rule, covered entities (CEs) and business associates (BAs) are required to provide the breach notification only if the breach involved unsecured protected health information. In the words of the guidance:
“While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 of The HITECH Act in the event of a breach.”
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
By Bob Chaput