Protected Health Information (PHI) exists in many forms.  The HIPAA Privacy Final Rule concerns itself with permissable and proper use and disclosure of all forms of PHI, including electronic PHI (ePHI).  It’s important to not lose track of the requirements to safeguard all PHI.  Learn more about what you and your company should  be doing…to protect yourself and your stakeholders…

Treat Paper Records & Electronic Data Equally

Sensitive information on paper is the same as sensitive information on a computer. Both need to be protected from unauthorized access and should be treated with caution and discretion. In particular, protected health information (PHI) in all forms (e.g., verbal, fax, paper, electronic) is covered by the HIPAA privacy regulations.  Electronic PHI (ePHI) is specifically covered by the HIPAA security regulations.

Sometimes, it may be necessary to print out sensitive electronic information on paper and make copies. Do not leave these copies lying around in open areas within your workspace, as this information may be seen or even taken by unauthorized parties. If you would not want someone to read that information on your computer, you probably would not want them to read the same information on paper.

Keep printouts of sensitive information such as medical records in a secure location, such as a locked desk, locked filing cabinet or a safe. Avoid leaving sensitive documents unattended, especially in high traffic areas.

Always shred copies of sensitive information when disposing – do not simply toss them in the trash. Cross-cut shredders are very useful in making printed sensitive information both unreadable and unusable. Remember to shred any printouts containing any information that would be useful to identity thieves, an ever-increasing problem. This includes documents containing any personal, financial or protected health information.

In Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,  there is a description of the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals.   This creates “secured” PHI.  Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable.  Under the Breach Notification Interim Final Rule, CEs and BAs must only provide the required notification if the breach involved unsecured protected health information.

While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 of The HITECH Act in the event of a breach.”

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.

Join our AboutHIPAA LinkedIn Group:
Follow us on Twitter
Subscribe to our eNewsletter
Attend a live educational webinar.

Series Navigation<< HIPAA Privacy and Security Reminders – Avoid Medical Identity TheftHIPAA Privacy and Security Reminders – Protection Against Identity Theft >>

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.