Ann & Natalie's Compliance Corner

Welcome back to Ann & Natalie's Compliance Corner! This month, we report on the recently published Department of Health and Human Services (DHHS) guidance on accessing Electronic Protected Health Information (ePHI). Missed last month's announcement of the DHHS program that will provide monetary incentives for states to support innovative systems to get more value out of Medicaid dollars? Click here.

Recently, we have heard several news stories about security violations related to Electronic Protected Health Information (ePHI). The incidents involved the loss or improper use of laptops and other portable devices that contain (or are used to access) ePHI.

In response, DHHS has issued guidance on protecting PHI when it is accessed or used outside the organization. This guidance applies to you if you check patient records, test results, or any other protected information while away from the hospital or clinic (or wherever the information is stored), and to your organization if it hosts patient information that can be accessed from other locations.

How can you protect PHI when it is accessed or used outside the organization?

First, use extreme caution in allowing remote use of PHI. DHHS concedes that there are situations that warrant offsite access. If this is the case, and your organization is responsible for protecting ePHI, be diligent in ensuring that policies, procedures, and workforce training effectively shield sensitive information in accordance with the requirements of HIPAA.

Here are several areas that should be addressed by all covered entities' security policies:

  • Access. Organizations should designate which users are authorized to access data. Like onsite access, remote access to PHI should be granted to authorized users based on their role in the organization and their need for access.
  • Storage. Storage policies and procedures should address security requirements for any devices containing PHI that are used outside the organization's physical control.
  • Transmission. Transmission policies and procedures should deal with maintaining the integrity of PHI sent over networks.

In addition, make sure training addresses the risk areas specific to the covered entity's needs and provides clear instructions for storing, transmitting, and accessing PHI. Covered entities should ensure that employees are aware of policies that prohibit leaving devices unattended in cars, transmitting PHI over open networks, and downloading PHI to public computers.

If you access ePHI and you do not receive training or information on how to protect the data, warn the organization hosting the information that it may not be appropriately protected. Direct the organization to the DHHS guidance, and consider any vulnerabilities that may be specific to the covered entity when developing steps to protect sensitive information.

What happens if you suspect or confirm a security breach? DHHS encourages organizations to implement "incident procedures" that specify the actions to be taken to minimize loss. Procedures may include:

  • Securing and preserving evidence
  • Managing the effects of improper use or disclosure
  • Notification to affected parties

Of course, the guidance advises all covered entities to implement these strategies to minimize the risk of loss or unauthorized use and disclosure of sensitive information, but stresses that entities must also evaluate their own unique needs in developing a risk management strategy.

For more information on the guidance document from CMS, click here.

Disclaimer: The content of Compliance Corner is for general informational purposes only and should not be interpreted as compliance guidance or advice. Consult your compliance advisor or attorney for compliance or legal advice on specific issues related to your practice or compliance program.


Ann Chaglassian and Natalie Herron

Interested in joining the athenahealth family?

Please email salesdev@athenahealth.com to learn more about how athenahealth can help you gain more control over your practice, improve your financial results, and connect you to a huge physician network that is athenaNet.