The Key to Safeguarding Electronic Protected Health Information (ePHI) is Knowing Exactly Where It Is
The expanding use of Electronic Health Record (EHR) systems and the dangers that accompany the electronic transporting and remote access to ePHI is growing and ever present. Consequently, this makes it very important that anyone in an organization accessing ePHI be made acutely aware and periodically reminded about the serious HIPAA compliance requirements regarding breaches, and the growing computer hacking security risks that may accompany the transporting and accessing of private healthcare information. Also, it puts the onus on an organization’s management and professional IT staff to put protective measures in place to prevent breaches.
A recent breach at the University of Massachusetts Amherst that resulted in the university having to pay the U.S. Department of Health and Human Services (HHS) $650,000 provides a good backdrop for healthcare organizations to step back and look at their own situation with regard to remote access. It seems that the private health information of 1,670 persons was found on an unprotected workstation that was infected by a “Trojan Horse” virus called “Generic.” This virus allowed computer hackers remote access to the clinic’s ePHI files. The question to consider here is this – How did the ePHI files get on an unprotected computer in a large, HIPAA knowledgeable, competently operated, healthcare facility? The answer is found in remote access.
Even though a facility encrypts the ePHI of its residents and uses a state of the art, firewall protected database on its mainline computer system to store them in, it does not mean that is the only place where ePHI can be found. This age of Electronic Health Record Systems (EHR) and remote access allows physicians, staff, and even patients/residents themselves to access ePHI, from their personal computers and a variety of other mobile devices. This opens the door to a myriad of places where ePHI can be stored. For example, when someone accesses an attachment to an email from a remote access device, a copy of that file is downloaded and stored. The file may be opened, edited and closed, but the ePHI remains in the device’s download folder. Also, newer email systems allow attachments to be viewed by passing the downloading step, but a copy of whatever is viewed remains on the mail server. It is somewhat exponential how many places ePHI can be found. Just placing a few files onto a thumb drive or on a “cloud” account creates more copies and creates more potential exposure.
The security of any remotely accessed ePHI information is only as good as the security on the device (PC, laptop, mobile phone, i-Pad/tablet, or ISP’s email server) where it gets stored. So, healthcare facilities need some control over how the PHI in their care are accessed. One way this can be done is through a controlled download site that allows staff to e-mail a link outside the system. This allows that user to download the record through a secure server controlled by the organization, and is safer than sending the record as an e-mail attachment, even when the e-mail is protected.
Data mapping is a way to identify where ePHI resides and how it flows internally and externally to individuals and third parties. It can also point out the important aspects needed to develop and implement an effective compliance strategy to manage the risk that is associated with ePHI breaches and data leakage. It bears consideration whether protected health information (PHI) data mapping techniques should be an essential component in protecting not only the ePHI in an organization’s database, but to also guard against the costs that can come from HIPAA breaches. Employers and employees alike must make protection of PHI a primary focus in all they do.
