HIPAA Privacy Rule Guidelines for Sharing or Disclosing an Individual’s Personal Health Information (PHI) – Part 2

Continuing along the lines of last month’s newsletter article regarding HIPAA privacy rule guidelines, this article will address the use of personal computers, laptops and other electronic devices.

The convenience and portability of laptops, mobile devices and external data storage devices are the very things that make them vulnerable to HIPAA breaches if they have private health information on them. They can be lost, stolen or hacked.

It is our facility’s policy that no private health information (PHI) in the form of electronic files may be stored on the hard drive of any personal computer, laptop, cell phone, or any other type of device that has the capability of storing data, e.g., CDs, DVDs, and USB flash drives. Electronic files containing private health information should only be stored on network drives accessible by an ID and a password.

As a reminder, here is a list of what constitutes private health information in relation to an individual, their relatives, employers, or household members:

  • Name
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, zip code, and equivalent geocodes)
  • All elements of dates (except year) including birth date, admission and discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age
  • Telephone numbers
  • Fax numbers
  • Electronic mail address
  • Social security number
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate / License numbers
  • Vehicle identifiers and serial numbers including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locator (URLs)
  • Internet protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code, except as allowed under the re-identification specifications

Along with observing our policy of not storing PHI on portable devices, here are eight common HIPAA violations to avoid and guard against:

  • Employee Dishonesty – It is natural to trust coworkers, but employee dishonesty can violate HIPAA policy, e.g., accessing a patient’s file when not involved in the treatment process.
  • Gossip – Casual chatting about patients with anyone who is not specifically allowed access to those records is a HIPAA violation.
  • Hacking – There are people who seek to steal protected health information for nefarious purposes. Use appropriate measures to protect networked systems.
  • Improper Disposal – Periodically wipe the hard drive of devices like photocopiers and cross-shred documents.
  • Lack of Training – Be sure that every employee is kept up-to-date on HIPAA policies, and document that they have been trained in case of an OCR audit.
  • Lost or Stolen Devices – The best policy is to encrypt devices to protect them in case they get lost or stolen.
  • Third Party Disclosure – Make sure that any third party coming in contact with patient information is HIPAA compliant.
  • Unsecured Records – Make sure that all electronic and paper documents or other files containing PHI are kept in a secure area.

Any questions about our facility’s policies and procedures regarding the use of portable devices should be directed to the Compliance Officer or the Administrator. And remember, it is every employee’s responsibility to report concerns to their supervisor, department manager, Compliance Officer, or Administrator, or to the hotline if those options do not meet their needs.