Jeannine LeCompte, Publishing and Research Coordinator
All healthcare providers are legally obligated to have a secure system in place to safeguard protected health information (PHI) as part of the organization’s compliance and ethics program. An overall policy should be developed which fits the structure and operation of a particular organization, and there is no real “one-size fits all” template which can be applied.
Nonetheless, there are some basic practical steps which should be common to all organizations. These can include, but are not limited to, the following:
- When PHI is discussed verbally, all reasonable steps should be taken to ensure that discussions occur in a place where unauthorized persons do not overhear such conversations.
- All physical PHI documents must be stored in conditions which make it impossible for unauthorized individuals to gain access to them.
- Computer access to digitally-held PHI must be limited only to need-to-see staff who are equipped with unique logins and secure passwords.
- Computer passwords should be changed regularly, and all staff must be under an obligation to completely log off at their workstations at the end of their workday.
- All staff with computer access at any level must receive full training regarding phishing and hacking tactics, particularly with regard to spoofing emails and unexpected email attachments.
- Computers must be physically located where unauthorized persons will not be able to easily view data which appears on the screen.
- Printers, copiers, and fax machines must similarly be located in areas not easily accessible to unauthorized persons. All PHI documents printed out must be immediately removed from the printer, copier, or fax machine and placed in an appropriate and secure location.
- All physical PHI documentation no longer needed must be immediately destroyed by shredding.
- Any IT equipment being replaced or otherwise disposed of, must be thoroughly checked by qualified experts to ensure that no PHI is easily accessible on hard drives or other data storage devices.
Finally, it must be made clear to all employees that any breach of rules such as those outlined above, will result in severe penalties.
