Mid-Atlantic Health Law TOPICS
Where Is Your ePHI?
Instinctively, you may think that ePHI, or electronic protected health information, is where it always is, in a computer server somewhere within your office, with sufficient electronic and physical safeguards to prevent disclosures of your patients' medical histories.
In actuality, your health care practice may be storing ePHI on recently acquired portable electronic gadgets that can be found both in the security of your office, but also "exit" your office frequently. Personal digital assistants (PDAs), smart phones and laptop computers often exit offices with their owners. Storage devices like USB flash drives that attach to key chains, and unlabeled CD-ROMS that are stored in briefcases, are also subject to theft and the inadvertent disclosure of ePHI. Email and electronic prescribing also increase the risk of unauthorized disclosures.
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities, including health care providers that bill electronically, to safeguard PHI, and to review and to modify safeguards "as needed."
Many covered entities may have last reviewed their administrative, physical and technical PHI safeguards in 2003, when the HIPAA Security Rule went into effect. However, even if a covered entity believes that it was compliant with the HIPAA Security Rule in 2003, that covered entity should consider conducting a review of its ePHI safeguards in 2007. The rapid spread of electronic technologies, such as PDAs, smart phones, Blackberries, USB flash devices and remote access, almost assuredly means that new safeguards and new employee training should be added.
March 20, 2007