connected networks

The Risks of Hidden Protected Health Information

Maintaining the privacy of patient information is critical for quality patient care. It’s also central to a strong HIPAA compliance program. To comply with HIPAA, covered entities and business associates must not use or disclose protected health information (PHI) without authorization. But they need to go further, to do everything possible to maintain the security of information that is held or transmitted electronically.

Those who follow a strong HIPAA compliance program are ahead of the game, but the problem is that PHI can be hidden in places you might not expect. Even if you have the right policies, you’ve done a Risk Analysis, follow a Risk Management Plan and have trained the workforce, you might be overlooking places where PHI ends up, hidden and forgotten.

Hidden PHI Can Be Costly

If PHI is hidden, you don’t control it. You won’t know if it’s at risk for theft or loss, or what measures should be taken to keep it secure.

In 2020, the average total cost of a data breach in a healthcare organization is $7.13 million, and the trend is going up – this is a 10.5% increase over 2019, according to the IBM Cost of a Data Breach Report 2020. The cost of data breaches in healthcare is the highest among the 16 industries evaluated in the IBM Report.

In addition to investigations and fines from the Office for Civil Rights, the agency that enforces HIPAA, a growing risk is the threat of lawsuits  from enterprising lawyers helping patients sue healthcare organizations for negligence, or breach of contract when their PHI is breached. It’s not a HIPAA lawsuit per se, since HIPAA does not provide for a private right to sue, but HIPAA rules are often held up as an example of how healthcare organizations should act, and failure to follow the HIPAA basics can be costly when a judge or jury is deciding the case.

HIPAA Checklist Should Include Finding Hidden PHI

While each category below includes more details, the top three items on a HIPAA checklist are:

The Risk Analysis, among other things, should require an inventory of all PHI locations. Obvious locations are easy: office files, office computers, the server, laptops and other electronic devices that an organization owns and issues to staff. Less obvious ones are the office printer, personal devices owned by employees but used for work, business associates’ computers and other electronic devices. And when you locate the PHI, you need to establish measures to secure it.

Common Risks of Hidden PHI

  1. Copy machines/printers with memory storage
  2. Mobile Phones – when a workforce member leaves
  3. Business associates
  4. Affiliates and partners
  5. PHI on a home computer and other personal devices
  6. Medical devices
  7. Disgruntled employees
  8. Is there a strict Bring Your Own Device Policy?
  9. Expert sanitization of hard drives

The compliance manager should review the Risk Analysis, and be sure all the less obvious locations are accounted for.

One of the biggest risk areas is PHI under the control of business associates. Billing and collection companies handle enormous amounts of patient data in order to perform their functions in support of healthcare organizations. The largest healthcare breach of 2019 affected over 25 million people and occurred at American Medical Collections Agency (AMCA), a business associate of Quest, LabCorp and many other companies.

Covered entities that use business associate vendors must perform “due diligence”. Find out whether they follow HIPAA. When did they last perform a Risk Analysis? If you are a covered entity, do you have a Business Associate Agreement in place; if you are a business associate and have subcontractors supporting your work, the same obligations apply – due diligence, and a subcontractor BAA are required.

Electronic devices owned by employees are permissible under HIPAA, but make sure you have a Bring Your Own Device policy. At a minimum, employees must agree to follow all HIPAA policies of the organization, and if they leave, should allow their devices to be scrubbed of PHI before they go. The HIPAA E-Tool® has a BYOD policy, and recommended steps to secure patient data on employee devices.

The HIPAA E-Tool® Has it All

The step-by-step guide to the Risk Analysis module in The HIPAA E-Tool® is the best checklist you’ll find to make sure nothing remains hidden. Guidance from the Security Rule and NIST is included, to complete every task required for a thorough security risk assessment and a robust Risk Management Plan. It’s the most complete solution.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Use | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Powered by JEMSU