Covered entities often use technological devices such as laptops to house electronic protected health information (ePHI). According to the U.S. Department of Health and Human Services, the HIPAA Security Rule requires covered entities not only to have policies governing these systems but also to review and modify those security policies and procedures regularly. Violations may occur if these reviews do not happen or if the policies do not meet HIPAA Security Rule standards. Health care providers must account for a wide variety of risks, such as the loss or theft of a device that houses ePHI and the infection of systems with a virus.
How HIPAA Help Center can assist in properly storing health information
Storing PHI on electronic devices is often a necessary part of running a practice efficiently. However, it can also raise a covered entity’s violation risk, as electronic media can be harder to manage than hard-copy documents. The Risk Assessment module delivers an up-to-the-minute review of a covered entity’s risk rating, allowing practices to adjust their procedures as necessary. For example, running antivirus software, using strong passwords and encrypting data will all lower a covered entity’s risk.
Health care providers can also use the Asset Inventory module to safeguard ePHI. This feature keeps track of all network systems and applications and associates access to them with specific workforce members. Practices can review at any time whether their electronic devices meet HIPAA standards, a capability that is required by law.
Furthermore, a practice needs to maintain ePHI even during events that interrupt normal business operations. The Contingency Plan module walks users through a number of scenarios in which this could occur and explains how practices can address each situation. This feature even allows health care providers to complete practice runs of these plans, something an auditor would appreciate.
Frequently asked questions about storing ePHI:
Can covered entities violate HIPAA even without disclosing unauthorized health information?
Yes. The HIPAA Security Rule requires covered entities to review their security measures regularly. Failing to do so constitutes a violation. Moreover, having inadequate policies to safeguard ePHI may also violate the law, even if a disclosure has not yet happened. For example, a computer at the front desk with ePHI visible to other patients would not sufficiently secure patient information.
Can covered entities use mobile devices?
Yes. Health care providers often employ the practice of “bring your own device,” more commonly known as BYOD. However, covered entities must accompany such strategies with strict security policies, such as requiring the encryption of sensitive data.