HIPAA Q&A: PHI in Microsoft products
HIPAA Weekly Advisor, May 10, 2010
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q. How should we manage the tracking/logging of PHI data that may be stored in standard Microsoft products, such as Outlook® calendars or SharePoint® lists? Our electronic medical record application has built-in PHI audit trails/log reports.
Increasingly, our end users create appointments and lists in standard Microsoft applications. If these lists contain PHI, does a method of tracking these data to assist in monitoring breaches exist? Am I overreacting or should I be concerned about PHI and HIPAA security requirements in such applications?
A. You need to be concerned about protecting PHI wherever it exists in your organization.
The level of PHI that Outlook® calendars may include is probably minimal. Employees who meet to discuss something pertaining to a particular patient probably include the patient’s name in the meeting request, but they probably don’t include any additional information.
Other applications, such as Word® or Excel®, may contain greater amounts of PHI, depending on the individual user’s responsibilities. Tracking or logging PHI in these applications would be very difficult, so limiting access to computers or other devices on which this information is stored is the best approach.
All devices containing PHI should be password-protected at a minimum. Encourage PC users to store their files on network drives rather than their local hard drives to protect data and ensure periodic backup.
Editor’s note: Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters. Brandt is president of Brandt & Associates, Inc., a healthcare consulting firm in Bellaire, TX. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations. She is also the former director of policy and research for the American Health Information Management Association.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched