Secure three common media types under HIPAA
HIM Connection, July 16, 2003
Want to receive articles like this one in your inbox? Subscribe to HIM Connection!
HIPAA requires that you keep files containing protected health information (PHI) away from prying eyes. Consider the following tips for protecting three common media types:
Copies and unused media: Original or retained copies of media must have appropriate access controls, accountability, backup and storage protections. These are necessary not only to provide privacy protection, but also to ensure data integrity and availability. For example, the medical record file area usually has appropriate environmental protections to guard against fire, flood, etc. There are formal procedures for who may remove records, affording accountability.
However, many file rooms have vulnerabilities, including unlocked back doors or other access points. Special holding areas for records to be processed, incomplete records, or records to be viewed may have fewer physical protections than the main file area, making them especially vulnerable.
Shadow records: Shadow records are copies of original medical records (generally retained on paper, but sometimes scanned onto disks or downloaded from primary information systems). Usually, organizations don't officially support this type of record because they are incomplete, or they contain original information that causes the official record to be incomplete. Both scenarios pose a threat to quality patient care.
However, organizations frequently keep shadow records, especially when the organization occupies more than one facility, or in settings with significant volumes of research. Records maintained outside of official custodial responsibility generally do not require as much protection for integrity and availability, but they are equally in need of protection for confidentiality purposes. For example, if shadow records do not have a formal sign-out process, the records could be removed without anyone's knowledge, and without any staff member being held accountable.
Laptop or notebook computers: Laptop or notebook computers and PDAs are not only media, but systems that can process and transmit PHI. Some computers require hardwired connectivity to the organization's network, and others use wireless connectivity. They may be used in an official capacity for data entry, including physician order entry. As such, laptop or notebook computers generally fall under the custodial jurisdiction of the information systems department, and tend to be subject to more security rigor.
However, they may also be personal systems not subject to the organization's general security measures. Many organizations are debating the merits of owned versus non-owned personal devices. Non-owned devices are generally not safeguarded to the same extent as owned devices and are often not backed up in the same manner as owned devices.
This week's HIM Connection was excerpted from the book HIPAA Made Simple: A Guide to Fast-Tracking Compliance, Second Edition.
Go to http://hcmarketplace.com/Prod.cfm?id=1402&s=EHIMC for more information or to order your copy.
Sincerely,
Laura Motta
Editorial Assistant
lmotta@hcpro.com