
Know where patient information goes: Map the flow of your PHI

HIM-HIPAA Insider, August 13, 2012


If you don't know where all of your PHI is, how can you ensure that you protect it?

Linda Sanches, OCR senior advisor and health information privacy lead for the audit program, suggests mapping the flow of PHI movement internally and externally, to and from third parties. It was one of the strategies she recommended during a recent presentation focusing on the HIPAA compliance audits.

With audits under way, healthcare organizations want to know what they must do to become compliant, says Sanches. "[Mapping PHI] is another way of asking, 'What are your uses and disclosures?'" Sanches says. "How do you use PHI? Is it consistent with your minimum necessary policy? Is it consistent with the safeguards you have in place?"

Sanches also recommends that organizations find all of their PHI. If organizations wrote their policies and procedures 10 years ago and have since implemented new technology, they must address those changes, she says.

Time to revisit an old idea

These are valuable recommendations, says Phyllis A. Patrick, MBA, FACHE, CHC, founder of Phyllis A. Patrick & Associates, LLC, in Purchase, N.Y. "Mapping of PHI was something that we talked about a lot when the HIPAA rules first came out, but the idea has lost some steam in the intervening years," Patrick says. "It is still a critical step to understanding where an organization's PHI resides and consequently possible risks associated with these areas." In practice, people often forget to map PHI, or organizations fail to maintain an inventory of where their PHI resides, she says. "This goes back to the basics," Patrick says. An effective risk assessment includes identifying the processes and locations where you store, receive, maintain, and transmit PHI.

Many organizations first inventoried their uses and disclosures of PHI as part of HIPAA Privacy Rule compliance, even though the Privacy Rule did not directly require it. Later, the HIPAA Security Rule required organizations to complete a risk analysis identifying potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI they create, receive, maintain, or transmit.

Read more in the August issue of Briefings on HIPAA.
