Washington Health System (Greene) notified 4,145 patients that their PHI is at risk after a hard drive disappeared. The drive was used with a bone densitometry machine. The health system does not know whether the device was stolen – or simply misplaced. Patients were notified.
Many providers fear burglars and hackers – but overlook the HIPAA security risks of misplacing unsecured PHI. What about you? Do you track portable devices? Do you know, with confidence, where your portable devices are at this moment? Where they will be after hours? Whether they are encrypted? Locked up – or in an area with restricted access? If a device went missing, what steps would be taken to locate it?
Lost in the shuffle?
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois LLC cannot find payment records kept in a storage facility. File boxes could not be located during a standard records request. Neither the providers nor the storage facility knows whether the 40 missing boxes were stolen or lost. Patients were notified.
When it comes to paper files, ignorance is not bliss – at least not when a box goes missing. If you use a storage vendor, what steps do you take to verify that your records are accounted for? When selecting a records storage vendor, what can you ask to evaluate the risk of loss? How about (as a starting point):
- Will you sign a business associate agreement?
- What access restrictions are in place?
- Do you use security cameras?
- How do you protect against theft?
- What is your organization and inventory system? (In other words, how do you know that all records are accounted for and can be easily tracked and located?)
- Have you conducted a HIPAA security risk analysis?
- How do you mitigate security risks?
And of course, don't forget to screen the vendor – conduct reference checks, check for federal and state healthcare program exclusion, etc.