Breaking Compliance News Blog

Dumpster diving: Why you need a HIPAA PHI inventory

Posted by Margaret Scavotto, JD, CHC on 7/29/21 9:30 AM

Patient specimens thrown out with the trash

Recently, a dermatology provider discovered that it was inappropriately discarding empty specimen bottles (which list patient name, DOB, specimen date, provider, and part of the body where the specimen was taken). How were the specimen bottles disposed of? In the trash – for ten years.

When the organization realized this practice was improper, it self-reported the potential HIPAA breach to the OCR, and revisited its practices.

Hospital employee puts patient meal tickets in the garbage

For more than four months, a hospital employee put patient meal tray tickets in the trash – rather than shredding them. As a result, more than 1,000 patients’ personal information was potentially breached. The meal tickets listed patient names, day and month of birth, hospital unit and bed number, and diet and menu information. 

Are you overlooking PHI?

Protected health information (PHI) exists beyond the medical record. It includes patient names written on a rounding whiteboard. It includes data surrounding your medical devices. It includes specimen bottles with labels containing patient information. And yes, it can include meal tickets.

How can we know if our HIPAA compliance program addresses ALL of our PHI?

Create a PHI inventory.

This process fits naturally with your HIPAA Security Risk Analysis. A PHI inventory is simply a list of every kind of PHI in your organization: electronic and paper, stored, transmitted, received, and created. The PHI inventory will include obvious sources like the EHR, computers, networks, and flash drives. The PHI inventory should include less obvious sources, too, like PHI handled by a business associate – and meal tickets.

When it comes to the PHI inventory, more heads are better than one. You might think of something I missed. Get your Compliance Committee together for a brainstorming session. Every time the Committee meets, ask again: do we have any new sources of PHI? Are we sharing or using PHI in a new way?

Like the HIPAA Security Risk Analysis, the PHI inventory should be updated regularly (and whenever you add a new form of PHI!). Likewise, HIPAA training should extend beyond clinical staff so that all employees can identify PHI and it is not overlooked.

MPA can help you create a HIPAA PHI inventory, and complete a HIPAA Security Risk Analysis.
