Lately, my inbox is flooded with warnings, reminders, and webinars about cybersecurity. Rightly so: cyberattacks are on the rise, and healthcare remains the #1 target. At MPA, we recently updated our HIPAA Security Risk Analysis, and we carefully documented every source of electronic PHI.
But: Paper still counts.
With so much of our effort focused on cybersecurity and electronic PHI, we can’t lose sight of the risks posed by paper PHI. For example:
- A patient went to the emergency department at a hospital to get her blood pressure checked. While there, her nurse wrote down the blood pressure result on a piece of paper. The patient noticed that the other side of the paper listed another patient’s name, number, address, and positive HIV status.
- A health system “became aware of a break-in to an off-site storage facility where certain limited patient records were housed. Six boxes of paper documents were removed from the facility without authorization.”
In the HIPAA world, paper PHI still counts! Make sure your HIPAA security risk analysis and mitigation plan include paper PHI in addition to electronic PHI.
- Remember: There is no such thing as secure paper PHI. Your goal should be to get to a paperless environment where all PHI is encrypted. Until that goal is a reality, make sure paper PHI is secured and is as burglar-proof as possible.
- If you use an off-site storage facility, ask the facility about their HIPAA security program. Signing a Business Associate Agreement is required – but it does not guarantee that your records are safe. Ask what security protections are in place to protect your records and prevent burglaries.