BEFORE ELECTRONIC HEALTH records (EHRs) and digital technologies, patient information was stored on mainframe computers located in secure rooms or recorded on paper charts and kept in file folders. Shared access was limited. The monetary value of personal information was low, and so the risk of breach was low.
The technology storm of the past three decades has made access to electronic protected health information (ePHI) easier, which benefits patient care in an increasingly fragmented delivery system but is bad for information security. Protected health information (PHI) can be found in virtually every corner of a healthcare system, concealed in unlikely places. With each new technology, acquisition, or merger come new vulnerabilities that may remain unseen until the right assessments are performed to uncover them.
I recently sat down with a panel of information and privacy experts from three healthcare organizations to understand their unique experiences with hidden PHI and how they’ve worked to mitigate the associated risks.
Reiher: In your experience, what are some areas where PHI can be hidden?
Rich Temple, vice president, chief information officer, and HIPAA security officer at Deborah Heart and Lung Center in Browns Mills, NJ, focused on cardiac, pulmonary, and vascular care: There are many subtle places that can contain ePHI in a healthcare organization. Without proper monitoring, this poses a serious risk that could cause a breach with devastating consequences. For example, consider mobile phones still in use after a provider has left the organization. Though the provider has been disconnected from the hospital network, there may be circumstances where data that was downloaded up until the time of the disconnection could still be accessible. Even with the mandate that all emails containing PHI must be encrypted, there is still potential exposure here for PHI or, at the very least, sensitive business information being accessible on the device.
I also recommend paying close attention to a hospital’s business associates (BAs). Though all BAs are required to sign a HIPAA business associate agreement (BAA), it is often very challenging for a hospital to ensure the BA maintains the highest security possible for its data. There have been many documented cases¹ of BAs inadvertently publishing PHI. Often, it is just a simple misconfiguration on the part of the BA, but the hospital is ultimately liable for the mistakes of its BAs.
Yet another area that needs to be monitored is PHI downloaded by individuals or physicians via remote connection to the hospital’s system from a home computer. Strict policies should be employed to ensure this cannot happen. Once PHI is on a personal home computer, it is highly probable that strong security safeguards, including encryption, are not present to protect that sensitive PHI from unauthorized access.
Sarah Hodson Grady, CPHI, HCISPP, RYT-200, conversion project manager/HIPAA security at Logansport Memorial Hospital, a not-for-profit medical center serving north central Indiana: Some EHR systems use Microsoft products that allow physicians to compose letters to, or on behalf of, patients. Though the EHR may launch, store, and save the file appropriately, this does not prevent a provider from storing that file elsewhere, such as on a local device. No EHR demo would reveal this behavior, but it does happen, and it’s a great example of hidden PHI. Physician devices need to be audited frequently to discover such issues.
Medical devices are another place where patient identifiers could be readily available. It is important to ensure that patient identifiers are removed from the device. I recommend a standard process to promptly transfer the information from the record to the patient’s chart and remove it from the device. This eliminates the possibility of filing a breach on anyone who might have been on that machine.
Jamie Pesci, director of health information management (HIM) and privacy officer for Christian Health Care Center, a nonprofit healthcare organization offering senior living, short-

[Photo caption] From left to right: Ken Reiher, MBA; Rich Temple; Jamie Pesci (Not pictured: Sarah Hodson Grady, CPHI, HCISPP, RYT-200)