term rehabilitation, and mental health services: ePHI can lurk
in a variety of places, including hard drives and mobile devices of
employees who work from home, and with business associates or
their downstream third-party vendors. Pay attention as well to disgruntled employees who could be a source of breach if they have
access to ePHI and a motive to share it inappropriately.
Reiher: Describe the potential risks—financial, operational, and reputational—of not uncovering these types of PHI.
Temple: In 2018, the Ponemon Institute reported [2] that the average cost of a data breach in a healthcare organization is $408
per record, with an aggregate total estimate of breach costs at
$3.6 million. So there is a devastating out-of-pocket expense for
a healthcare institution in the form of fines, credit monitoring,
and other expenses. That doesn’t even include the loss of goodwill and trust in the community where the hospital operates.
The reputational loss is incalculable in dollars and cents. Trust,
once lost, is very hard to regain.
Grady: Failure to turn over every rock is like agreeing to babysit without knowing how many kids are in the house. A large
breach could mean a loss of independence or autonomy, even
if it does not take a healthcare organization completely under.
In a recent case, Hancock Health in Indiana [3] managed to protect its branding following a ransomware attack by hackers who
accessed the hospital’s data via a third-party vendor’s remote
connection. Hancock paid the $47,000 ransom and was able to
retrieve patient data. The situation was not enviable, but the approach is definitely worth considering.
Pesci: The risk is huge to our reputation as a valued healthcare provider, jeopardizing our commitment to those entrusted
to our care, the community, and our mission.
Reiher: What role does HIM play in data privacy at your
organization? Are they part of a broader governance and advisory group?
Temple: In our organization, HIM plays a leading role in data privacy. They spearhead our compliance with data retention requirements, and are closely involved with our committees that oversee privacy and security. HIM works with both our compliance department (privacy) and with our information systems (IS) department (security). HIM professionals are critical and knowledgeable partners in both realms.
Grady: Our privacy officer works directly with HIM to elevate
data privacy issues to our governance committee.
Pesci: HIM plays a huge role in privacy for our organization. The director of HIM serves as the privacy officer who creates policies, monitors regulations, reviews subpoenas and court orders, controls access to records, and participates in performing risk assessments. We have implemented BA accountability, requiring the completion of a questionnaire regarding HIPAA compliance programs. We then assign risk.
The privacy officer, in coordination with the security officer, conducts HIPAA rounds. The privacy officer also serves on the corporate compliance team, monitors potential breaches, and educates employees, volunteers, and vendors using a variety of tools. In addition, the privacy officer maintains, updates, and posts the notice of privacy practices. HIM is the hub of the release of information.
Reiher: Describe a success story in which your organization
was able to uncover hidden PHI and mitigate risk.
Temple: We have a strict policy in place with employees who
are granted access to our email server through their mobile devices. When they terminate employment with our organization,
Top 10 PHI Vulnerability Assessment Questions
To help uncover hidden PHI, the following questions are recommended.
Does your organization:
1. Have a policy and process to lock down user workstations based on an analysis of risk and operational need?
2. Encrypt ePHI on portable devices such as laptops, tablets, USB/flash drives, external hard drives, and other electronic
3. Know which controls are in place to protect ePHI that is stored in remotely hosted databases?
4. Secure/encrypt the wireless transmission of ePHI within your facility?
5. Encrypt remote access transmission of ePHI?
6. Have policies and procedures in place for secure, complete destruction of any hard drive that contains ePHI?
7. Receive a certificate of destruction if using an external resource for disposal?
8. Have physical and technical safeguards in place for the patient portal?
9. Have a BAA in place with any telehealth vendors?
10. Have cybersecurity technology and processes in place to secure your internal network from intrusion?
Quiz ID: Q1929008 | EXPIRATION DATE: SEPTEMBER 1, 2020
HIM Domain Area: Privacy and Security
Article—“PHI Hide and Seek”
Review Quiz Questions and Take the Quiz Based on
this Article Online at https://my.ahima.org/store
Note: AHIMA CE quizzes have moved to an online-only format.