Potential HIPAA Breaches can be Found Everywhere

Hidden HIPAA Breaches in the Workplace

By Bob Grant, Chief Strategy and Compliance Officer for Compliancy Group LLC

Look around you: there are potential breaches everywhere, and some are hidden.

It is getting to the end of the year, and for many that means the end of leases on office equipment and the decision to upgrade, renew, or turn it back in. These leases can cover a total office package of chairs, cubicles, and desks, along with computers, copiers, and fax machines.

BEWARE, healthcare friends: your ePHI is about to walk out the door and you are probably not even aware of it. Before we delve into how the ePHI is walking out, let us talk about what ePHI is. Under the HIPAA Privacy Rule, protected health information (PHI) refers to individually identifiable health information. Individually identifiable health information is that which can be linked to a particular person. Specifically, this information can relate to:

  • The individual’s past, present or future physical or mental health or condition,
  • The provision of health care to the individual, or,
  • The past, present, or future payment for the provision of health care to the individual.

Common identifiers of health information include names, Social Security numbers, addresses, and birth dates. When you store it electronically, it becomes Electronic Protected Health Information, or ePHI. So, on to the compliance story.

Those fax machines, those computers, and some of those printers are harboring ePHI, and if you do not take the appropriate steps to remove that ePHI before the equipment goes back to the leasing company, you could be facing public humiliation, an audit, and most likely a fine.

Why, you ask? The computer is the clear case: it has a hard drive, and ePHI may be stored on it. But the fax and copier may also have storage devices that you will need to wipe clean according to standards that were established by the Department of Defense. Wait, you're now asking, "How would I have known about this?" Your Technical IT Risk Analysis should have identified the devices that store ePHI, and your policy on Device and Media Controls should direct you on how to wipe them clean. Please watch for these types of hidden breaches every day in your workplace; it could save you a lot of time, headaches, and money.

The Compliance Group will be hosting an upcoming webinar on November 19, 2 pm Eastern: "The Most Wonderful Time of Year for Health IT…NOT." Hear the experts talk about today's HIPAA, HITECH, Omnibus Rule, and Meaningful Use Core Measure 15 compliance issues.