How Protected Health Information hides in your network, and how to stop it.
One of the primary goals of a HIPAA compliance Risk Assessment is to document where PHI is stored in your organization. More often than not, our analysis software discovers it's in far more places than our clients realize. There are a number of reasons why this happens; let's consider the three most common causes.
Where’s my PHI?
First, most web browsers have a default folder for downloaded files, commonly named "Downloads". In a typical scenario, a user opens a web-based application such as the CARES database and downloads a patient record. For many users the PDF downloads and opens in their default PDF viewer, and from there they save it to its intended, proper folder. What gets overlooked is that a copy of the downloaded file remains in the Downloads folder, usually under a name that gives no hint it is a medical record. We make two recommendations for this case: 1, change the download destination folder in every browser you use to the protected folder where you save PHI; and 2, purge the Downloads folder on a regular basis. Depending on how your network is configured, the second step can be automated. Keep in mind that deleting the stray copy removes only the directory entry; the data stays on the disk until it is overwritten, which is one more reason the drive itself needs to be encrypted.
Second, scanners and fax machines are notorious for saving PHI either locally on the device itself or, for networked systems, in a network folder at a path unique to the device. Here again this is a configuration issue: unless you have manually configured every instance of the printer/scanner/fax software, it is saving documents in places you may not be aware of. Our two recommendations here are 1, manually configure every workstation where the software is installed, or 2, install a server-based version of the software so that every stored document is pathed to the same central folder. Either way, record the resulting path in your risk assessment so that the folder is covered by your access controls and encryption.
Third, and most difficult for smaller offices to troubleshoot, are cache folders where PHI files may reside. A typical example is the temporary folder where an application keeps working copies of open documents. Quite often these files are not fully erased when the document is closed, and while the file names may not be recognizable, the contents are accessible and readable by novice users. Resolving this means knowing where each piece of software you use stores its temporary files and purging that folder periodically. Again, this is a process that can be automated by a professional IT management company, or you can do it manually.
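To make the "purge it on a schedule" step in the first and third cases concrete, here is an added example script; it is not the page's tooling or any vendor's software. It sweeps the browser Downloads folder, the OS temporary folder and any scanner/fax drop folders you name, and deletes PHI-type files older than a retention window, reporting what it did so the purge is documented. The folder list, the seven-day window, the file suffixes and the PHI_SWEEP_DIRS environment variable are assumptions to adjust for your office.

```python
"""Scheduled sweep of the folders where stray copies of PHI accumulate.

Added example, not the page's tooling. It targets the hiding places the
article lists: the browser Downloads folder, the OS temporary folder and
scanner/fax drop folders. Drop-folder paths, the retention window and the
file suffixes are assumptions; set them for your site.
"""
import os
import tempfile
import time
from pathlib import Path

# File types the scanner, fax and browser-download workflows leave behind (assumption).
PHI_SUFFIXES = {".pdf", ".tif", ".tiff", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xps"}
SECONDS_PER_DAY = 86_400


def candidate_dirs(extra=()):
    """Folders to sweep: this user's Downloads, the OS temp folder, plus any
    scanner/fax drop folders passed in or listed in the (assumed) PHI_SWEEP_DIRS
    variable, separated by the OS path separator. Missing folders are skipped."""
    dirs = [Path.home() / "Downloads", Path(tempfile.gettempdir())]
    dirs += [Path(p) for p in extra]
    dirs += [Path(p) for p in os.environ.get("PHI_SWEEP_DIRS", "").split(os.pathsep) if p]
    return [d for d in dirs if d.is_dir()]


def find_stale_files(dirs, max_age_days, now=None):
    """Return files under `dirs` with a PHI-bearing suffix that were last
    modified more than `max_age_days` ago. Symlinks are never followed, so a
    link planted in Downloads cannot redirect the purge at the real PHI share."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * SECONDS_PER_DAY
    stale = []
    for root in dirs:
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            for name in filenames:
                path = Path(dirpath) / name
                if path.is_symlink() or path.suffix.lower() not in PHI_SUFFIXES:
                    continue
                if path.stat().st_mtime <= cutoff:
                    stale.append(path)
    return sorted(stale)


def purge(files, dry_run=True):
    """Delete each file and return an audit list of (path, outcome) pairs.
    A file still open in a viewer (PermissionError on Windows) is reported as
    skipped rather than silently left behind, so the next run retries it."""
    report = []
    for path in files:
        if dry_run:
            report.append((path, "would-delete"))
            continue
        try:
            path.unlink()
            report.append((path, "deleted"))
        except PermissionError:
            report.append((path, "skipped-in-use"))
        except FileNotFoundError:
            report.append((path, "skipped-missing"))
    return report


def sweep(extra_dirs=(), max_age_days=7, dry_run=True):
    """One scheduled run. Keep the returned report: documenting what was
    purged, and from where, is part of the risk-assessment record."""
    return purge(find_stale_files(candidate_dirs(extra_dirs), max_age_days), dry_run)


if __name__ == "__main__":
    # Dry run by default; schedule sweep(dry_run=False) once the report looks right.
    for path, outcome in sweep():
        print(f"{outcome:16} {path}")
```

Run it as a dry run first, then schedule it (Windows Task Scheduler or cron) under each user's account, since Downloads and the temp folder are per-user. Two caveats: `unlink` bypasses the Recycle Bin, and it removes only the directory entry, so the bytes remain on disk until overwritten. The sweep complements full-disk encryption; it does not replace it.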
Keeping PHI secure is a constant process that requires vigilance. The Security Rule requires you to document where your PHI is stored and to encrypt it at rest (encryption is an "addressable" specification, so anywhere you do not implement it you must document why an equivalent safeguard is reasonable and appropriate). If you aren't sure where your PHI is on your network, we can help lock it down for you.
Click safely as the holiday season approaches.
If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (949) 474-7774. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires a security awareness and training program for every member of the workforce, management included. We strongly recommend that your team subscribe to the weekly Compliance Connection newsletter, which is designed to support ongoing compliance efforts.