Best Practices

Does a ‘HIPAA Compliant’ Seal Make You Compliant?
Best Practices, HIPAA

Does having a ‘HIPAA Compliant’ Seal Make You Compliant?

March 3, 2021 Comments Off on Does having a ‘HIPAA Compliant’ Seal Make You Compliant?

March 3, 2021 Short answer? Nope. Long answer, having a ‘HIPAA compliant’ seal can actually get you in hot water – just ask SkyMed International, Inc., who was hit with a 20-year corrective plan – no, not by the Office for Civil Rights, but by the Federal Trade Commission (FTC).  FTC? What? That’s right, this recent HIPAA related event actually got a business in trouble for displaying a ‘HIPAA Compliant’ seal, when the organization falsely advertised their ‘compliance’…except that they ended up experiencing a massive data breach exposing the sensitive information of over 130,000 individuals and after investigation were found to be anything but HIPAA compliant.   So, when it comes to those ‘seals of compliance’ you’ve probably heard about or seen around, in most cases they don’t mean anything – and could actually wind up getting a practice in trouble for false advertising. There’s no industry certification around HIPAA – trust us, we would be first in line if there was! – and having a certified statement is also a no-go, since there’s no legitimate organization that offers those certifications to back it up.   If you DO have a HIPAA seal or badge of some kind, don’t panic! That doesn’t mean you’re in trouble – depending on what your seal proclaims. Where the FTC raises the red flag is if there’s any statement of ‘compliance’ included. On the flip side, consumers can get peace of mind when they know their healthcare provider has a compliance program (note, program, not statement OF compliance) in place. So if you indicate that you follow HIPAA best practices, carry on! If, however, your website states that you ARE compliant, you may want to double-check your verbiage before the FTC gets involved.  As much as we wish HIPAA could be as simple as just following a checklist once and receiving a nice shiny badge of compliance that your practice’s website could wear proudly, it’s not. HIPAA compliance is an ongoing process and requires constant review and updates for ANY organization, regardless of their size or specialty. So while a compliance seal isn’t an option – maintaining a complete compliance program is (and a required one at that!)

OSHA Workplace Violence Prevention Checklist
Best Practices, HIPAA

When & Why You Need a HIPAA Authorization Form

February 18, 2021 Comments Off on When & Why You Need a HIPAA Authorization Form

February 18, 2021 If you’ve been managing your HIPAA program manually, maybe even using an old HIPAA binder, you probably associate HIPAA with a lot of paperwork. While most of your HIPAA program can now be tackled digitally (and with a time-saving partner, hint hint), there are some papers that are 100% still relevant – like the HIPAA Authorization Form.  What is a HIPAA Authorization Form, and when do I need one?  Having a signed HIPAA Authorization Form is one of the many requirements under the Privacy Rule. The authorization form (sometimes called a patient HIPAA consent form), essentially serves as a handy dandy permission slip allowing a practice or business associate to use or disclose protected health information (PHI) in the ways a patient wants their data used.  Now, just to clear things up, there ARE times you can disclose PHI WITHOUT an authorization form – namely, for regular healthcare payment, treatment, and operations. This means that patients can be treated without an authorization form and that you can share their data as necessary to conduct business without penalties under HIPAA. There are some additional specific scenarios where you don’t need a signed authorization form to share PHI, but most important to note are when you DEFINITELY should have a consent form signed. This includes when PHI is used or disclosed: Without getting the green light from the patient (in writing) in any of these circumstances, your practice can get into some pretty big trouble.  What should be included on the HIPAA Authorization Form itself? If you’re thinking of a lengthy legal document, you’re actually in for some good news – the Authorization Form can be short, sweet, and to the point as long as it covers the following key pieces:    In addition to the specific elements that must be included within the document, there are also a few statements that should be outlined including:   How long does the authorization remain valid? The Authorization form remains in effect until the listed expiration date or event that was listed when the patient signed the form. We recommend reviewing your authorization forms every few years or so however, to confirm none of the data has changed and anytime an outside event would require a new form (such as a name change, patient who turns 18, or other scenario). The patient also has the ability to change their mind at any time, and can revoke their authorization (in writing) whenever they choose. Why do I need one? You don’t have to be an expert on the ins and outs of HIPAA to know that it’s main focus is to protect the privacy and security of patient information. The authorization form helps to do just that – limit patient information to the organizations or individuals designated by the patient to receive their health conditions, insurance information, and any other sensitive data housed within your practice. By getting a form signed from each patient, you’re protecting both the patient and your practice to best disclose information as designated and without any surprises.      After last year’s enforcement trend centered around patient right of access along with the recent proposal to modify the HIPAA Privacy Rule (with some specific changes related to patient authorization and the Notice of Privacy Practices), giving your practice a head start on meeting important HIPAA standards now is key. If you aren’t using an authorization form, there’s no better time like the present to start implementing a form that fully complies with the Department of Health and Human Services requirements.

What is the Breach Notification Rule?
Best Practices, HIPAA, Legislation

What is the Breach Notification Rule?

February 12, 2021 Comments Off on What is the Breach Notification Rule?

February 12, 2021 Don’t shoot the messenger, but HIPAA breaches continue to skyrocket over the last few years – making your practice increasingly likely to experience a breach related to cyberthreats, human error, or other means. While we wish we had better news, we CAN at least help make sure that if a breach were to occur you’ve got the low down on one of the less common, but very relevant, aspects of HIPAA – the Breach Notification Rule. Any type of breach of patient data (verbal, technical or paper-based) counts as a breach of information. The OCR has some specific requirements for you to follow in the event of a breach – namely, what types of notifications are required and who needs to be alerted if the worst should occur. So while we’re not wishing a breach on anyone, let’s walk through the key aspects of what to do next – just in case – when it comes to responding to a breach.  Step One: Assessing a Breach First, whether your breach is suspected or pretty much a done deal, you need to assess the breach and determine the who, what, when, where and how of the incident. This is essential to finding out whose data is affected as well as what the likely ramifications are of the breach, and will inform how you handle breach notifications. Step Two: Notifying the Right Parties Once you’ve finished assessing a breach, you’ve only explored the tip of the iceberg. You know you have a major issue on your hands – so now what? Your first step is to get the right people – affected patients – informed as well as notify the Department of Health and Human Services (HHS) in all cases where a malicious or unknown breach has occurred. You may also have some state-specific parties that need to be notified as well, though this varies by your specific practice location. Step Three: Providing the RIGHT Information There are quite a few specifics that must be included in your apology letter, and just to make things even more complicated, states have different requirements here as well. A few of the basic elements include a brief description of what happened, the suspected or confirmed dates of the incident, and a description of the type(s) of protected health information (PHI) involved, any steps individuals should take to protect themselves from any potential harm, and a description of what the covered entity involved is doing to investigate the breach, mitigate harm to individuals, and to protect against any further breaches. You’ll likely also need to include contact information for affected parties to reach out to for additional questions. Step Four: Providing TIMELY Information We’re sure it’s no surprise that your practice doesn’t have carte blanche control over when you provide breach notifications. The OCR actually lays out some pretty specific timelines here, including that:  Either way, reports should always be done through the HHS breach portal, and we highly recommend submitting those breaches as soon as possible to proactively correct and mitigate any threats (and any resulting HIPAA fines you might be up for as well). Additional Steps While data breaches are usually out of anyone’s control, the way your practice actually handles the incident is the important part – and will help you avoid a resulting HIPAA fine. This is probably the never several steps in our book – not only handling the breach notification rule requirements but also mitigating the threat(s) and preventing future violations. There are likely other specific requirements you need to meet as well (by state again…seriously, don’t shoot the messenger!) and having a complete HIPAA program, including breach notification policies and procedures, will help you get the right information for your specific scenario and check all requirements off your list.

2020 HIPAA Breaches Reporting Deadline
Best Practices, HIPAA, Legislation

2020 HIPAA Breaches Reporting Deadline is March 1st

February 5, 2021 Comments Off on 2020 HIPAA Breaches Reporting Deadline is March 1st

February 5, 2021 2020 was certainly not the year anyone planned, and despite your best intentions, the transition to remote operations and reliance on new technologies may have led your practice to experience a (hopefully minor) HIPAA breach last year. If you had a major breach (500+ patients affected) you’re a little late to the reporting party (breaches affecting over 500 patients should be reported within 60 days, or sooner depending on your state). If fewer patients were affected and you only had a minor breach on your hands, mark your calendars for the upcoming small breach reporting deadline on March 1st.  What types of incidents are HIPAA breaches, and how do I know if I have to report it? Any instance in which protected health information (PHI) was exposed in violation of the HIPAA Privacy Rule or HIPAA Security Rule counts as a breach of HIPAA. This could be as small as sending an email containing PHI to the wrong person, or as big as a hacking incident affecting hundreds of patient records. While we wish there was a ringing alarm to signal a breach has occured, many breaches aren’t as easy to detect. If you just aren’t sure, first assess the scenario to help make that determination – particularly what the risk is that the PHI possibly exposed would be used for ‘malicious intent’. We’re big believers in the “better safe than sorry” mentality, and recommend reporting any incident that could be a breach to meet all the necessary reporting requirements.    What qualifies as a ‘small’ HIPAA breach? HIPAA classifies minor breaches as incidents impacting 500 individuals or less. Even if the breach only involved a single patient, it still counts as a breach and should be reported no later than 60 days after the end of the calendar year (aka, March 1st). The ONLY case in which a breach of this kind might not need to be reported is if you can determine with absolute certainty that the data exposed won’t be misused or has been permanently deleted. (P.S., if your breach fell into that 500+ patients bucket, while you’re a little behind we still recommend submitting a late report, instead of no report at all, to reduce the penalties you might face.) What if my business associate experienced the breach, do I have to report it?  While the Office for Civil Rights (OCR) does encourage business associates to report breaches themselves, the responsibility of getting the report in correctly and on time ultimately falls on the practice. If one of your third-party vendors experienced a breach in 2020, it’s best to check with them to ensure that the breach was reported or report the breach yourself to make sure you’re covered (again – better safe than sorry!). Even if you have a Business Associate Agreement (BAA) in place with the vendor and an incident is completely out of your hands, failing to report the breach by the deadline can still result in HIPAA fines.      Reporting HIPAA breaches of any kind is extremely important to avoiding further fines and penalties. If you do have to make a report – you’re not alone. Only 44% of healthcare organizations actually meet cybersecurity standards, meaning a LOT of organizations wind up with data breaches even if they have solid HIPAA programs in place. There is some good news however with the new HIPAA Safe Harbor Law. You could qualify for reduced HIPAA fines if and only if you can prove that your practice has had the necessary technical safeguards and HIPAA requirements in place for 12 months before the breach. So, the short version? Make sure you report ANY possible or confirmed small breaches that occurred in 2020 by March 1st to avoid further penalties. If you DON’T have a HIPAA program in place but still have a breach to report we highly recommend getting a program in place ASAP to help reduce possible fines or other penalties.  

HIPAA Compliance FAQs
Best Practices, HIPAA

Compliance FAQs: Get Answers to Your Top HIPAA & OSHA Questions

January 7, 2021 Comments Off on Compliance FAQs: Get Answers to Your Top HIPAA & OSHA Questions

March 11, 2024 Let’s be honest: compliance can be complicated. With all the regulations, sometimes it feels like you’re making mistakes you don’t even know.  But with Abyde, it doesn’t have to be.  We have an A-list Customer Success team, ready to answer your questions. This week, we’re rolling out the red carpet for these compliance experts We’re interviewing our CS celebs on the HIPAA and OSHA questions they receive the most. Read below to get the inside scoop on what you need to know for your practice.  A child on a parent’s insurance just turned 18, while I know they have to sign consent forms, do the parents need consent to see or request their records?  Sorry, new grown-ups! Parents do not need consent to see their child’s records, they can do so for the purposes of insurance, or payment. It has to be the minimum information shared. Oh no! An employee was poked with a contaminated needle and needs to be tested. Who is responsible for paying for the tests?  The employer! It is the employer’s responsibility to take care of their employee in this situation. Whether it be through their insurance or Workers’ Compensation, or paying it directly, it is the employer’s responsibility.  Why do I need a Business Associate Agreement, aren’t they already HIPAA compliant? First, Business Associate Agreements are a requirement of HIPAA, and outline the rights and responsibilities of a Business Associate (BA) and a Covered Entity’s (CE) partnership. The BA agreement keeps both parties on the same page and protects your practice if there is a breach on their end, having this documented expectation of a BA’s responsibilities.  Why do I need to ask my employees if they’ve received their Hepatitis B vaccination?  Well, if the employee has the potential to be exposed to Bloodborne Pathogens (BBP) or Other Potentially Infectious Materials (OPIM), the employer has to give them the option to be vaccinated. Depending on the state, your employees must be vaccinated against Hepatitis B.  Do the doctors have to do HIPAA/OSHA Training? They own the practice.  Yes, even if doctors own their practice, they still need to ensure compliance with HIPAA. All employees must complete training, even the owner of the practice.   HIPAA regulations are designed to protect patients’ sensitive health information, regardless of whether the provider is part of a large institution or an independent practice.  Therefore, doctors who own their practice must undergo HIPAA training to understand their responsibilities and ensure that their practice adheres to HIPAA regulations. Do I need to report my breach to the OCR?  Just like a fender bender doesn’t require the same reporting as a 10-car pile-up, not all breaches need to be reported. For instance, breaches that affect 500 or more patients must be reported to the OCR.  However, you will want to log ALL incidents in your Abyde Breach Log, even if OCR reporting isn’t necessary. As you can see, our compliance experts are here to clear up any compliance confusion for you. At Abyde, we want to simplify compliance for your practice or business, and our awesome CS team is a testament to that. To learn more about how Abyde is the solution for all of your compliance worries, email us at info@abyde.com and schedule a compliance consultation here for Covered Entities, and here for Business Associates. 

December HIPAA Requirements
Best Practices, HIPAA

Meeting December HIPAA Requirements: What Your HIPAA Program is Probably Missing

December 3, 2020 Comments Off on Meeting December HIPAA Requirements: What Your HIPAA Program is Probably Missing

December 3, 2020 Who doesn’t love the whole “new year, new you” excitement but before you press fast forward on the month of December there’s a few key pieces of HIPAA you are probably missing – but can still catch up on before December 31 HIPAA deadlines hit. You may be thinking “I did my Security Risk Analysis, I’m good!” or even “we did training that one time, we’re fine!”. Don’t shoot the messenger, but there’s a LOT of other pieces that go into your HIPAA program besides annual HIPAA training and the Security Risk Analysis. Before you panic, you aren’t alone – on the latest round of OCR audits, they found that only 17% of practices had performed a Security Risk Analysis, and only 6% had a security risk management program (the documentation, policies, and additional HIPAA pieces required) in place.  What do I need by December 31? So what do you actually need in place, and how do you get this new checklist completed before the end of the month? First, let’s cover what you need to have at a minimum: 1. Your Security Risk Analysis (SRA) We call this the first step in HIPAA compliance for a reason. The SRA sets the baseline for your practice by assessing all physical, technical, and administrative areas of risk and determining where your HIPAA program stands. Your SRA must be updated annually, and should be more than a generic checklist – it should cover all the aspects of your practice most at risk, and should provide you with actionable insights to your high, medium and low risk areas.  2. Annual HIPAA Training If your practice has the first requirement down, you may also have HIPAA training somewhere on your radar. Some practices either do training once, instead of annually as required, or fail to document training correctly. You should have a certificate or other record of completion for each staff member, dated within 2020, to meet this requirement. The easiest way to do HIPAA training? Using an automated system lets staff take training individually, without having to shut down your practice or hire an outside trainer for a day.  3. Documented Policies & Procedures This is where practices might start to miss the mark. You may have a few policies, or an older HIPAA manual perhaps, but documentation to the government standards is key to meeting this requirement. That means having updated, current and specific documentation that accurately reflects your practice operations today (instead of an outdated manual from 6 years ago) and touches on all HIPAA requirements – not just one or two areas.  4. Updated HIPAA Logs If you have all of the above (major kudos if you do), having the right logs of all HIPAA related access, assets and possible breaches is still a commonly missed area, and is key to documenting how your practice handled HIPAA incidents in the past year.  All of these pieces should be completed on an annual basis, and tie into the many other requirements that go into a complete HIPAA program.  How do I do it by the end of the year? If any of the above sound scary or completely left-field to you – don’t panic! Taking one piece at a time, starting with your SRA, will help you chip away at these requirements. Odds are you probably have a piece or two, but may be missing additional aspects of your HIPAA program. There’s a few ways you can tackle these requirements, including: No matter what you do, leaving HIPAA to the last minute may leave you in a bit of a time crunch, and failing to complete these requirements will leave your practice open to hefty fines. Thankfully, there is an easy solution that will check everything off your list with plenty of time left to enjoy the holidays instead of stressing about HIPAA! Schedule a quick consultation with a HIPAA expert and see where you might be missing the mark, and how Abyde could help you breeze through these requirements before December 31.

The Importance of HIPAA Compliance Officers
Best Practices, HIPAA

Behind Every Complete HIPAA Program, There’s a HIPAA Compliance Officer to Thank

November 5, 2020 Comments Off on Behind Every Complete HIPAA Program, There’s a HIPAA Compliance Officer to Thank

November 5, 2020 If you aren’t already aware of how much goes into a complete HIPAA compliance program, we’ll give you a hint – it’s a lot. How much is a lot? Estimates are that it takes the average practice (on their own) 80+ hours per year. So who do you thank for all those hours, headaches and (probably) tears? Your friendly neighborhood HIPAA Compliance Officer.  A HIPAA Compliance Officer, or HCO, is essentially responsible for ensuring your practice meets requirements outlined in HIPAA law – which is as complicated as it can get. Their role is pretty crucial to avoiding a HIPAA violation (not to mention required under HIPAA) and involves quite a list of tasks for the lucky winner of the HCO title. HCO responsibilities include: If you are a smaller practice, your practice administrator or office manager might serve as your HCO (on top of all their existing responsibilities – seriously, they must have superpowers), or if a larger organization, you may be lucky enough to have a separate compliance staff member. Regardless of how your practice operates, the HCO deserves a major round of applause for all they do to keep your practice – and patients – safe, secure and compliant.  Every great hero has a side-kick, and for your HCO a HIPAA compliance software solution is just that. Rather than manually updating each policy, creating training materials, conducting ongoing risk analyses, AND keeping up with changing HIPAA regulations, a software solution like Abyde does it all with just a few clicks – and with a lot less time and stress involved. Whether you have a software side-kick or not, making sure you have all the right pieces of the HIPAA puzzle is a crucial role for your HCO to fill.  Don’t have an HCO? Or have someone that was responsible that one time, but never actually had the opportunity to get started on HIPAA? First, figure out where your program is at by reviewing what you may be missing, then assign an HCO and get them some help to manage their new HIPAA responsibilities.

Information Blocking
Best Practices, HIPAA

What Does ‘Information Blocking’ Mean?

October 15, 2020 Comments Off on What Does ‘Information Blocking’ Mean?

October 15, 2020 If you’re at all familiar with the 21st Century Cures Act, you may have heard the term ‘information blocking’ tossed around. Even if you’re not, you may be familiar with the ongoing healthcare battle to prevent information blocking and more effectively share patient information. If you’re not familiar with any of these things…well…keep reading anyways, if you’re an independent practice we promise this is going to be increasingly important information to know.  A major goal of the Cures Act is to break down the barriers currently erected to interfere with, prevent, or discourage the access, exchange, or use of electronic Protected Health Information (ePHI) within the healthcare industry – otherwise known as information blocking. HIPAA outlines the specific ways information can be shared (and these rules still apply) but the statement of “sorry we can’t share that information because of HIPAA” is often applied incorrectly, and part of what the Cures Act hopes to correct. Deliberately blocking information that should be shared with patients and other appropriate covered entities, such as with Health Information Exchanges (HIE’s), can prevent or delay proper treatment and ultimately reduces the effectiveness of patient care. Before the Cures Act rules go into effect (November 2, 2020), organizations must reevaluate or remove any barriers currently in place that constitute information blocking. Not 100% what that really means? You aren’t alone, which is why the Office of the National Coordinator for Healthcare Technology (ONC) has created a helpful cheat sheet for what does and does not qualify as information blocking. There are some exceptions to what falls under the “information blocking” umbrella, including:  All of these exceptions are only permissible provided certain conditions are met. In general, think of information blocking as refusing to share data even when there is no reason not to – i.e., none of these exceptions or regular privacy concerns apply. Where it gets tricky is when information sharing might – though the situation makes it unclear – violate HIPAA compliance regulations (really violate them, not just as an excuse). It’s always helpful to ask the experts in these circumstances – such as your HIPAA compliance program provider (*cough cough*). 

Requesting Access to Medical Records and HIPAA
Best Practices, HIPAA

Your Patient Requested Access to their Medical Records, Now What?

September 18, 2020 Comments Off on Your Patient Requested Access to their Medical Records, Now What?

September 18, 2020 When it comes to medical records requests, you just hand over patient files – right? Wrong! The HIPAA Privacy Rule unequivocally provides individuals with the right to see and receive copies of their medical records upon request – but has some requirements when it comes to the who, what, and how of handing those records off. Appropriate patient access can be a fine line, and if you stray too far to either side you may end up in the next historic Office for Civil Rights (OCR) announcement of multiple access-related fines. Here’s the 411 on patient record access: Access is just for the patient, right? We hope it’s obvious that patients should be able to access their own records (who doesn’t want a hard copy of their dry eye disease diagnosis), but it’s not just patients that have the right to request records. In fact, the OCR levied two fines just this week for not providing access to an authorized personal representative of a patient. A ‘personal representative’ is someone with the authority under state law to make health care decisions for another individual. This may be the case if: How must access be requested? Making things easy (cough cough), HIPAA law does not specify any required method of requesting access. Patients may ask verbally, in writing, or by secure email or patient portal – really, whatever method suits the patient. Your practice CAN specify the way you want patients to request access, they just have to be informed first about this requirement (possibly as part of your onboarding forms). We do recommend making access requests written, just to document the date of the request. Do I need to verify the requester is authorized? Once you have a patient or their personal representative requesting access, you can just hand over the records, right? Not so fast. The HIPAA Privacy Rule requires practices to take reasonable steps to verify the individual making a request for access is who they say they are. While there’s no specific form of verification required, such as a copy of their driver’s license, it’s extremely important for your practice to use professional judgment when determining that a request is ‘legit’. Verification must also be done without adding unnecessary delays in fulfilling the request. What form must records be provided in? We’re long past the days of keeping everything on paper, and most practice’s manage their health records electronically. However, the Privacy Rule requires a practice to provide access to protected health information (PHI) in the format that it was requested in – either a paper or electronic copy. If the records are not readily producible in the requested format, you’ll need to agree on an alternative format instead. How quickly do records need to be provided? The phrase “ASAP” is nice and all until it comes to meeting specific HIPAA deadlines. When a request is made, the practice must provide access as soon as possible and at minimum within 30 calendar days (the federal law) or less depending on your specific state laws. If unable to provide access within 30 days, the practice can inform the individual of the reasons for the delay and can have no more than one 30 day extension period.  Timeliness is key when it comes to patient access. One practice in particular didn’t provide patient records until 9 months after the initial request was made. The patient filed a complaint to the OCR that resulted in an $85,000 fine along with a corrective action plan. If you thought 9 months was bad, just this week the OCR announced another fine for failing to provide medical records for almost 3 years.    Can I charge patients for copies of their records? Depending on the format requested or the time needed to collect records, there might be some costs involved. Thankfully HIPAA accounts for this, and lets your practice impose a reasonable, cost-based fee for requests. This fee can include:  There’s a lot more that goes into requesting records than simply handing them over. If you’re confused about all this – and we get it, we were too – having a HIPAA expert on deck to help sort out specific scenarios quickly can help your practice stay on top of requirements without unintentionally violating HIPAA. Don’t have an expert to help? Work with an outside HIPAA compliance provider (just picture us saying “pick me!”) who can help you manage the intricacies of access laws before winding up on the next OCR HIPAA settlement announcement.

HIPAA Compliant PHI Disposal
Best Practices, HIPAA

Disposing of PHI: Why, What and How

August 27, 2020 Comments Off on Disposing of PHI: Why, What and How

August 27, 2020 When it’s time to upgrade to that new wallet or purse you’ve been wanting, you probably take out all your sensitive information – credit cards, license, etc. – before tossing out the old one (we hope so at least). It should be no different when it comes to disposing of old devices or hard drives that contained sensitive ePHI, yet practices continue to miss the mark. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling so that the information cannot be read by the wrong parties. Despite this being common knowledge, incidents continue to arise – such as the recent batch of medical records found unattended at an Odessa recycling center in Texas. Because the records weren’t shredded, their sensitive data was made easily accessible. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. What data needs to be properly disposed of?  Anything that does or could have once stored PHI – some you may not even realize – should be properly disposed of to wipe any traces of patient information. This includes: Many devices unknowingly have stored patient information – in emails or text messages, documents accessed on your device web browser, pictures or screenshots, medical images, voicemails, or applications that stored PHI during use. Devices may contain their own storage drives, especially if IoT enabled (connected to your WiFi or internal network).    RELATED: So You Have PHI to Dispose of – Now What?  What is considered proper digital data disposal?  Unfortunately, clicking the ‘delete’ button does not completely remove digital data. Even if you overwrite files, they can still be recovered using software tools. The following are a few ways you can ensure your devices are disposed of properly: Now before you grab those hammers and start smashing up your Windows 7 PC, HIPAA law requires practices to store PHI for at least 6 years and potentially more depending on your state. Devices with data that falls within that 6 year timeframe should be backed up before they are wiped clean, and data should then be encrypted while being stored.  Regardless of whether the data is on paper or disk, or the destruction method you choose, it’s imperative to properly dispose of PHI – and make sure nothing retrievable ends up in the wrong hands.

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X