
How Protected Health Information (PHI) Hides in Your Network, and How to Stop It

From CAPAdvantage partner, Acentec

One of the primary goals of a HIPAA compliance risk assessment is to document where PHI is stored for your organization. More often than not, it’s in far more places than most realize. There can be several reasons why this happens. Let’s consider the three most common causes.

Where’s My PHI?

First, most web browsers have a default path for storing downloaded documents, and it’s commonly into a folder named “Downloads.” In a typical scenario, a user will access a web-based application like the Cardiac Arrest Registry to Enhance Survival (CARES) database and download a patient record. For many users, the PDF file will download and then open in their default PDF viewer, where they will then save it to its intended, proper folder. However, a copy of the downloaded file remains in the Downloads folder, and the name is usually not identifiable as a medical record. To avoid this often-overlooked scenario:

  1. Change the download destination folder in the browsers you use to a protected folder where you save PHI.
  2. Purge the Downloads folder on a regular basis. Depending on how your network is configured, it’s possible to do this second step automatically.

Second, scanners and fax machines are notorious for saving PHI either locally on their own device or, for networked systems, in a network folder at a path unique to the device. Again, this is a configuration issue: unless you have manually configured every instance of the printer/scanner/fax software, it is saving documents in places you may not be aware of. Practices should:

  1. Manually configure every workstation where the software is installed; or
  2. Install a server-based version of the software where all of the stored documents are pathed to the same central folder.

Third, and most difficult for smaller offices to troubleshoot, are cached folders where PHI files may reside. A typical example is a temporary folder where open documents are stored. Quite often these files are not fully erased when the document is closed, and while the file names may not be recognizable, they remain accessible and readable by unauthorized users. Practices can resolve this issue by learning where the software they use stores its temporary files and purging that folder periodically. Again, this is a process that can be managed automatically by a professional IT management company, or you can do it manually.
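The two purge steps above (clearing the browser's Downloads folder on a schedule, and clearing the temporary folder where an application parks open documents) are the same job with different paths. The script below is an added example, not Acentec's tooling or anything from the article: it inventories files in a set of overlooked folders by age and document type, reports what it finds, and purges only when dry-run is switched off. The folder paths, the seven-day retention window, and the list of file extensions treated as likely records are assumptions to adjust for the practice's own software.

```python
"""Inventory and purge stale document files in overlooked folders.

Added example (not the article's or Acentec's code). Paths, retention window and
the extension list are assumptions; adapt them to the workstation and software
actually in use.
"""
import os
import time
from dataclasses import dataclass
from pathlib import Path

# Extensions that commonly carry downloaded records or scanner/fax output
# (assumption: extend for the applications the practice uses).
PHI_CANDIDATE_SUFFIXES = {".pdf", ".tif", ".tiff", ".jpg", ".jpeg", ".png", ".xps"}


@dataclass(frozen=True)
class StaleFile:
    path: Path
    age_days: float
    size: int


def find_stale_files(root, max_age_days, now=None, suffixes=PHI_CANDIDATE_SUFFIXES):
    """Return candidate files under root last modified at least max_age_days ago.

    Matching is by extension, not by name: the whole problem the article
    describes is that the copies left in Downloads or a temp folder do not
    have names that look like medical records.
    """
    now = time.time() if now is None else now
    root = Path(root)
    found = []
    if not root.is_dir():
        return found
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        stat = path.stat()
        age_days = (now - stat.st_mtime) / 86400
        if age_days >= max_age_days:
            found.append(StaleFile(path, age_days, stat.st_size))
    return sorted(found, key=lambda f: f.path)


def overwrite_and_delete(path):
    """Best-effort: overwrite the contents before unlinking so a casual
    undelete does not hand back the record. This is not a guarantee on SSDs
    or journaling file systems; encryption at rest is the real control."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def purge(root, max_age_days, dry_run=True, now=None):
    """Purge stale candidates under root and return the paths acted on.

    With dry_run=True nothing is removed; the returned list is what a
    scheduled run with dry_run=False would delete, so it can be reviewed first.
    """
    stale = find_stale_files(root, max_age_days, now=now)
    for item in stale:
        if not dry_run:
            overwrite_and_delete(item.path)
    return [item.path for item in stale]


def report(roots, max_age_days, now=None):
    """One inventory line per folder: count of stale candidates and total bytes."""
    lines = []
    for root in roots:
        stale = find_stale_files(root, max_age_days, now=now)
        total = sum(f.size for f in stale)
        lines.append(f"{root}: {len(stale)} stale file(s), {total} bytes")
    return lines


if __name__ == "__main__":
    # Constructed defaults: the browser's Downloads folder and the OS temp
    # folder. Replace with the real paths the practice's software writes to.
    folders = [Path.home() / "Downloads", Path(os.environ.get("TEMP", "/tmp"))]
    for line in report(folders, max_age_days=7):
        print(line)
```

Run it first in the default dry-run mode and keep the report as part of the risk-assessment documentation of where PHI sits; only then hook `purge(..., dry_run=False)` into a scheduled task. The overwrite step is deliberately labelled best-effort: on modern drives it does not replace encryption at rest, which the article already calls out as required.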

Keeping PHI secure is a constant process that requires vigilance. It’s required that you document where your PHI is stored and that it’s encrypted when at rest. 

This article is presented by Acentec, a participant in the CAPAdvantage program, CAP’s suite of no-cost or discounted practice management products and services.

Acentec provides dedicated IT support to help manage and monitor your IT infrastructure. They also offer a complete HIPAA compliance program that includes required documentation, a risk assessment, and annual training for employees. If you have any questions or if you are concerned about your organization’s cybersecurity practices, contact Acentec at (949) 474-7774.