Auditor Tips: Know Your PHI’s Lifecycle

Fully understanding all the PHI you have, where it is stored, what processes touch it, and how it is used in your organization is critical to enabling a business to properly handle and secure PHI.

Matt Halbleib

*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide.

One of the first steps in protecting PHI is determining how much of it you have, what types you have, where it can be found in your organization, what systems handle it, how it is transmitted, and to whom you disclose it. You should take time to interview personnel to document those systems/processes and who has access to them.

You are probably not aware of every task and situation that your workforce members encounter daily. Interviewing personnel is one of the best ways to get further insight into how you’re interacting with and using PHI on a regular basis. It may help you discover uses, access to systems, or certain disclosures of which you were not aware.

For example, we often see large data storage areas where patient data lies around unprotected while it is “being worked on,” and staff members commonly create copies of patient data and leave the copies unattended on the printer.

When IT staff don’t fully understand which system components ePHI is stored on, they don’t properly protect the data, which can and does lead to large breaches.

Fully understanding all the PHI you have, where it is stored, what processes touch it, and how it is used in your organization is critical to enabling a business to properly handle and secure PHI.

Make sure that your staff accurately understands how you use PHI/ePHI and is trained on how to properly handle it.
