July 2021 – Handling Patient Data Outside of the Practice

When most people think about Protected Health Information (PHI), they picture it inside the practice itself. However, PHI can be found outside the practice in many ways. Office staff often take records out of the office with them, either as paper records or on mobile devices. Once it leaves the office, this data no longer has the protection that the office provides. Because of this, extra care should be given to PHI when it is taken out of the office.

Mobile devices

All mobile devices should be encrypted. HHS has issued multiple fines to Covered Entities that had devices stolen that contained PHI on them. Some were quite expensive.

In 2020, Lifespan Health System paid $1,040,000 to settle a case concerning an unencrypted stolen laptop. This was a single laptop and the fine was massive. You can read about this case here.

Keeping devices encrypted is easy to do, as Microsoft Windows includes this feature. It will prevent a lost or stolen laptop from turning into an HHS HIPAA investigation of your practice. For mobile devices such as phones and tablets, use a strong password on the device. Most modern devices are already encrypted, and a strong password ensures that any PHI stored on them stays secure. However, most users choose weak passwords or none at all, which makes the device's encryption useless. Be sure to use a good password on every mobile device that stores PHI.
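As an added example, not part of the original newsletter, here is a PowerShell audit script a practice administrator could run on a Windows laptop before it leaves the office. It assumes the Windows encryption feature the article refers to is BitLocker (the article does not name it) and that the BitLocker PowerShell module is available, as it is on Windows 10/11 Pro and Enterprise. The function name `Get-PhiDeviceEncryptionReport` is made up for this example.

```powershell
# Added example (not from the original newsletter): audit BitLocker status on a
# Windows laptop before it leaves the practice. Assumes the "Windows encryption
# feature" the article mentions is BitLocker and that the BitLocker module is
# installed. Run from an elevated PowerShell session.

function Get-PhiDeviceEncryptionReport {
    [CmdletBinding()]
    param()

    $report = foreach ($vol in Get-BitLockerVolume) {
        # A volume only counts as protected when it is fully encrypted AND
        # protection is switched On. "FullyEncrypted" with protection Off means
        # the key is stored in the clear, so a thief can still read the disk.
        $isProtected = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            Drive             = $vol.MountPoint
            VolumeType        = $vol.VolumeType        # OperatingSystem or Data
            VolumeStatus      = $vol.VolumeStatus      # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
            ProtectionStatus  = $vol.ProtectionStatus  # On / Off
            EncryptionPercent = $vol.EncryptionPercentage
            KeyProtectors     = ($vol.KeyProtector.KeyProtectorType -join ', ')
            SafeToLeaveOffice = $isProtected
        }
    }
    return $report
}

$report = Get-PhiDeviceEncryptionReport
$report | Format-Table -AutoSize

# Flag anything that would turn a stolen laptop into a reportable breach.
$unprotected = $report | Where-Object { -not $_.SafeToLeaveOffice }
if ($unprotected) {
    Write-Warning ("Unencrypted or unprotected volumes: " + ($unprotected.Drive -join ', '))
    Write-Warning "Do not take this device out of the practice until encryption is complete and protection is On."
    # To remediate, enable BitLocker with a TPM protector and add a recovery
    # password, then store that recovery password somewhere the practice
    # controls (Active Directory, Azure AD, or a printed copy in a locked cabinet):
    #   Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector
    #   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
    exit 1
}
Write-Output "All fixed volumes are encrypted with protection On."
```

The check deliberately requires both `FullyEncrypted` and `ProtectionStatus` of `On`, because a drive that is encrypted but suspended (for example after a firmware update) offers no protection against theft even though it reports as encrypted.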

Paper records

Paper records should be kept in the control of the person who takes them out at all times. HHS has issued fines to practices that had paper charts stolen from cars because records were left overnight in the parked car. In addition, when disposing of medical records, do not throw them away in dumpsters. All records need to be destroyed in a secure manner such as shredding.

Cornell Prescription Pharmacy was fined $125,000 for disposing of medical records in a dumpster. You can read about the case here.

The care that you take with records inside the practice needs to be extended outside the practice as well. A costly breach can happen simply because an unprotected laptop was stolen from your car.