.st0{fill:#FFFFFF;}

Podcast

Ep 42: PHI Locations In Your Organization 

 February 26, 2016

By  Donna Grindle

Share0
Tweet0
Share0

Defining PHI locations in your organization is the first step to completing a risk analysis.  It is also the only way to be sure you are protecting the information with proper safeguards.  PHI locations can seem obvious at first thought, but once you begin to consider all the different areas of your organization where you may be creating, receiving, maintaining, or transmitting PHI, you will be surprised at what comes up.

Audit Protocol Instructions for Risk Analysis
Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

A 5 star review is all we ask from our listeners.
1x
Apple PodcastsGoogle PodcastPlayer EmbedShare Review Us on Apple PodcastsListen in a New WindowDownloadSoundCloudStitcherSubscribe on AndroidSubscribe via RSSSpotify
Free HIPAA Training
Subscribe to the weekly email update from HMWH

I have read and agreed to your Privacy Policy

PHI Locations – Where Do I Look?

Where should you search for your PHI? Is it all accounted for in your organization? Is it all documented?

  • person-looking-searching-cleanStart at the front desk, walk through the whole office with the intent of getting PHI that you shouldn’t be able to access.
  • Where are people talking about, collecting, or using PHI?
  • Where do you store PHI (both paper and electronic)?
  • Where is it moving around your organization?
  • What other organizations are you connected to and exchanging information?

Have you considered these PHI locations?

  • fax
  • copier
  • printers
  • closest
  • providers – ask them
  • Interfaces between systems?
    • how does the data get between you and your lab or collections firm?
    • are you sending only minimum necessary?
  • Using a cloud vendor?
    • do you download reports or spreadsheets?
  • Phones and tablets
    • what do the apps really download to the devices – have you asked the vendors?
    • what info do the clinicians keep on their devices? voice memos? contact info with details?
  • How does electronic PHI get removed from all these systems?
  • Paper
    • where are people using it and storing it
    • where do they get rid of it
<strong>Links to relevant Information or Mentioned Episodes</strong>

Episode 13: What is a HIPAA Risk Analysis

Ep 39: Cybersecurity Tips From The FBI – Check Your Security

HHS OCR Audit Protocol

Share 0
Tweet 0
Share 0

HelpMeWithHIPAA.com Is A
Collaborative Project

Created & Sponsored By: