How many organizations can say that they completely understand where all their protected health information exists and where the inputs and outputs of that data are? Based on current clients, very few know exactly where all protected health information is being stored and maintained. It is not uncommon to walk into an organization and hear that they have 2 or 3 systems that store or interact with PHI – then, after discussion and analysis, it is determined that there are actually 9 or 10 different systems that interact with PHI within the organization. Additionally, many organizations don’t fully understand all the ways PHI may come out of electronic systems. For example, a transcription system may automatically send a document once it is transcribed, or a lab system may send information to the billing system for proper charges. Without properly understanding where all the data is being stored, what happens to the data, how those systems are protected, and where the ePHI outputs from the systems are, it is a challenge to effectively manage the privacy and security of protected health information. That understanding is the key link from privacy and security to Information Governance in an electronic era.
Sure, everyone knows they have patient data within their electronic health record, stored in their lab system, or on the organization’s file server, right? Those areas may be obvious and clear; however, organizations must know and understand every system and location where protected health information is being stored. Without the knowledge of where all protected health information resides within an organization and the systems that use health information, it becomes nearly impossible to manage privacy and security of information and leaves the organization extremely vulnerable to a data breach.
Privacy and Security Officers at healthcare organizations should start identifying all systems that store, transmit, or access patient information – building knowledge and understanding of how protected health information is stored and used within their organization. Creating a protected health information flow diagram or documentation is a complex and detailed process. It is most likely not going to happen in one day or one week. It is going to take time to understand each specific system, how it may or may not use protected health information, and what other systems it interacts with.
Some suggested steps to create this information at an organization:
- Conduct a system inventory analysis of all systems that the organization uses
- Understand all the hardware being used in the organization and whether ePHI is being stored on that hardware
- Evaluate each system identified to determine what its interaction is with any type of patient information
- If the system interacts with protected health information, determine:
  - What type of PHI is being stored in the system
  - What the intent of the system is
  - Who the system ‘owner’ is
  - Who has access to the system and how that access is managed
  - Where the system is hosted (local server, cloud based) and how it is backed up
  - What the inputs of PHI into the system are
  - What the outputs of PHI from the system are – both automatic and manual
  - Whether the system interfaces and interacts with other systems
  - What other security measures are in place to protect the information
  - Any other pertinent information regarding the system that is important from a security perspective
- Create documentation to support and understand all systems – your Protected Health Information Flow!
- Assure proper management of all systems that contain PHI! It is not the job of the security officer to own the systems, but it is their responsibility to ensure the systems are understood and proper security is maintained so the privacy of the data is properly secured and protected!
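One way to make the checklist above operational is to record it as data rather than in a spreadsheet nobody re-reads: every system with the attributes the checklist asks for, every interface with the data elements it moves and whether the transfer is automatic or manual. From the interfaces alone you can then derive which systems actually touch PHI (the "9 or 10" rather than the declared "2 or 3"), list each system's PHI inputs and outputs, and print the checklist items that are still blank. The script below is an added example written for this page, not code from the original post; the system names, data elements, flows, and the simplified rule that "any identifying element makes a flow PHI-bearing" are all constructed for illustration and stand in for the real HIPAA definitions and a real inventory.

```python
"""Added example (not part of the original post): a PHI data-flow inventory check.
Systems and flows below are constructed sample data; the identifying-element rule
is a deliberate simplification of what counts as PHI."""
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified set of identifying elements. A flow that moves any of
# them is treated as PHI-bearing here; a real assessment applies the full HIPAA
# definition of PHI, not this shortcut.
IDENTIFYING_ELEMENTS = {"name", "dob", "mrn", "ssn", "address", "phone"}
FULL_COPY = "*"  # marker: the flow copies whole records/files of unknown content


@dataclass
class System:
    name: str
    owner: str = ""                          # the system 'owner'
    hosting: str = ""                        # "local server", "cloud", ...
    backed_up: Optional[bool] = None         # None = nobody has checked yet
    encryption_at_rest: Optional[bool] = None
    access_reviewed: Optional[bool] = None   # has access management been reviewed?


@dataclass
class Flow:
    source: str
    dest: str
    elements: set                            # data elements moved on this interface
    automatic: bool = True                   # interface-driven vs. manual export


def flow_carries_phi(flow: Flow, phi_holders: set) -> bool:
    """Identifying elements make a flow PHI-bearing on their own. A whole-record
    copy is PHI-bearing only if its source already holds PHI, which is why
    phi_systems() iterates to a fixed point instead of making one pass."""
    if flow.elements & IDENTIFYING_ELEMENTS:
        return True
    return FULL_COPY in flow.elements and flow.source in phi_holders


def phi_systems(declared: set, flows: list) -> set:
    """Every endpoint of a PHI-bearing flow holds PHI, declared or not. Repeat
    until nothing new appears so chained interfaces and full-record exports
    (lab -> billing -> clearinghouse, file server -> backup media) are followed."""
    found = set(declared)
    while True:
        before = len(found)
        for f in flows:
            if flow_carries_phi(f, found):
                found.update((f.source, f.dest))
        if len(found) == before:
            return found


def phi_interfaces(name: str, flows: list, phi_holders: set):
    """The PHI inputs and outputs of one system, as (peer, automatic) pairs."""
    inputs = [(f.source, f.automatic) for f in flows
              if f.dest == name and flow_carries_phi(f, phi_holders)]
    outputs = [(f.dest, f.automatic) for f in flows
               if f.source == name and flow_carries_phi(f, phi_holders)]
    return inputs, outputs


def control_gaps(systems: dict, phi_holders: set) -> list:
    """Checklist items still unanswered for each system that holds PHI."""
    gaps = []
    for name in sorted(phi_holders):
        s = systems.get(name)
        if s is None:
            gaps.append((name, "not in system inventory"))
            continue
        if not s.owner:
            gaps.append((name, "no system owner"))
        if not s.hosting:
            gaps.append((name, "hosting location unknown"))
        if s.backed_up is None:
            gaps.append((name, "backup status unknown"))
        if s.encryption_at_rest is not True:
            gaps.append((name, "encryption at rest not confirmed"))
        if s.access_reviewed is not True:
            gaps.append((name, "access management not reviewed"))
    return gaps


# Constructed sample inventory: what the organization *thinks* it has.
DECLARED_PHI_SYSTEMS = {"EHR", "Lab", "FileServer"}
SYSTEMS = {s.name: s for s in [
    System("EHR", "CMIO", "local server", True, True, True),
    System("Lab", "Lab director", "local server", True, True, True),
    System("FileServer", "IT", "local server", True, False, None),
    System("Billing", "Revenue cycle", "cloud"),
    System("Transcription", "", "cloud"),
    System("Analytics", "", "cloud"),
]}  # Clearinghouse and BackupMedia are deliberately absent from the inventory
FLOWS = [
    Flow("Transcription", "EHR", {"name", "mrn", "document_text"}),      # auto-send of transcribed notes
    Flow("Lab", "Billing", {"mrn", "name", "procedure_code"}),           # lab charges to billing
    Flow("Billing", "Clearinghouse", {"name", "dob", "address", "claim"}),
    Flow("Billing", "Analytics", {"aggregate_counts"}),                  # de-identified totals only
    Flow("EHR", "FileServer", {FULL_COPY}, automatic=False),             # manual report export
    Flow("FileServer", "BackupMedia", {FULL_COPY}),                      # nightly copy to removable media
]


def undocumented_phi_systems() -> set:
    """Systems that touch PHI but were never declared as doing so."""
    return phi_systems(DECLARED_PHI_SYSTEMS, FLOWS) - DECLARED_PHI_SYSTEMS


if __name__ == "__main__":
    holders = phi_systems(DECLARED_PHI_SYSTEMS, FLOWS)
    print("declared:", sorted(DECLARED_PHI_SYSTEMS))
    print("actually holding PHI:", sorted(holders))
    for name in sorted(holders):
        ins, outs = phi_interfaces(name, FLOWS, holders)
        print(f"  {name}: inputs={ins} outputs={outs}")
    for name, issue in control_gaps(SYSTEMS, holders):
        print(f"GAP {name}: {issue}")
```

With the sample data, three systems are declared but seven hold PHI: the billing feed from the lab, the transcription auto-send, the claims going to the clearinghouse, and the removable backup media all surface from the flows rather than from anyone's memory, while the de-identified analytics feed is correctly left out. The gap report then shows exactly which checklist questions (owner, hosting, backup, encryption, access review) are still open for each of those systems, which is the list a security officer needs to take to the system owners.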
This is not an easy process – some large integrated systems could have hundreds of different systems that interact with ePHI in some aspect!
Remember that HIPAA doesn’t just apply to an electronic health record. Electronic protected health information is any protected health information (PHI) that is produced, saved, transferred or received in an electronic form. ePHI can be found on computer hard drives, in databases, in e-mail, in the EHR, and in many other locations – you need to evaluate and look at all of your systems to truly understand and manage ePHI!
Don’t get caught in an unwanted data breach due to not knowing or understanding how your data flows throughout your organization, what systems have protected health information, where the inputs are, what happens to the data in the system, and where the outputs from the system exist. Work upstream, understand your PHI data flow, and properly manage and reduce risks to PHI!