They were surprised, and you likely will be, too.
Of the hundreds of healthcare organizations I’ve helped document their HIPAA compliance and meet its requirements, most are unaware that their Patient Health Information (PHI) is exposed in some way. If a cyber attacker took advantage of this situation, it could harm your patients, bring large HIPAA fines, and cost you your reputation.
How can you protect YOUR PHI if you don’t know where it lives?
Patient data can be stored in unlikely or unnoticed places. Here are a few hiding places I’ve helped organizations identify:
- Shortcuts – The management at your office has been diligent about HIPAA compliance efforts. Your entire team knows the process for keeping patient data safe. But the managers don’t know about the folder on the desktop of their intake manager’s laptop. She’s been using it as a shortcut for getting patients into the system more quickly. A HIPAA audit today would find more than 300 patients’ PHI on this one laptop. Imagine the shortcuts taken by other employees in the organization – the amount of exposed data could be staggering.
- Email – I know what you’re thinking. You know the email you send and receive is secure because that was a priority when your team was looking for the best email option. And I salute you for being so diligent! However, there is a piece that is often overlooked. At any given time, the Sent folder on your email users’ phones and PCs can be riddled with patient data that is not protected.
- Scans – Some photocopiers automatically save copies of scanned documents on their internal hard drives. If a copier is returned to the leasing company without that data being properly wiped, that’s a HIPAA violation.
The OCR Knows
These opportunities for exposed PHI are