Healthcare professionals work with an astounding amount of Protected Health Information (PHI) every day. In this age of technology and interconnectivity, much of that information is electronic Protected Health Information (ePHI), held in digital form. The technology has vastly shortened the time it takes to send, receive and access information. The caveat is potentially increased visibility and a greater risk of exposure or retention.
Technology has facilitated and quickened communication. Email is the backbone of most companies’ communication stream, inside the medical community or not. And unfortunately, email and ePHI can be a volatile combination without proper technical safeguards and personnel training.
The Final Rule provides only two safe harbors for ePHI: encryption and deletion. The Final Rule also removed the notion of affirmative defense, meaning that ‘could not have known, did not know’ is no longer a viable defense or explanation for any potential incident involving Protected Health Information.
Given these two take-aways from the Final Rule’s clarification to HIPAA, it is critical that healthcare professionals have tools for encrypting data as well as the knowledge of how to correctly employ those tools and safeguards. Understanding how to properly handle ePHI is paramount to protecting the data, and it is also a requirement of the law.
Take the following example: a healthcare worker receives an email containing a long, threaded conversation chain with a question about a care procedure, and then forwards that email for answers. If the person forwarding did not scroll through the message and notice ePHI buried further down in the thread, they may have violated HIPAA by forwarding it without encryption. Certainly, the original sender would be the responsible party who initiated the incident, but every person thereafter would have perpetuated the potential for a breach and exposure.
Because ePHI is so highly prized on the black markets, it is our call to action to be as diligent and careful as humanly possible with the information entrusted to our care. ePHI is often a more complete and up-to-date target for hackers and identity thieves than banking or financial sites. A credit card number can be cancelled and re-issued; a person’s life history and medical information cannot.
In our age of technology and hyper-connected systems, we have a multitude of tools to help keep patient data protected. The most powerful of those is the human mind, as no technology or Artificial Intelligence can replace the discernment of a well-trained professional.