HIPAA, the Health Insurance Portability and Accountability Act, directly affects all organizations that maintain and transmit protected health information. These include:
- health care providers
- hospitals
- physician practices
- dental practices
- health plans
- laboratories
- health care clearinghouses
- pharmacies, etc.
In addition, business associates who work with these organizations and have access to protected health information, or PHI, now also fall under the HIPAA Privacy Rule.
So what exactly is protected health information, or PHI?
According to the U.S. Department of Health and Human Services:
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”
Individually identifiable health information is defined as anything that identifies an individual or for which there is a reasonable basis to believe it can be used to identify an individual. This can include:
- Name
- Address
- Birthdate
- Social security number
- Past, present or future physical or mental health condition
- Provision of health care to the individual
- Past, present or future payment for the provision of health care to the individual
Organizations that are affected by the HIPAA Privacy Rule need to be vigilant about maintaining the security of PHI, including the policies and procedures for handling PHI by their business associates. To minimize risk of HIPAA violations and their associated fines, covered entities (organizations that are subject to HIPAA regulations) should have policies in place to protect PHI that is stored on electronic devices – including devices that have been taken out of service.
Do you have a data destruction plan in place for your unwanted, unused data-containing devices?
Data-containing devices like:
- Computer processing units
- Servers
- Laptops
- Hard drives
- Tablets
- Smart phones
may all contain stored PHI and put an organization at risk of a breach and fines if not handled properly.
If you would like to set up a comprehensive plan to manage your end-of-life data-containing devices and keep your organization compliant – contact us. We would be happy to give you a free consultation to see how we might be able to serve your compliance and data destruction needs.