WikiLeaks Episode Underscores Risk of Portable Media in Surgery Centers

The lack of encryption on portable media, and the ease with which anyone can copy files from it without leaving any evidence behind, have recently been brought to light in the wake of the WikiLeaks data dumps that have generated more than their share of bad press for the United States and other world governments. Huge numbers of classified documents were allegedly (and easily) copied by a low-level Army clerk. This has caused several federal agencies, including most recently the Air Force, to ban the use of removable media devices.

These devices, which include CD- or DVD-ROMs, USB flash drives and portable external USB drives, are very useful and convenient. They can be used to temporarily store data or move it from one computer to another, to take a document or a presentation from one facility to another, or to provide important files to an outside party such as your CPA, a management consultant or even the physician ownership board. This makes sharing data easy.

However, pretty much every one of those uses represents a potential HIPAA Security Rule violation.


To the extent that the media may contain electronic protected health information (EPHI), it is subject to HIPAA Security Rule requirements. EPHI includes the obvious things such as the surgery scheduling or EHR or imaging database(s) themselves, plus any reports or forms produced or used by those systems, but also includes any documents or reports that contain any patient information, which may include billing statements, aging reports, post-surgery instructions (if they contain the patient name or other info), intake forms, physician referral letters, dictation files, case documentation, etc. The list of possibilities is almost endless.


There are several major problems with using these temporary media devices in an ASC. Here are just three major ones:


1. Typically these devices are not encrypted, and access to them is not easily controllable. This means that anyone who finds removable media lying around can pick it up, plug it into virtually any computer or laptop and read the contents. They can quickly make a copy to analyze later at their convenience, then return the device or disk to wherever it was found, leaving no evidence that the files were accessed or that a copy was made. Section 164.312(a)(1) of the HIPAA Security Rule requires that access to EPHI be controlled by individual employee and by job function, and that each user's access to EPHI be traceable. Section 164.312(b) requires procedures for monitoring and auditing users' access to EPHI.


2. The whereabouts of these devices can rarely be controlled. Section 164.310(d) of the HIPAA Security Rule requires the ASC to keep track of the location and "ownership" of all devices carrying EPHI. The portability of removable media makes this almost impossible. In addition, virtually anyone in the ASC can purchase these devices for just a few dollars and bring them into the ASC and walk out with their own copy of virtually any (or all) of the ASC's data, literally in a pocket or purse. Most people don't even need to purchase these devices — they already own several. Therefore, this convenience translates directly into risk.


3. Unless the ASC has, and strictly enforces, a media re-use/destruction policy (Section 164.310(d)) requiring that any media or device be carefully "wiped" of EPHI before it is re-used or disposed of, re-use or disposal is an almost certain breach of the Rule. Merely deleting a file from a USB drive, or overwriting a read/write CD- or DVD-ROM, does not remove the EPHI; it can be easily recovered. Portable optical disks must be shredded, and writeable media must be overwritten or erased using special software that is rarely available to, or used in, an ASC.
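To make the third point concrete, here is an added example (not from the article or its author) in Python that models a tiny removable drive as a block of bytes plus a directory table. An ordinary "delete" only drops the directory entry and marks the blocks free; a raw scan of the medium (the same idea a recovery tool uses) still finds the patient record. A wipe overwrites the blocks before the entry is dropped, and the scan then finds nothing. The disk layout, file names and the patient record are all constructed for the demonstration; real filesystems differ in detail, but this allocation-table behaviour is why the warning above holds.

```python
"""Toy disk model: why 'delete' does not remove EPHI from removable media.

Constructed example, not the article's own material. A ToyDisk is a bytearray
(the medium) plus a directory mapping file names to block lists. Compare
delete_file() (entry dropped, data untouched) with wipe_file() (data
overwritten first). carve() scans the raw bytes, ignoring the directory.
"""

BLOCK_SIZE = 16   # bytes per block (toy value)
NUM_BLOCKS = 8    # a 128-byte "drive"


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * NUM_BLOCKS)   # the physical medium
        self.directory = {}                            # name -> list of blocks
        self.free = list(range(NUM_BLOCKS))            # unallocated blocks

    def write_file(self, name, data):
        nblocks = -(-len(data) // BLOCK_SIZE)          # ceiling division
        if nblocks > len(self.free):
            raise OSError("disk full")
        blocks, self.free = self.free[:nblocks], self.free[nblocks:]
        padded = data.ljust(nblocks * BLOCK_SIZE, b"\0")
        for i, b in enumerate(blocks):
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = \
                padded[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        self.directory[name] = blocks

    def read_file(self, name):
        chunks = [bytes(self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                  for b in self.directory[name]]
        return b"".join(chunks).rstrip(b"\0")

    def delete_file(self, name):
        """Ordinary delete: forget the entry, mark blocks free, touch no data."""
        blocks = self.directory.pop(name)
        self.free = sorted(self.free + blocks)

    def wipe_file(self, name, fill=b"\0"):
        """Secure erase: overwrite every block of the file, then delete it."""
        for b in self.directory[name]:
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = fill * BLOCK_SIZE
        self.delete_file(name)

    def carve(self, pattern):
        """Raw scan of the medium, ignoring the directory: offsets of pattern."""
        raw, offsets, start = bytes(self.raw), [], 0
        while True:
            i = raw.find(pattern, start)
            if i == -1:
                return offsets
            offsets.append(i)
            start = i + 1


def demo():
    # Constructed sample record; not real patient data.
    record = b"Patient: Jane Doe, MRN 00012345, procedure: knee arthroscopy"
    marker = b"MRN 00012345"

    deleted = ToyDisk()
    deleted.write_file("case.txt", record)
    deleted.delete_file("case.txt")          # the "just delete it" approach

    wiped = ToyDisk()
    wiped.write_file("case.txt", record)
    wiped.wipe_file("case.txt")              # overwrite, then delete

    return {
        "listed_after_delete": "case.txt" in deleted.directory,   # False
        "carved_after_delete": deleted.carve(marker),             # [19]: still there
        "carved_after_wipe": wiped.carve(marker),                 # []: gone
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deleted file no longer appears in the directory, yet the raw scan locates the MRN at byte offset 19, exactly where it was written. Only the wiped disk comes back clean, which is the check an ASC should be able to perform (with a real recovery tool against the actual device) before any drive or disk is re-used or leaves the building.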

Portable media was really intended for occasional use. Unfortunately in many healthcare IT settings, including ASCs, removable media has become part of ongoing core IT operations. Portable media are frequently used as part of the routine data backup strategy, which leads to the risks and issues described above.


ASCs should review their policies concerning — and their actual use of — any and all portable media, and ensure they are in compliance with the HIPAA Security Rule. As we have said many times before, HIPAA Security Rule compliance represents good business practices. Just ask the U.S. Government.


Marion K. Jenkins, PhD, FHIMSS, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.
