HIPAA violation through the back door.
Sigmund Software maintains multiple state of the art HIPAA compliant data centers to secure and protect the data of their clients and the patients in their care. But often, HIPAA violations occur by the most mundane of methods. Literally, through the back door.
Once entered into a secure EHR, data becomes immediately available to authenticated users of that system for retrieval and analysis. Patients may access it via electronic portals, other healthcare providers may access it across interoperable systems, treatment plans are shared with teams, and in the case of Sigmund Software, our proprietary Target Behavior Tracking system monitors changes in patient symptoms over time by correlating all relevant patient data to assess the effectiveness of treatment. These are just some of the major strengths of modern electronic systems, contributing incalculably toward both productivity, accuracy, and patient outcomes. Though in newer systems (such as Sigmund’s own Aura) data is entered electronically, in many older or hybrid systems patient data routinely starts life in physical form, as written notes, printed forms, charts, or X-rays, to mention just a few of the more common document formats. After all this data has been input to the system, those documents then need to be either stored or destroyed.
Whether the raw data is entered electronically or via paper documents, there are other considerations. Printed reports. All that data can be organized and collated to produce treatment plans, patient histories, medication lists and much, much more. The automation of document production is another major benefit of an electronic system, saving untold hours of labour. However, the print outs and reports produced are yet more documents which need to be managed. Even the most modern all-electronic health record system produces a lot of paperwork. PHI paperwork.
Paper documents are routinely handled according to the risk analysis procedures of the issuing organization. Archiving requires resources which in turn incur considerable costs to maintain, in the form of security guards, access control, cameras, and ever increasing amounts of valuable (and expensive) floor space. Many organizations elect instead to destroy materials that they are not legally required to maintain, thereby minimizing if not eliminating entirely the cost of document archival. This is both logical and efficient. However, the method of this destruction can prove problematic and open the door to inadvertent HIPAA violations.
Though some organizations manage their document destruction internally, it is more common to procure the services of dedicated paper shredding or document destruction companies. These take on the responsibility of removing documents and disposing of them by incineration or other method, collecting at regular intervals just like trash collectors. An arrangement of this kind would fall under the heading of Business Associate for HIPAA purposes, and be managed accordingly. But mistakes and accidents can and do happen. As the ultimate owner of the PHI data in that documentation, failures at any point of the destruction process fall at the feet of the issuing organization. If something happens, your organization pays.
Lawsuits abound surrounding accidental oversights and failure to enforce adequate procedures, to ensure patient health information is sufficiently protected. Boxes of documents have gone astray, been dumped on roadsides, fallen off trucks, and even in one case were delivered to the wrong address. Each single document could pertain to a single patient. Each single document represents a potential physical breach that left through your back door. Each physical document could be a law suit.
In this time of high profile electronic breaches, the hacking of electoral parties, state level cyberwarfare and compromised email servers, it is easy to overlook the more mundane form that data breaches often take. Paper trails are not inherently more secure than electronic ones. In many ways, less so, since their complete obliteration is assumed until they resurface as media headlines. As part of ongoing due diligence, it is incumbent upon healthcare providers to remain vigilant and work closely with their chosen Business Associate to maintain and audit compliance with approved document disposal procedures. Beyond an ethical obligation to the organization and the patients in its care, regular monitoring is good practice. Make sure your paper-based patient PHI does not come back to haunt you. Make sure that back door is firmly closed.