Health care entities must protect patient data throughout its lifecycle

When referring to the health care industry, it’s assumed that it includes hospitals, health care providers and other frontline services.

What may not be commonly known is that, in the eyes of the law, business associates of the covered entities — vendors, outsourced partners — are also part of the industry, and the retention regulations vary state by state.

That makes it important for health care entities to ensure that their business partners are doing all they can to guard protected health information (PHI) that is exchanged during the normal course of business. Otherwise, there can be significant penalties.

Smart Business spoke with Douglas C. Williams, CEO of Williams Data Management about PHI and guarding it through its lifecycle.

What does the lifecycle look like for the data being managed by these entities?

The lifecycle of PHI is quite long. For instance, pediatric files must be kept until the individual turns 21. Adult medical records must be held for at least 10 years, though subject to the discretion of the physician, it may be held longer.

If a records storage facility is holding boxes of records that contain sensitive or protected information for a hospital, both the federal laws and the internal governance rules of the hospital are at play.

So, essentially the lifecycle is whatever the hospital wants it to be. In this scenario, the records storage facility is the business associate and is subject to identical regulatory conditions as the covered entity, which makes the storage facility subject to the notification protocols in the event of a breach.

What legal consequences are at play when it comes to PHI?

In the event that a company loses PHI through theft, unauthorized disclosure, improper disposal or a hack, the company would need to notify anyone who was affected and disclose what information was lost.

Then the company would need to determine who stole the information and what information was lost, and ascertain how it might be recovered. If that information can’t be recovered, the company must notify those affected that their private information is potentially in the public domain.

In addition to the civil penalties, criminal penalties may be imposed ranging from a fine of $50,000 and a year in prison to fines of $250,000 and up to 10 years in prison. These criminal penalties may be imposed on specific individuals as well as the covered entity.

In addition, the Department of Health and Human Services has the authority to exclude from participation in Medicaid any covered entity that was not compliant with the transaction and code set standards.

What are the challenges related to keeping PHI secure?

Security threats can include hacks, thefts and improper disposal of sensitive information, but also multiple data sources/applications, information silos, inadequate policies and procedures, poor employee training, audits and access controls.

Protections against hacks include breach security and anti-hacking software, firewalls and multi-level passwords. On the physical side, key card readers, biometric scans and security clearance measures are used to limit access to sensitive information.

To protect against human oversight, make sure anyone handling sensitive information understands proper protection protocols. Change the passwords that guard protected information every 60 days and quickly block access of workers who are no longer employed at the company.

What should happen to PHI that reaches the end of its lifecycle?

Destroy all hard copies of the information using a certified shredding service. These providers pulverize documents into unrecognizable pieces. The same thing can be applied to hard drives, CDs and other electronic media storage devices.

Destroying digital information is a little more difficult because of the redundancy that’s often inherent in computer networks. That means it’s up to IT and compliance personnel to locate and permanently delete all sources of the data that’s due to be destroyed.

Should that information get shared outside of a company’s protected network there’s very little anyone can do.

Insights Compliance & Information Governance is brought to you by Williams Data Management.