Devices Containing ePHI are Covered by HIPAA

A hospital in South Carolina experienced a breach involving a device that is generally not thought of when conducting a Risk Analysis of ePHI and where it is stored. Roper St. Francis Mount Pleasant Hospital was following guidelines from the National Center for Missing and Exploited Children by photographing newborn babies. These photos can then be used for identification purposes, if necessary. The photos were known to also contain physicians’ names, the baby’s birthdate, and the baby’s name. The hospital had established a security protocol for the camera, storing it in a place that was not accessible to the general public. Due to limitations of the device, it was not possible to encrypt the files on the storage media.

According to a statement released by the hospital, the camera was discovered to be missing. The camera was thought to contain information and photos for approximately 500 babies. Whether it was stolen or misplaced was not determined, but as far as HIPAA law is concerned, it is still considered a breach. The hospital has not received any reports that any of the data on the device has been accessed or used inappropriately. However, HIPAA law requires that the OCR and each potentially impacted family be notified of the breach, which the hospital dutifully did. The hospital reviewed and strengthened its policies and procedures to prevent a similar incident from happening in the future. It was also reported that staff members were provided with additional training on the importance of protecting ePHI regardless of the device it is stored on.

This is a good example of why it is important to be thorough when conducting your Risk Analysis. Devices that are only used occasionally but contain ePHI are easily overlooked. When in doubt, check with security professionals (like Compunet). As a part of our All in One HIPAA Solution, we offer our clients a free risk analysis for their environment. Check out our 20 question quiz to see if your practice is compliant!

September 26, 2017 HIPAA Blogs