Where’s Your Patient Data Hiding?

By Robbie Morris on Feb 6, 2018 8:27:26 AM

They were surprised, and you likely will be, too.

Of the hundreds of healthcare organizations I’ve helped document HIPAA and meet compliance requirements, most are unaware that their Patient Health Information (PHI) is exposed in some way. If a cyber attacker took advantage of this situation, it could harm your patients, bring large HIPAA fines, and damage your reputation.

How can you protect YOUR PHI if you don’t know where it lives?

Patient data can be stored in unlikely or unnoticed places. Here are a few hiding places I’ve helped organizations identify:

  • Shortcuts – The management at your office has been diligent about HIPAA compliance efforts. Your entire team knows the process for keeping patient data safe. But the managers don’t know about the folder on the desktop of their intake manager’s laptop. She’s been using it as a shortcut for getting patients into the system more quickly. A HIPAA audit today would find more than 300 patients’ PHI on this one laptop. Imagine the shortcuts taken by other employees in the organization; the amount of exposed data could be staggering.
  • Email – I know what you’re thinking. You know the email you send and receive is secure because that was a priority when your team was looking for the best email option. And I salute you for being so diligent! However, there is a piece that is often overlooked. At any given time, the Sent folder on your email users’ phones and PCs can be riddled with patient data that is not protected.
  • Scans – Some photocopiers automatically save copies of scanned documents on their hard drives. If a copier is returned to the leasing company without that data being properly removed, that’s a HIPAA violation.

The OCR Knows

These opportunities for exposed PHI are not surprises for the Department of Health & Human Services’ Office for Civil Rights (OCR). That’s why they require a true Healthcare Security Risk Analysis, which includes a thorough risk assessment of patient data, review of policies and procedures, employee interviews for a HIPAA-HITECH audit, an analysis of operational threats, and more. And, remember, any business associate who comes in contact with your patient data is also accountable for protecting it. You have a responsibility to make sure those associates are also diligently protecting your PHI.

Robbie Morris is TekLinks' VP of Healthcare and Security Solution Services. Contact him at

Topics: Healthcare, Security
