Where is your patient’s personal health information? Sometimes, the hardest part about HIPAA compliance is understanding where the electronic patient health information (ePHI) actually is. The database where you house ePHI is encrypted and sits behind a state of the art firewall. It looks very solid and comforting, but where else is the ePHI?
That question was the nub of the problem for the University of Massachusetts Amherst, which just agreed to pay the US Department of Health and Human Services (HHS) $650,000 because the ePHI of 1,670 individuals was discovered sitting on a workstation that had been infected by a Trojan Horse virus named “Generic” which permitted remote access to the data by hackers. The workstation was not protected by a firewall. I read that part of the HHS press release and thought, "No firewall? At a health clinic? In the 21st century?"
UMass Amherst has a university health clinic, but the medical facility is only a fraction of information technology infrastructure at this major research university. Outside the health clinic sat the Center for Language, Speech and Hearing, which offers clinical services for persons with communication disorders. That is where the exposed files were.
After UMass disclosed the potential breach, HHS investigated and discovered that UMass “failed to designate all of the health care components [on campus].” It had failed to include the Center in the university's HIPAA Security and Privacy Program. UMass left out a lot more than the Center. It did not include the student health clinic, the center for psychological counselling or other offices and systems at the university which might have held, accessed or transmitted ePHI, such as the IT department, the facilities department and the Office of the General Counsel.
That all makes the HHS fine understandable, but how did these patient files get on a computer that was not protected by a firewall at a professionally run health clinic?
I don't know the specific answer for UMass Amherst, but the settlement does illustrate an aspect of information technology that is worth keeping in mind. Data files are easy to copy and are frequently copied without leaving any evidence in the original file. ePHI can quietly proliferate outside the principal database.
When I access an attachment to an email from my phone or my personal computer, a copy of the file is downloaded to my hard drive. I look at the file, do a bit of work on it, close it and go on to the next thing, but the file is still sitting in my "downloads" folder (more current email systems permit a "view" option for attachments, which still means a second copy sits on the email server). If the attachment contains ePHI, then the security of the information is no better than the security of my phone, PC or ISP's email server, notwithstanding that awesome firewall that we have here at work. If I drop a few work files out to a thumb drive or to my cloud account or I email something interesting to my personal email address, more copies are made and potentially exposed.
Data mapping – or finding out where protected health information resides in your network – is the first task for implementing the HIPAA rules according the guidance issued by the National Institute of Standards and Technology. After that, all of your ePHI can be segregated to access controlled and security protected locations in the network.