A. Not allowing the use of USB drives in company workstations is becoming more and more common. What is also increasingly common is limiting the use of USB drives and requiring encryption for all USB drives. There is significant risk associated with USB drives, as with all other portable media, if they are not properly managed. The loss of an unencrypted USB drive storing PHI can get very expensive, very quickly.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLP, in Portland, Ore., answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org.
HHS has teamed up with the Health Information Trust Alliance (HITRUST) in Frisco, Texas, to offer monthly security threat briefings for the healthcare industry. The free, online briefings provide information about “recent, ongoing and prospective cyber threats and events, as well as any lessons learned,” according to the HITRUST website.
The information provided in the briefings is intended to be appropriate for organizations of all sizes. The first 60- to 75-minute briefing should be available this month.
In a recent HIPAA Q&A, our HIPAA expert mentioned that it was appropriate to send emails containing PHI as long as your organization’s server is secured. In instances where a server is not secured, patients should be de-identified. For example, you could refer to someone as “the patient in room 301-A” because a room number is not considered an identifier under HIPAA. In response, one of our readers submitted a follow-up question about identifiers.
Q: My organization views a patient’s room number as an identifier because we think this is information that someone could use to identify the patient. Please explain why this is not considered an identifier?
A: A patient’s room number is not considered “identifiable” under the HIPAA Privacy Rule. PHI is considered identifiable if it contains any one of 18 identifiers of individuals and their family members, employers, or household members, including:
- Geographic subdivisions smaller than a state
- All elements of dates (except for year) for birth, admission, discharge, and death
- All ages over 89, including year
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers
- IP addresses
- Biometric identifiers, including fingerprints and voiceprints
- Full-face photographs
While a room number may help a facility’s staff to identify a particular patient, it’s not likely that anyone outside the organization could identify a specific patient based on the room number. Most healthcare organizations regularly move patients from room to room, so I don’t have any concerns about room numbers being patient-identifiable information. The organization may choose to treat the room number as an identifier, but it is not required by HIPAA.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information at Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA newsletter. Submit your HIPAA questions to Editor Jaclyn Fitzgerald at email@example.com and we will work with our experts to provide you with the information you need.
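As an added illustration of the point made in this Q&A (example code written for this page, not code from HCPro or from the experts quoted above), the following Python check scans an outbound message for a few of the Safe Harbor identifier categories listed above, such as Social Security numbers, phone or fax numbers, email addresses, dates with a month and day, medical record numbers and IP addresses, and deliberately does not treat a room reference such as "room 301-A" as an identifier. The regular expressions, the "MRN" record-number format and the two sample messages are all constructed assumptions for the example; a production data-loss-prevention control would need far broader coverage (names, free-text dates, local numbering schemes) than this sketch.

```python
"""
Added example: a minimal outbound-message check for some HIPAA Safe Harbor
identifier categories. Patterns and sample messages are constructed for
illustration and are not an authoritative implementation of all 18 items.
"""
import re
from typing import Dict, List

# Constructed regexes for a handful of identifier categories (assumptions,
# not an exhaustive list).
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    # Social Security numbers, e.g. 123-45-6789
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # US-style telephone or fax numbers, e.g. (503) 555-0100 or 503-555-0100
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    # Email addresses
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Dates carrying a month and day (birth, admission, discharge, death),
    # e.g. 03/19/2014 or 2014-03-19
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Medical record numbers written as "MRN" plus digits (assumed local format)
    "medical_record_number": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
    # IPv4 addresses
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# No pattern for room numbers: per the answer above, "room 301-A" is not one
# of the Safe Harbor identifiers, so the check leaves such references alone.

# Constructed sample messages.
SAFE_MESSAGE = (
    "Please check on the patient in room 301-A before rounds; "
    "the lab called about the order from this morning."
)
PHI_MESSAGE = (
    "Patient John Doe (MRN 0048213, DOB 03/19/1960) in room 204 can be "
    "reached at (503) 555-0100 or jdoe@example.com."
)


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return {category: [matches]} for every identifier category found in text."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def is_safe_to_send_unencrypted(text: str) -> bool:
    """True only when none of the identifier patterns matched the message."""
    return not find_identifiers(text)


if __name__ == "__main__":
    for label, msg in (("safe", SAFE_MESSAGE), ("phi", PHI_MESSAGE)):
        print(label, "->", "ok" if is_safe_to_send_unencrypted(msg) else find_identifiers(msg))
```

The room reference in the first message produces no hits, while the second message is flagged on four categories at once; a real control would route the second message to encryption or block it rather than let it leave over an unsecured server.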
The number of patients affected by a February break-in at Sutherland Healthcare Solutions in Torrance, Calif., has nearly doubled as the investigation progresses, the Los Angeles Times reported. Sutherland handles billing and collections for the county’s Department of Health Services and Department of Public Health.
On March 19, HIPAA Update reported that the PHI of 168,500 Los Angeles County medical facility patients was compromised when a thief stole eight computers from Sutherland. That total has since risen to 338,700.
Three class action lawsuits have been filed against Los Angeles County as a result of the breach. The county is reviewing Sutherland’s security practices, the Los Angeles Times reported.
Stanford Hospital & Clinics in California and two of its vendors could pay more than $4.1 million to settle a class action lawsuit that stems from HIPAA violations, San Jose Mercury News reported.
A Los Angeles County Superior Court judge tentatively approved the settlement March 19, 2014. Shana Springer filed suit against the hospital and its vendors, Multi-Specialty Collection Services LLC and Corcino & Associates LLC, in September 2011.
In an October 2011 post, HIPAA Update reported that the hospital released a notice stating that its vendor posted an electronic file that included certain patient information on a student homework website. The file included PHI of more than 20,000 patients treated at the hospital’s emergency room from March 1, 2009, through August 31, 2009.