Many organizations have access to, or store PHI (Personal Health Information). Not all of them are aware that they have legislated responsibilities to protect that personal information on behalf of their clients.
Personal Health Information can be defined as any health information related to an individual which can be used to identify that individual, or there is a reasonable basis to believe that the information could identify the individual. It could be health conditions, medications or even payments for health services.
Here are some of the best things you can do to protect PHI:
- Ensure your staff are trained to understand the implications of working with PHI, and their responsibilities to protect it
- Ensure your policies state that PHI must be protected, and that there could be discipline applied should they lose or otherwise distribute PHI without an appropriate purpose
- Ensure that only the minimum of PHI is collected for the purpose for which it will be used, and ensure that it is only used for the intended purpose
- Ensure that you have a solid Consents Process in place, including informing clients of their rights, and your policies and practices to protect their personal information
- Ensure that PHI is encrypted, especially when transmitting or receiving. This is also critical when storing PHI on removable media such as USB keys.
Of course, there are many other things you could do, such as making sure access is only given to those who require it, and putting contracts and agreements in place with any third parties who also have access to PHI. However, if you get the basics done, you will have a solid foundation on which to build.
If your organization accesses or stores PHI, and you are unsure if you are taking the appropriate measures to protect it, give us a call to do a high-level review of your policies, procedures and practices.