Defining PHI locations in your organization is the first step to completing a risk analysis.  It is also the only way to be sure you are protecting the information with proper safeguards.  PHI locations can seem obvious at first thought, but once you begin to consider all the different areas of your organization where you may be creating, receiving, maintaining, or transmitting PHI, you will be surprised at what comes up.

Audit Protocol Instructions for Risk Analysis
Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

PHI Locations – Where Do I Look?

Where should you search for your PHI? Is it all accounted for in your organization? Is it all documented?

  • Start at the front desk, walk through the whole office with the intent of getting PHI that you shouldn’t be able to access.
  • Where are people talking about, collecting, or using PHI?
  • Where do you store PHI (both paper and electronic)?
  • Where is it moving around your organization?
  • What other organizations are you connected to and exchanging information with?

Have you considered these PHI locations?

  • fax
  • copier
  • printers
  • closets
  • providers – ask them
  • Interfaces between systems?
    • how does the data get between you and your lab or collections firm?
    • are you sending only minimum necessary?
  • Using a cloud vendor?
    • do you download reports or spreadsheets?
  • Phones and tablets
    • what do the apps really download to the devices – have you asked the vendors?
    • what info do the clinicians keep on their devices? voice memos? contact info with details?
  • How does electronic PHI get removed from all these systems?
  • Paper
    • where are people using it and storing it?
    • where do they get rid of it?