Home Care Law Blog Gilliland & Markette LLP


3905 Vincennes Road
Suite 204
Indianapolis, IN 46268
Phone: (317) 704-2400
Fax: (317) 704-2410

Portable storage and HIPAA

Posted by: Robert Markette
May 24, 2006

I was reading one of the many publications I receive each month from the ABA, and came across an article on electronic discovery – in other words, obtaining and using evidence that is stored on computers and other electronic media.  The article itself did not have any relation to healthcare, but it did make me think about a few other issues that relate to computer security.  As you all know, that relates to the HIPAA Security Rule.

The article mentioned a number of places lawyers should look when engaging in electronic discovery, including PDAs, USB (or flash) drives and digital cameras.  In discussing flash drives, the author noted that with a USB drive, an individual can remove a large amount of information “quickly, quietly, and discreetly.”  The same idea applies to PDAs because, in many cases, they can be used as USB drives.

The first question this might raise for you as a provider is, did you consider flash drives, PDAs, or other similar forms of storage when you performed the risk analysis required by the HIPAA Security Rule?  

If you did not consider flash drives and other similar forms of storage overtly, were they discussed when you considered employee activity that could lead to disclosures of electronic protected health information (“EPHI”)?  You may not have considered them at the time for any number of reasons, including the fact that USB drives were far more expensive two years ago.  (I know when I wrote the HIPAA Security Rule Compliance Resource Manual, they were not as widely used and, therefore, may not have been considered in your risk analysis.)  That is no longer the case.

It may be that your network is set up in such a way that an employee couldn’t steal EPHI in this fashion.  (For example, your clinical record software does not allow files to be stored locally.)  However, even if EPHI is not a concern, what about other proprietary or trade secret information?  For example, it is much easier to walk out with a large volume of documents, such as marketing information, personnel policies, training manuals, etc., if they are in an electronic format and stored on a USB drive.  It is also harder to prove such items have been stolen.  (I am told that forensic computer professionals can find evidence of such file transfers, but that can get expensive.)

I have even heard of cases involving employees installing hard drives and other peripherals onto office computers.  Obviously, installing an entire hard drive makes the theft of even larger amounts of information possible.  It also makes it harder to demonstrate what was stolen, if you can prove that at all.  Most organizations have policies and procedures on installing software, but may not have considered that an employee would install hardware of that magnitude.  There are ways to secure the computer chassis to prevent the installation of an internal hard drive, but most companies sell very large capacity external hard drives that are relatively small and simply plug into a USB port.

These are examples of how, as technology changes (and as certain technologies become cheaper), you will need to be aware of how these changes affect your computer security policies and procedures, and be ready to adapt them accordingly.

        



The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation.

Copyright © 2008 by Home Care Law Blog Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.