From the day employees are hired to the end of the project, their health and safety is a priority. Although you do everything in your power to avoid injuries occurring, when one does occur, having medics with the right equipment nearby can keep your employees healthy and reduce recordables. Even so, there are times you may need to take your employee offsite to treat the injury and their patient information is no longer in your control.
Following HIPAA standards offsite can involve digital files, photos, and emails between providers. Here at Remote Medical International, we ensure all digital information about our patients follows HIPAA standards and we care about your patients’ right to privacy, and your ability to access necessary information, too. Here’s what we’ve found to be the best way to handle patient information legally with digital devices.
What is Protected Health Information (PHI)?
HIPAA protects the privacy and security of Protected Health Information (PHI). Anything from written documents, spoken word, data shared on the computer, telephone conversations, and information transferred on data networks is PHI. If the patient’s injury will affect their work, HSE personnel are allowed to access their patient information. However, if it is not work related, the patient’s health information is protected and cannot be shared with anyone other than their medical providers.
If you are working with patient records, you should designate a privacy and security officer that maintains all PHI to abide by HIPAA privacy regulations. Having a single point of contact means that there is a centralized source to respond to questions if an issue occurs.
How should you handle online security?
Access to the server where PHI electronic records are stored is only granted to persons who need medical information. This includes medical personnel providing treatment.
You can promote the security of PHI by training all employees that have access to any records on how to keep passwords secure, change passwords every 120 days, and how to select strong passwords. Security officers should also check the security of passwords to make sure they are secure.
All users must also be authenticated before they are allowed access to PHI and each user must have his or her own personal password and username. It is not good practice to allow   the sharing of passwords under any circumstances.
Along with password security, reviewing IT records and incident tracking reports can help make sure the PHI is secure, and the online security process is effective.
How should you handle mobile devices?
All mobile devices must have the same security as the desktop servers. However, on mobile devices, you must require two forms of ID, including an individual’s thumbprint, to access PHI.
The most important tool to protect PHI on mobile devices is education. Training all personnel on the best ways to secure their mobile devices will help keep PHI safe.
How should you handle emails regarding PHI?
When it comes to emails, it is important to never copy multiple people to a distribution list if the email contains PHI. The best policy is to only send records containing PHI to actual need-to-know persons in accordance with the permitted disclosures under HIPAA.
When sending images of injuries or wounds to a medical provider for diagnosis, which is often used in telemedicine, there should be no imagery that identifies the person injured or their PHI. Telemedicine often requires medics to share information digitally because it is sometimes difficult to diagnose an injury with just a written description.
Should you fax information?
If the original record or mail-delivered copies cannot reach a recipient, you can send information by fax. The best practice is to notify the recipient in advance that the fax will be transmitted and request that the recipient wait by the fax machine for receipt of the documents. You can also fax information if the patient urgently needs their information or third party payor needs the PHI for a patient that is hospitalized.
While you can send PHI by fax in these situations, you should require fax machines to be in secure areas and have a security officer limit the access to the fax machines that are used for transferring PHI.
Do not send documents through fax that contain PHI, which includes mental health and developmental disability information, alcohol and drug abuse information, and sexually transmissible disease information without written authorization from the patient.
What should you do with reusable media?
Reusable media includes thumb drives, or hard drives and you should make sure to erase or destroy each reusable media before it is discarded to ensure all PHI is protected.
All hardware and software must be current and documented so it can be rebuilt in case of emergency.
In all these cases, your team should also be aware of not sharing PHI while traveling abroad. Although international areas may have different policies, we recommend treating each incident the same under HIPAA guidelines, no matter where you’re operating.
Since digital information is accessible anywhere and anytime, it’s difficult to know what is protected by HIPAA. Remote Medical International hopes these tips will help keep your employees safe and protect their private information, while also giving you clarity on what information you can and cannot legally access.
To learn more about how Remote Medical International can fulfill your health and safety needs, please call us at +1 (206) 686-4878 or send a note to government@remotemedical.com.