Those two words should bring a cold sweat to most medical practices... unless you are set up correctly.
St. Francis Hospital in Wilmington, Del. is sweating today as they had to notify almost 500 patients that a thumbdrive was lost.
This thumbdrive was actually lost in the spring, but nobody realized it – careless.
This thumbdrive had PHI on it.
This thumbdrive was not password protected – though this would matter.
This thumbdrive was not encrypted – this is the real issue.
Without a policy in place for staff members to follow you have nothing.
Without a policy for staff members to follow, you will have a difficult time disciplining them.
Without a policy in place for encrypting portable devices you are playing with fire and asking for trouble.
But what should I do??
- Have a policy in place for encrypting portable storage devices
- Train your staff so they understand what data needs to be encrypted
- Have a tracking mechanism to ensure that when someone puts PHI on a portable device, you know where it is.
It is complete and utter carelessness toward your patients, your business and your staff not to have a policy, one that is enforced and trained on, so that your staff fully understand what they are required to do when it comes to PHI on a portable storage device.