Transporting Protected Health Information

From University of Nebraska Medical Center
Jump to navigation Jump to search
Human Resources   Safety/Security   Research Compliance   Compliance   Privacy/Information Security   Business Operations   Intellectual Property


Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Confidential Information | Protected Health Information (PHI) | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information

Policy No.: 6073
Effective Date: 01/30/12
Revised Date:
Reviewed Date:

Transporting Protected Health Information Policy

Policy:

All Protected Health Information (PHI) in paper and electronic form must be transported and stored in a secure manner to safeguard it against improper disclosure and/or loss. Confidential information will be stored or transported outside secure network servers only as necessary. Whenever possible, workforce members should remotely access PHI via virtual private network (VPN) instead of physically transporting PHI. Only the minimum amount of PHI necessary to accomplish the purpose of the use/disclosure should be transported.

Definitions:

Transport means to physically move PHI (whether on paper, or on mobile digital devices and electronic storage device such as a laptop computer, smartphone, USB/thumb drive or a disk) from one location to another, by any means including by foot, motor vehicle including courier, airplane or other means of transportation. For example: moving a medical record from one clinic to another, from one department to another, from an external research source back to the facility, or from the office to home.

Protected health information means information that relates to past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for health care to an individual, which identifies the individual or as to which there is a reasonable basis to believe could be used to identify the individual.

Procedures:

  1. PHI that is being transported within a facility, such as from one department to another, will be attended or supervised at all times, or otherwise secured to avoid unauthorized access, loss and/or tampering.
  2. Additional measures must be taken to secure PHI that is being transported outside of a facility to assure confidentiality and integrity in the event of an accident, theft, or other unforeseen event. PHI that is transported by motor vehicle:
    1. should be transported in a secure container such as a locked box or briefcase whenever possible; and
    2. should be transported without stops that involve leaving the vehicle unattended if possible. If stops must be made do not leave the PHI in the vehicle. Remove it and secure it so that others who do not have a need to know it cannot access it.
  3. Additional measures must be taken to secure PHI that is taken home or to another location or accessed remotely via VPN:
    1. Remote access into the organization's computer network via VPN is preferable to taking PHI home. To obtain remote access, complete the form.
    2. If PHI is being accessed from or taken home to work during off-hours, employees' manager/director should be notified and approve such work at home off-hours.
    3. PHI in the home must be secured from access or view by family members and others. Workforce members shall log out of information systems immediately after use and shall secure their login and password so that others cannot use it.
  4. Mobile devices must be password protected and encrypted. For additional information, refer to the End User Device Procedure for security of mobile devices such as laptops, USB/thumb drives, etc.
  5. If PHI is lost, stolen or improperly accessed by others, immediately notify the ITS Help Desk, Privacy Officer or Information Security Officer. Immediately notify UNMC Security and file a police report if PHI is stolen.
  6. Contact the HIPAA Privacy Office for additional guidance.

For additional information, please contact the Privacy Officer or see UNMC Policy #6051, Computer Use and Electronic Information Security Policy, or UNMC's HIPAA information pages.

This page maintained by dkp.