Page 2 - HIPAA Guard Herald - July 2018 e-Newsletter
HIPAA Guard HERALD
YOUR MONTHLY NEWSLETTER ON SURVIVING HIPAA
Though HIPAA does not explicitly prohibit the use of these portable storage devices, once ePHI is known to have been stored on these devices, your facility must:
- track the in and out of the data and the device in your system or facility to prevent unauthorized access to the ePHI;
- include the ways to detect, mitigate and report a breach, should it happen, in your risk assessment;
- destroy the data/USB device (when you no longer need the ePHI) in such a way that any unauthorized third party won't be able to access it; and
- document, document and document every step and guideline of the above.

#2 No Third Party Apps for Communication or Storage of Data

Third-party file sharing and storage providers such as Google Drive, Dropbox, etc. shall be considered Business Associates if they store ePHI on behalf of your practice or facility, consequently warranting that they too be HIPAA compliant. Remember that HIPAA Law protects not only the data but also its accessibility and integrity. As mandated, these cloud storage service providers must enter into a Business Associate Agreement with the Covered Entity, as the BAA shall establish the allowed and required uses as well as disclosures of ePHI by the cloud storage service provider performing activities and services for the covered entity or another business associate.

3 Critical Steps

1. Data Access
- Your policies and procedures that cover Data Access must concentrate on ensuring your workforce or staff only access information for which they are appropriately authorized.

2. Data Storage
- You should ensure that policies and procedures that address the security needs for such devices are in place, especially if they contain sensitive patient information. Note that these devices may be removed physically from your facility, thus all possible security measures must be put in place.

3. Data Transmission
- Focus on ensuring the integrity and safety of ePHI sent over networks, of data that are directly exchanged, and of remotely accessed applications that might contain ePHI.

ISSUE 08
July 2018