§ 530(c) of the HIPAA regulations provides, with regard to safeguards, that “a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” We typically think of “safeguards” as a security issue, and therefore as related mainly to electronic PHI. However, twice in the last three weeks, we’ve had to deal with patients photographing and posting pictures of PHI that was unprotected – once a screenshot and once a paper form. One was meant to embarrass the provider as revenge for making the patient wait. The other was simply meant to illustrate the provider’s laxness. Both incidents were troublesome to resolve.
The lesson from these events is that HIPAA’s requirement to secure PHI is not simply an IT responsibility. Providers should also continually monitor and evaluate their precautions regarding paper records, exposed computer screens, etc.
Written by: Gregory D. Frost