Summary
As tech service providers, we make every effort to ensure the protection of financial, health, education, and other personal confidential data. This document relates to the protection of health records.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes guidelines to protect and secure patient health information. The agency overseeing HIPAA compliance is the U.S. Department of Health & Human Services. [Source: HHS.gov]
Primary Entities
Agencies, businesses, organizations, and healthcare providers directly interacting with patient records are required to comply with these guidelines. [Source: HHS.gov]
Business Associates
Sometimes these primary healthcare entities rely on secondary entities which are referred to as Business Associates. [Source: HHS.gov] These Business Associates are also required to comply with the guidelines.
The HHS provides examples of Business Associates as:
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
All of the above examples describe access to medical records; in other words, they are individuals and entities that directly handle, view, and work with patient information. The CDC has a helpful chart that explains HIPAA and FERPA compliance.
Tech Support Provider Expectations
Remote and on-site tech support providers have access to computers that hold medical data. However, they do not have, and should not need, access to the patient information itself. That information will be protected by practice management and patient care software that is encrypted and password protected. A properly secured HIPAA compliant system will not be accessible by anyone but authorized personnel.
When a tech support person is diagnosing a printer problem and prints a test page, no patient records will be used. Instead, a sample document from Microsoft Word or the Windows printer test page will be used.
If a computer display is defective, the technician will not need to see the defect by having patient records displayed. A non-confidential image can be used.
Power cords, computer monitors, keyboards, printers, network cables, and a variety of other equipment can be replaced without the support person needing any access to patient information.
For these reasons, the U.S. Department of Health and Human Services is focused on those directly handling and interacting with patient records.
All tech support providers should avoid any situations that require them to see or work with confidential and protected information “in the clear” (plain text) since it is not required for them to complete their work.
Best Practices
It is often assumed that HIPAA compliance and precautions only apply to medical offices. However, any computers or devices used in homes or businesses can, and most likely do, contain a variety of confidential and protected data such as:
- Account Information — Computers can have passwords and other account information that needs to be protected. These are like keys to repositories of other information.
- Education Information — This information is protected by FERPA, a Federal law that protects the privacy of student education records. [Source: U.S. Department of Education]
- Employment Information — This information is often a combination of financial records and personally identifiable information.
- Financial Information — This information is sensitive because if exposed it could result in financial fraud. Computers sometimes have credit card information either through typed notes or scanned images.
- Health Records — This information is protected by the Health Insurance Portability and Accountability Act (HIPAA).
- Personally Identifiable Information (PII) — This information is sensitive because, if exposed, it could be used for identity fraud. It includes SSN, birthday, address, and similar information. Computers sometimes contain scanned images or photos of driver's licenses or passports.
Regardless of the device or place of use, precautions should always be taken with the assumption that all equipment and devices may contain the above information.
Device Disposal
Proper precautions should be followed when disposing of old devices.
Hard Drive Disposal
The disposal of hard drives requires some additional care and precaution.