The convergence of digital health information and social file sharing technologies has introduced major challenges for health providers seeking to share PHI with business and clinical partners while adhering to HIPAA obligations.
The Risk
Are rules for information sharing understood by all employees?
File sharing technologies are pervasive and growing in popularity, and in research conducted by Osterman, the number of file sharing users worldwide will reach 800 million by 2017. It is estimated that one in five professionals already uses file sharing technologies for work documents.
Many hospitals suffer from a lack of standardized tools for file sharing, or have multiple solutions depending upon the source of data. Users will find their own solution unless you present them with a singular tool for all data and document sharing. Many of these tools may pose legal, financial and corporate integrity risks, not to mention delays in delivery when policies are unclear.
Hospitals today are still a hodgepodge of data silos. With multiple data controllers intrinsic to both primary platforms and individual desktops, there is little standardized governance.
Are your tools platform agnostic, or do they serve just your EMR?
Are users forced to find their own solutions to file sharing?
Consider these risks…
Employees can sync thousands of files containing PHI onto personal unprotected desktops or other devices using off the shelf file sharing technologies. Theft or exposure of these devices can cause a massive HIPAA breach.
Over one million devices are lost or stolen each week in the US, including 12,000 laptops in US airports alone. A recent survey shows that 22% of respondents lost their phones in the last year.
With these statistics a breach is virtually guaranteed.
Information escaping your firewall is impossible to recover and can multiply like a virus across multiple sites and desktops.
Most file sharing services only provide auditing for files stored on the cloud, and even then these audits don’t necessarily comply with HIPAA. Once the files are synchronized to a device or shared with external parties, they are undetectable to auditing.
Healthcare organizations must face the following dilemma: should we ban file sharing technologies, or enable it while accepting the increased legal liabilities? With little data governance or life-cycle management the latter is unacceptable.
Providers and business partners are legally obliged under HIPAA to report to the US Department of Health and Human Services every time one of your employees loses or accidentally shares information about 500 or more individuals at one time. In such a case not only can you be fined up to $1.5 million, but you are also exposed to unlimited privacy breach liabilities. Not surprisingly, over 60% of HIPAA violations reported occur as a result of lost or stolen devices. This problem is seriously exacerbated by file sharing technologies, where a single device can be synchronized to thousands of files with PHI.
Do you know your external recipients of corporate data?
Do you know all your data exit points?
Many Electronic Document Management (EDM) platforms provide a solution to control each aspect of information delivery. Meta-data from documents are collected, distribution determined, audit trails managed and reported and document life-cycle maintained with very little IT intervention. A good EDM should help you improve data security and compliance without increasing liability.
EDM’s accomplishes this task by encrypting data both at rest and in transit. Data stays behind your fire-wall, and only leaves on an exception basis.
Access is provided or revoked in real-time to any user or device. As a result, your EDM will safeguard sensitive organizational data.
Furthermore, most EDM’s should provide complete audit trails of all user and application actions from inception to data destruction. By tracking exactly which files have been exposed in the event of an incident, you can prove that no unauthorized parties have viewed sensitive data.
Interoperability and transparency are the future. Data will be freely shared securely among all providers, partners and patients, and Electronic Document Management solutions are the answer.