A client contacted me recently with a really interesting question. Their organization has started using video recordings as part of their EHR training with their staff to demonstrate certain workflows and best practices in their electronic health records application. I am a huge believer in the power of , so I think this is a great idea.
However, these videos contained small amounts of protected health information (PHI), which raised the question of whether there were HIPAA implications that the organization needed to consider. To answer that question requires unpacking the various elements. Are the videos produced locally only? Are cloud servers involved in saving or backing up the files? If so, are the right business associate agreements in place to prevent impermissible disclosure of PHI?
Questions like this serve as a reminder of the true purpose of HIPAA. Contrary to what some believe, HIPAA is not meant to be a bunch of red tape and bureaucracy. HIPAA guidelines are simply meant to provide guidance for healthcare providers to honor and respect the privacy of their patients. Situations like this are a reminder that people in various departments of an organization can come up with good ideas like this one, but may overlook possible HIPAA implications before they run with them.
Meanwhile, a year or more down the road, a risk assessment might reveal that an individual or department has inadvertently disclosed PHI to third parties through a cloud service or an unsanctioned browser extension. Worse, the improper disclosure might be uncovered during a HIPAA audit.
The take-home lesson is that IT threats are often generated through initiatives created with the best of intentions. Do you have questions about the HIPAA implications of a new program or general questions about your organization’s HIPAA compliance? Matterform can help you build a security-first cybersecurity program that is HIPAA compliant. Contact us for a free exposure analysis today.