Last modified: May 10, 2012
Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) includes any individually identifiable health information. "Identifiable" covers not only data that is explicitly linked to a particular individual (that is, identified information) but also health information with data items that reasonably could be expected to allow individual identification.
At Medicalis, we recognize that, in the course of our duties, we may need to handle PHI. For example, our efforts to understand the effects of decision support in radiology necessitate data mining efforts, potentially on repositories that contain PHI. During Support or Deployment activities, we may need access to PHI for investigative efforts or site analysis and configuration. We handle access to sensitive information in a secure and consistent manner.
This PHI policy applies specifically to how data is handled outside of any production environments, including ones we may be hosting for customers. Access to PHI inside protected production environments is limited to specific Medicalis Support Team personnel. Temporary access is granted on a limited basis to those people assisting Support or engaged in Deployment activity. Protected production environments are hosted either at the customer location or in a world-class SAS 70 audited data center that ensures compliance with all Sarbanes-Oxley and HIPAA access and security controls.
All requests for obtaining or receiving data outside of our production environments that may contain PHI must come through Medicalis Support. A support case will be opened and only closed once any patient information in the PHI repository is de-identified and/or deleted. A repository could be a flat file, word processing document, spreadsheet, or a database.
When obtaining a repository, Support engages in several steps:
In some cases, de-identification is not practical, for example when patient details are required for a Support case investigation, or a limited set of PHI is required for data mining. In these cases, the repository will remain in the PHI secure server environment, and access is restricted to investigators only. All data will be wiped immediately once the specific need is covered.
All laptops are required to have password-protected drive encryption implemented. No PHI repository should exist on a laptop computer. However, on limited occasions we may need to access production web sites or handle an individual's specific PHI for a Support case. Traces of this data, which the operating system may store in temporary files or browser caches, must be protected via encryption.
When re-purposing or de-commissioning laptops and servers, all hard drives are wiped using multi-pass overwriting technology or are physically destroyed. At no time will Medicalis engage in the long-term storage of PHI repositories outside of customer production environments.