HIPAA 2019 - PHI on Digital Devices

Cleveland Sight Center Policy about Protected Health Information (PHI) on Laptops, Mobile Devices, and Storage Media

Cleveland Sight Center (CSC) recognizes its responsibility to protect individually identifiable health information under the regulations implementing HIPAA (the Health Insurance Portability and Accountability Act of 1996, as amended).  Health information is any information that is created or received by a health provider and relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. 

Protected Health Information (PHI) includes names, geographic identifiers smaller than a state (including street address, city, county, precinct, zip code and their equivalent geocodes), all elements of dates (except year) for dates directly related to an individual (including birth date, admission date, discharge date, and date of death), phone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health insurance beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers including license plate numbers, device identifiers and serial numbers, website URLs, Internet Protocol (IP) address numbers, biometric identifiers including finger, retinal and voice prints, full face photographic images and any comparable images, and any other unique identifying number, characteristic, or code except the unique code assigned.

All employees of CSC are required to secure Protected Health Information (PHI) under HIPAA as well as the general confidentiality of CSC’s business practices. 

Specifically, this policy requires the following:

  1. Protected Health Information (PHI) will not be maintained by CSC staff on a laptop’s hard drive (neither a laptop issued to CSC staff nor a personal laptop).  If electronic PHI must be transported outside CSC facilities for purposes of client work, it will be saved on a CSC-issued encrypted flash drive which requires CSC staff to enter a password before accessing the files.  CSC staff will request an encrypted flash drive if one has not yet been issued or it has been lost, etc.  (If a laptop or flash drive is lost, it must be reported to the Chief Information Officer and HIPAA Compliance Officer immediately.)
  2. Email communications containing PHI between CSC employees using the CSC email system will be permitted.
  3. PHI shall not be transmitted in the subject line of an email message.
  4. When emailing PHI (or other confidential information), Zixmail (an email encryption service) must be utilized.
  5. Specially protected PHI (i.e., HIV/AIDS information, substance abuse treatment information, and mental health information) will not be communicated by email.
  6. If PHI can be accessed from a smart phone or other mobile device (including but not limited to client names on an electronic calendar or emails containing PHI), the phone must have its password encryption enabled.  If CSC staff are unsure whether the encryption is enabled, CSC staff will disable access until such time as approval can be obtained from CSC’s IT Department.  PHI will not be transmitted via SMS text message.