Guiding documentation also states that providers who use technology-based services should make reasonable efforts to protect and maintain the confidentiality of the patient’s protected health information (PHI). PHI may include patient names, addresses, phone numbers, email addresses, dates of birth, social security numbers, licenses, medical record numbers, digital identifiers, or biometric identifiers such as fingerprints and voice prints (Sivilli, 2018). Efforts to maintain confidentiality should include specific data security measures.
While a majority of the responsibility may fall to the provider, the patient should also be coached so that they can implement safeguards within their own settings.
When technology is used in clinical care, a range of data security issues can arise. The provider should therefore give extra caution and consideration not only to the methods used to interact with the patient (e.g., email, videoconferencing, telephone) but also to the recorded data itself (e.g., notes in an EHR). Ultimately, the provider wants to restrict unintended access to and disclosure of any PHI through physical safeguards (e.g., locks), technical safeguards (e.g., password systems), and administrative safeguards (e.g., trained staff).
Disposal of Data and Hardware
While basic storage of PHI is important, proper disposal of old data is also essential, as one cannot simply “shred” the digital information. Guiding documentation highlights the importance of making reasonable efforts to dispose of data, as well as the technological devices used to store the PHI, in a way that prevents unauthorized access. This remains true whether the software (i.e., computer programs) or hardware (i.e., the computer or a computer component such as a hard drive) will be reused or completely destroyed. Providers are encouraged to develop policies and procedures that adhere to any federal, state, or organizational regulations for proper destruction of the technology and data. These policies could include destruction carried out by the provider, or the hiring of a third-party company specializing in the destruction of confidential information. Finally, the provider should document the steps they took for proper protection of the data.
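As an added example (not from the chapter or its guiding documentation), the following script shows one concrete way a provider could carry out and document the disposal step described above for a single file of PHI: the file's contents are overwritten in place several times, the file is renamed so its original (possibly identifying) name does not linger in the directory, it is unlinked, and a destruction record is appended to an audit log. The file layout, the log format and the operator name are assumptions made for the illustration; the sample file it creates is constructed. Overwriting in place is only meaningful on magnetic media; on SSD or flash storage the provider should rely on full-disk encryption with key destruction or the vendor's secure-erase function instead, and the same record-keeping still applies.

```python
"""Added example (not the chapter's own procedure): overwrite, remove and log
the destruction of a file that held PHI.

Assumptions: notes are stored as plain files on a magnetic disk; the clinic
keeps a JSON-lines audit log of destruction events. On SSD/flash media the
overwrite step is not reliable and crypto-erase or vendor secure-erase should
be used in its place."""
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large files do not load into memory


def overwrite_file(path: Path, passes: int = 3) -> int:
    """Overwrite the file's bytes in place: random data on every pass but the
    last, zeros on the last. Each pass is flushed and fsynced so the writes
    actually reach the disk. Returns the number of bytes overwritten per pass."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        for pass_no in range(passes):
            last = pass_no == passes - 1
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(b"\x00" * n if last else os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def destroy_with_record(path, log_path, operator: str, passes: int = 3) -> dict:
    """Destroy one file and append a destruction record to `log_path`.
    The record captures what was destroyed, how, by whom and when, which is
    the documentation the guidance asks the provider to keep."""
    path = Path(path)
    log_path = Path(log_path)
    record = {
        "original_name": path.name,
        "method": f"overwrite x{passes} (random passes, final zero pass) + rename + unlink",
        "operator": operator,
        "started_at": datetime.now(timezone.utc).isoformat(),
    }
    record["bytes"] = overwrite_file(path, passes)
    # Rename before unlinking so the original filename, which may itself
    # identify a patient, is not the name left in the directory entry.
    neutral = path.with_name(f".destroyed-{os.urandom(4).hex()}")
    path.rename(neutral)
    neutral.unlink()
    record["completed_at"] = datetime.now(timezone.utc).isoformat()
    record["path_exists_after"] = path.exists()
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def run_demo() -> dict:
    """Create a constructed sample note in a temporary directory, destroy it,
    and return the destruction record together with the parsed log entries."""
    workdir = Path(tempfile.mkdtemp())
    note = workdir / "note_patient.txt"
    note.write_bytes(b"constructed PHI sample " * 100)  # constructed sample, 2300 bytes
    log = workdir / "destruction.log"
    record = destroy_with_record(note, log, operator="Example Provider")
    entries = [json.loads(line) for line in log.read_text(encoding="utf-8").splitlines()]
    return {"record": record, "log_entries": entries, "file_exists": note.exists()}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["record"], indent=2))
```

The record deliberately stores the file name, size, method, operator and timestamps but not the file's contents or a digest of them, so the audit log itself does not become a new store of PHI. The same `destroy_with_record` call can be run over every file in an export directory before the disk it lives on is reused or handed to a third-party destruction vendor.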