BMN Blog

MAR 26
Where’s Your Patient Data Hiding?

They were surprised, and you likely will be, too. Of the hundreds of healthcare organizations I’ve helped document HIPAA and meet compliance requirements, most are unaware that their Patient Health Information (PHI) is exposed in some way. If a cyber attacker took advantage of this situation, it could cause damage to your patients, bring giant HIPAA fines, and cost you your reputation.

Patient data can be stored in unlikely or unnoticed places. Here are a few hiding places I’ve helped organizations identify:

  • Shortcuts – The management at your office has been diligent about HIPAA compliance efforts. Your entire team knows the process for keeping patient data safe. But the managers don’t know about the folder on the desktop of their intake manager’s laptop. She’s been using it as a shortcut for getting patients into the system more quickly. A HIPAA audit today would find more than 300 patients’ PHI on this one laptop. Imagine the shortcuts taken by other employees in the organization – the amount of exposed data could be staggering.
  • Email – I know what you’re thinking. You know the email you send and receive is secure because that was a priority when your team was looking for the best email option. And I salute you for being so diligent! However, there is a piece that is often overlooked. At any given time, the Sent folder on your email users’ phones and PCs can be riddled with patient data that is not protected.
  • Scans – Some photocopiers automatically save copies of scanned documents on their hard drives. If a copier is returned to the leasing company without the data being properly removed, that’s a HIPAA violation.

These opportunities for exposed PHI are not surprises for the Department of Health & Human Services’ Office for Civil Rights (OCR). That’s why it requires a true Healthcare Security Risk Analysis, which includes a thorough risk assessment of patient data, a review of policies and procedures, employee interviews for a HIPAA-HITECH audit, an analysis of operational threats, and more. And remember, any business associate who comes in contact with your patient data is also accountable for protecting it. You have a responsibility to make sure those associates are also diligently protecting your PHI.

Robbie Morris is TekLinks' VP of Healthcare and Security Solution Services. Contact him at
