The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is an incredibly long and complex compilation of hundreds of rules and regulations. Every healthcare facility is required, by law, to adhere to every single aspect of this gargantuan set of regulations. As most providers know, HIPAA regulates electronic protected health information (ePHI) and how it can be stored. With so many parts to keep track of, it’s difficult to keep up to date with how new devices fit into HIPAA regulations.
According to HIPAA, ePHI is “any protected health information that is created, stored, transmitted, or received in any electronic format or media.” This includes eighteen different points of information, which may include things like names, dates of birth, financial identifiers, exam numbers, and anything that might link back to a patient. Any medical device that retains this information can prove to be a weakness in your facility’s defense of patient ePHI. It’s particularly important to know whether your TEE probe cleaner disinfector stores this data and whether it allows users to access that data and store it on a portable device, such as a USB drive.
Although being able to transport data on a USB drive is very convenient, it can lead to serious trouble. According to HIPAA Journal, “The loss of a USB drive containing PHI is a reportable breach and one that could potentially result in a significant regulatory fine… Covered entities still using these small portable devices to store PHI should consider banning the use of the devices...” In 2011, the theft of a USB drive with ePHI on it compromised the private information of over two thousand people and cost the company $2.2 million in fines.
HIPAA requires that healthcare providers review and modify security policies and procedures regularly, making changes when necessary; USB drives, in particular, are an area of growing concern. How can this risk be mitigated with regard to your probe cleaner disinfector?
Ensure that your probe cleaner disinfector does not retain or allow users to access any of the eighteen forms of ePHI:
1. Name
2. Address (including street address, city, county, or zip code)
3. Any dates (except years) directly related to an individual (birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89)
4. Telephone number
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan beneficiary number
10. Account number
11. Certificate/license number
12. Vehicle identifiers, serial numbers, or license plate numbers
13. Device identifiers or serial numbers
14. Web URLs
15. IP address
16. Biometric identifiers such as fingerprints or voice prints
17. Full-face photos
18. Any other unique identifying numbers, characteristics, or codes
Fortunately, TEEClean Automated TEE Probe Cleaner Disinfector users can breathe a sigh of relief. TEEClean does not ask for or retain any form of ePHI whatsoever. What TEEClean does retain are records of each and every cleaning and disinfection cycle and all device maintenance events. In short, TEEClean remembers just the information required for an audit and nothing more, preserving patients’ private information and keeping your facility safe from regulatory fines.