Q: One of our healthcare professionals carries patient information in his vehicle during his daily travel between multiple physician offices, our practice’s administrative office, and his home office. This includes patient information stored on his laptop computer. Do any HIPAA provisions specify requirements that protect this traveling information? What are your suggestions for adequate protection of patient information on laptop computers?
A: HIPAA does not specifically address transportation of PHI. However, the physical safeguards provisions of the HIPAA security rule require covered entities to protect any portable media or devices, whether permanently stationed or in transit. The HIPAA privacy rule also requires covered entities to implement physical safeguards to protect all forms of PHI, including any paper charts transported between offices.
CMS has published specific guidelines pertaining to remote access. Remote login to applications and networks was their original focus, but the guidelines now also address transport of data. (Visit CMS’ Web site at www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf
to read the guidelines.) CMS has stated publicly that remote access guidelines will be among the criteria used during security rule audits.
When transporting PHI between facilities, lock any hardware, media, and paper documents containing PHI in a secure location in the vehicle (e.g., the trunk).Never leave PHI in plain sight—especially if stored on a laptop computer. Lock or otherwise secure boxes and folders containing paper charts and ensure that they are not visible to reduce the likelihood of theft.
Ensure that your healthcare professional follows appropriate security practices when using the laptop computer or media containing PHI at all locations. Each location represents another environment where security safeguards are necessary.
Home is often the least secure place to store patient information, unless special care is taken to store and lock the PHI when not in use. Your healthcare professional should access PHI only in areas where no individuals not privy to the information are present.