Jan 08 2016 by Don Lawrence

Keep Your PHI to Yourself


We did it.  We built the first social/clinical network for sharing medical images and thoughts with those you trust, and we did it while exceeding the government guidelines related to HIPAA security in the HITECH Act.  Regardless of these standards, please do not put Protected Health Information in our system.  It’s not worth the risk for you or your organization.

We built this system to allow individuals in private communities to share potentially sensitive images like X-rays and scans with each other without all the hassle typically associated with this task.  As a collaboration platform centered on medical images, there is no reason for anyone to include a patient’s personal information.  Our members participate in thousands of discussions in our network, the vast majority of which take place without a hint of who the patient is because it simply is not relevant to the conversation that’s taking place.

When someone joins eRounds, we advise them of our no-PHI policy.  During the first-run experience, they must demonstrate that they can remove PHI.  Whenever images are uploaded to a post, users are prompted to stop and review the images for any traces of PHI.  They are then provided with user-friendly tools to destroy (not mask) any PHI.  Once a case is uploaded, no PHI remains on their device (unless it was already there), and the images are stored in an encrypted, protected format.  We don’t even have to protect a user’s data “at rest” because the data is clean of protected information.  But just in case you were wondering, we do so anyway.
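The distinction between destroying and masking PHI matters more than it sounds: a mask is a layer drawn over the image at view time, so the original pixel bytes and header fields are still in the stored file for anyone who obtains it, while destruction overwrites the pixels and drops the fields so there is nothing left to recover. The following is an added illustration, not eRounds code; the tiny image format, the `PatientName`/`PatientID`/`PatientBirthDate` header fields and the burned-in annotation region are constructed for the example.

```python
"""Redaction by destruction versus masking (added example, not eRounds code).

The record layout below is constructed: an 8x8 greyscale image whose top row
carries a burned-in patient name, plus a header dict with DICOM-style field
names. Real DICOM handling would use a library such as pydicom; the point here
is only the difference between hiding PHI and removing it from stored bytes.
"""
import copy
from dataclasses import dataclass, field

WIDTH, HEIGHT = 8, 8
# Header fields treated as PHI for this example (assumed list, not exhaustive).
PHI_HEADER_FIELDS = ("PatientName", "PatientID", "PatientBirthDate")


@dataclass
class ImageRecord:
    header: dict
    pixels: bytearray
    overlays: list = field(default_factory=list)  # view-time masking layers


def make_sample() -> ImageRecord:
    """Constructed sample with PHI in both the header and the pixel data."""
    header = {
        "PatientName": "DOE^JANE",
        "PatientID": "12345",
        "PatientBirthDate": "19700101",
        "Modality": "CR",  # not PHI; should survive redaction
    }
    pixels = bytearray(WIDTH * HEIGHT)
    annotation = b"DOE^JANE"  # burned-in text occupying the top row
    pixels[0:len(annotation)] = annotation
    return ImageRecord(header, pixels)


def mask_phi(rec: ImageRecord, region: tuple) -> ImageRecord:
    """Masking: add an opaque box over `region` for display only.

    The stored pixel bytes and header are untouched, so the PHI is still
    present in the file and recoverable by anyone who strips the overlay.
    """
    out = copy.deepcopy(rec)
    out.overlays.append({"region": region, "color": 0})
    return out


def destroy_phi(rec: ImageRecord, region: tuple) -> ImageRecord:
    """Destruction: overwrite the pixels in `region` and drop PHI header fields."""
    out = copy.deepcopy(rec)
    x0, y0, x1, y1 = region  # half-open box: columns x0..x1-1, rows y0..y1-1
    for y in range(y0, y1):
        for x in range(x0, x1):
            out.pixels[y * WIDTH + x] = 0
    for name in PHI_HEADER_FIELDS:
        out.header.pop(name, None)
    out.overlays.clear()  # nothing left to hide, so no mask is needed
    return out


def phi_remaining(rec: ImageRecord, known_tokens: list) -> list:
    """Inspect the STORED record (header and raw pixels), never the rendered
    view, for PHI. Returns a list of findings; empty means clean."""
    findings = []
    for name in PHI_HEADER_FIELDS:
        if name in rec.header:
            findings.append("header:" + name)
    raw = bytes(rec.pixels)
    for token in known_tokens:
        if token.encode() in raw:
            findings.append("pixels:" + token)
    return findings


if __name__ == "__main__":
    original = make_sample()
    tokens = ["DOE^JANE", "12345"]
    top_row = (0, 0, WIDTH, 1)
    print("masked:   ", phi_remaining(mask_phi(original, top_row), tokens))
    print("destroyed:", phi_remaining(destroy_phi(original, top_row), tokens))
```

The check deliberately reads the raw bytes rather than what a viewer would render, which is the only way to catch a mask that merely hides the data. Running the block reports four findings for the masked copy and none for the destroyed one.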

HIPAA violations can result in fines ranging from $100 per violation, if the user was unaware they revealed PHI, to as much as $50,000 per violation, with a cap of $1.5 million in a calendar year.  If the offense is deemed “willful neglect,” the offender could also face criminal charges and jail time.  (http://bit.ly/1Rfg9hR)

Now, we don’t know about you, but we think that’s a risk you, your organization, or eRounds shouldn’t take.  So what happens if someone disregards all of our warnings and tools?  Well, this is where our community of users and moderators comes in.  Anyone in the community can flag a post or comment for containing PHI.  Once it is flagged, it is removed from the system.  Some of our private communities even have live moderation, which means that posts containing PHI won’t even hit the system because they will be denied.  If someone can’t take a hint and continues to upload content that contains PHI, they will be removed from our network.  We know who saw it and for how long, so if the offending user must disclose their breach, eRounds has the logs to help.
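The value of the view log described above comes at disclosure time: for a post that turns out to have carried PHI, the organization needs to know who could have seen it between upload and removal and for how long. The following is an added example of that query over a constructed append-only event log, not eRounds code; the event names (`view_start`, `view_end`), the field layout and the sample timestamps are assumptions for the illustration.

```python
"""Exposure report from a view log (added example, not eRounds code).

Events are constructed for the illustration. Each record is one line of an
append-only log: ISO-8601 timestamp, event name, user and post identifier.
Views still open when the post is removed are cut off at the removal time,
so the report never understates exposure.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two viewers of post p-17, one of whom never closed
# the view before the post was flagged and removed; post p-18 is unrelated.
SAMPLE_LOG = """\
2016-01-08T09:00:00 upload     alice  p-17
2016-01-08T09:05:00 view_start bob    p-17
2016-01-08T09:07:30 view_end   bob    p-17
2016-01-08T09:10:00 view_start carol  p-17
2016-01-08T09:11:00 view_start bob    p-18
2016-01-08T09:12:00 view_end   bob    p-18
2016-01-08T09:15:00 flagged    dave   p-17
2016-01-08T09:15:00 removed    system p-17
"""


def parse_log(text: str) -> list:
    """Parse whitespace-separated log lines into (time, event, user, post) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, post = line.split()
        events.append((datetime.fromisoformat(ts), event, user, post))
    return events


def exposure_report(events: list, post_id: str) -> dict:
    """Return {user: seconds_of_view_time} for `post_id`.

    A view_start without a matching view_end is closed at the post's removal
    time (or the last event seen, if it was never removed), because from a
    disclosure standpoint the content was available to that user until then.
    """
    relevant = sorted(e for e in events if e[3] == post_id)
    if not relevant:
        return {}
    removal = next((t for t, ev, _, _ in relevant if ev == "removed"), relevant[-1][0])

    open_views = {}
    seconds = defaultdict(float)
    for ts, event, user, _ in relevant:
        if event == "view_start":
            open_views[user] = ts
        elif event == "view_end" and user in open_views:
            seconds[user] += (ts - open_views.pop(user)).total_seconds()
    for user, started in open_views.items():  # cut off still-open views at removal
        seconds[user] += max(0.0, (removal - started).total_seconds())
    return dict(seconds)


if __name__ == "__main__":
    report = exposure_report(parse_log(SAMPLE_LOG), "p-17")
    for user, secs in sorted(report.items()):
        print(f"{user}: {secs:.0f} s")
```

Because the log is append-only and keyed by post, the same query answers both "who must be notified" (the keys) and "how long was the content exposed" (the values); note that `bob`'s view of the unrelated post `p-18` does not appear in the `p-17` report.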

So yes, we take data security seriously.  We don’t allow PHI and we give members the tools to destroy it.  But in the unlikely event that it does make it into our system, we have thousands of community members itching to flag someone and we will have a really handy log of potential viewers in the meantime.  So please… keep your PHI to yourself.