Jump/Thumb Drives and PHI Don’t Mix
It is very common for the staff of small and medium sized healthcare organizations to store patient data on USB Flash Drives (a.k.a. Jump Drives or Thumb Drives). This is universally a bad idea and guarantees non-compliance with HIPAA. Below, I will discuss why and suggest some alternatives to accomplish the same ends.
While this article discusses USB Flash drives in particular, the same arguments hold for all portable media — full sized USB hard drives, writable CDs and DVDs, laptops, etc.
Why store PHI / Patient Data on a USB Flash Drive?
In organizations where use of USB drives and other portable media for patient data is not explicitly forbidden (as it should be), practitioners are left to their own devices and seek solutions to make their work as efficient as possible. USB drives are extremely cheap, extremely portable, and extremely easy to use. Practitioners commonly use them to:
- Transport patient data from their office to/from the locations where they are meeting with their patients
- Transport patient data to/from home for storage and/or analysis
- Store permanent or temporary records for specific patients
- Make backup copies of patient data
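If the organization's policy is that removable media may not hold PHI, the workstation logs are where you find out whether staff are following it. The script below is an added example (not LuxSci's code and not part of the original article): it scans syslog-style lines for the Linux kernel's "Attached SCSI removable disk" message, which is what the sd driver prints when a USB stick or similar removable drive is attached, and reports which hosts saw one. The log lines, hostnames, and timestamps are constructed for the example.

```python
"""Flag removable-disk attachments in workstation syslog (added example).

The sample below is constructed: it imitates the Linux kernel's usb-storage
and sd driver messages for one USB stick on "ws-reception", an internal
(non-removable) disk on "ws-billing", and some unrelated noise.
"""
import re
from collections import Counter

# Constructed sample input, not captured from a real system.
SAMPLE_SYSLOG = """\
Mar 03 09:12:01 ws-reception kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Mar 03 09:12:01 ws-reception kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 03 09:12:02 ws-reception kernel: sd 4:0:0:0: [sdb] 30253056 512-byte logical blocks: (15.5 GB/14.4 GiB)
Mar 03 09:12:02 ws-reception kernel: sd 4:0:0:0: [sdb] Attached SCSI removable disk
Mar 03 09:12:05 ws-reception kernel: sdb: sdb1
Mar 03 09:13:40 ws-billing kernel: sd 0:0:0:0: [sda] Attached SCSI disk
Mar 03 09:15:12 ws-billing sshd[2231]: Accepted publickey for clerk from 10.0.0.7 port 51022 ssh2
Mar 03 10:02:19 ws-reception kernel: usb 1-2: USB disconnect, device number 5
"""

# "Mon DD HH:MM:SS host kernel: message" -- only kernel lines matter here.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# The sd driver logs "removable" only for media it detects as removable;
# an internal disk logs "Attached SCSI disk" and must not match.
ATTACH_RE = re.compile(
    r"^sd (?P<scsi>\S+): \[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk$"
)


def find_removable_attachments(text):
    """Return one dict per removable-disk attachment found in the log text."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # non-kernel line (sshd, cron, ...) or malformed
        a = ATTACH_RE.match(m.group("msg"))
        if not a:
            continue
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "dev": a.group("dev"),
            "scsi": a.group("scsi"),
        })
    return events


def hosts_with_removable_media(text):
    """Count removable-disk attachments per host (for a daily report)."""
    return Counter(e["host"] for e in find_removable_attachments(text))


if __name__ == "__main__":
    for e in find_removable_attachments(SAMPLE_SYSLOG):
        print(f"{e['ts']} {e['host']}: removable disk {e['dev']} attached")
    print(dict(hosts_with_removable_media(SAMPLE_SYSLOG)))
```

In practice the input would be the forwarded syslog stream from every workstation that handles PHI; the point of the per-host count is to turn a kernel message that nobody reads into a daily list of machines where the policy may have been broken.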
So, What’s Wrong With That?
While USB Drives make things quick and easy, there are a few significant issues that warrant their complete non-use in a health care environment (at least for PHI).
- Loss. Once you start carrying around these small drives, it becomes excessively easy to lose or misplace one. You could take it home by accident, lose your purse or bag which contains a drive, leave it on a shelf where anyone could pick it up, etc.
- HIPAA Security Rule. PHI stored on a USB Drive is “ePHI” (electronic Protected Health Information) and automatically subject to a slew of requirements in terms of storage, transport, and destruction of that data. Most of these requirements are unknown to or not met by the casual healthcare practitioner … leaving them automatically out of compliance.
Loss = Breach
A lost or stolen USB drive with ePHI on it is an automatic HIPAA breach, which can and will subject your organization to fines, negative publicity, and possibly criminal charges if willful negligence of HIPAA is determined.
This is not a joke — companies are already being fined millions of dollars for breaches involving even just one lost or stolen hard drive. It is so much easier to lose a USB drive than to have a regular-sized portable hard drive stolen from a car.
HIPAA requires all breaches to be reported, all affected patients to be notified, and the media to be notified (if the breach is large enough). Failure to report a breach would be even worse — should the breach be discovered later — as that would be “willful negligence” and you would not want to have that laid on you (see HIPAA penalties).
The “Onerous” HIPAA Security Rule
Ok – so you will be very careful so your Jump Drive is not lost or stolen? Then HIPAA says that you must be sure to:
- Follow all the normal rules required by HIPAA for PHI in general. See our Compliance Checklist.
- Ensure that the PHI on your USB drive can only be accessed via username and password and that such access is logged. (This is not normal and requires extra software or special hardware).
- The data on the USB Flash Drive should be encrypted. See for example: GoldKey.
- Log the movements of your USB Drive — i.e. you must keep a written record of everywhere it is moved to (this is best not done in a little notebook kept with the drive…)
- When you are done with the USB Drive, you must dispose of it in a way that prevents any data from being recovered from it by a third party (that doesn’t mean just breaking it or dipping it in liquid… see How–and Why–to Destroy Old Flash Drives).
- Ensure that ALL computers that you use to access the USB drive meet HIPAA requirements for Workstation Use themselves (e.g. software running, virus checkers, access controls, logging, etc.)
- A careful reading of the HIPAA Security rule will reveal finer nuances as well.
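Two of the items above, logging access to the drive and keeping a written record of everywhere it goes, are only useful if the record itself cannot be quietly edited after a drive goes missing. The Python below is an added example (not LuxSci's code and not from the article) of a tamper-evident custody ledger: each entry is hashed together with the previous entry's hash, so changing or deleting an earlier line breaks every hash after it. The drive identifier, names, locations and timestamps are constructed.

```python
"""Tamper-evident custody/access ledger for a removable drive (added example).

Each entry's hash covers the previous entry's hash plus the entry itself,
forming a hash chain. Keep the latest hash (the "head") somewhere the drive
holder cannot reach (e.g. e-mailed to the compliance officer at each update);
a ledger whose head does not match that saved value has been altered.
"""
import hashlib
import json

GENESIS = "0" * 64  # fixed "previous hash" for the very first entry


def _entry_hash(prev_hash, record):
    """SHA-256 over the previous hash and a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class CustodyLedger:
    def __init__(self):
        self.entries = []  # each: {"record": {...}, "hash": "..."}

    def append(self, drive_id, who, action, location, ts):
        """Record a movement or access of the drive; returns the new head hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"drive": drive_id, "who": who, "action": action,
                  "location": location, "ts": ts}
        h = _entry_hash(prev, record)
        self.entries.append({"record": record, "hash": h})
        return h

    def head(self):
        """Hash of the latest entry; store this copy off the drive."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return -1 if the chain is intact, else the index of the first bad entry.

        If expected_head is given, a chain that is internally consistent but
        was rebuilt wholesale (and so has a different head) is reported as
        broken at index 0.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if _entry_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return 0
        return -1

    def current_location(self, drive_id):
        """Last recorded location for a drive, or None if never seen."""
        for e in reversed(self.entries):
            if e["record"]["drive"] == drive_id:
                return e["record"]["location"]
        return None


def build_sample_ledger():
    """Constructed history for one drive; identifiers are made up."""
    ledger = CustodyLedger()
    ledger.append("USB-0042", "j.doe", "checkout", "main office safe", "2023-03-01T08:30")
    ledger.append("USB-0042", "j.doe", "move", "clinic room 2", "2023-03-01T09:05")
    ledger.append("USB-0042", "j.doe", "access", "clinic room 2", "2023-03-01T09:10")
    ledger.append("USB-0042", "j.doe", "checkin", "main office safe", "2023-03-01T17:45")
    return ledger


if __name__ == "__main__":
    led = build_sample_ledger()
    saved_head = led.head()
    print("intact:", led.verify(saved_head) == -1)
    led.entries[1]["record"]["location"] = "home"  # someone edits history
    print("first bad entry:", led.verify(saved_head))
```

The design choice worth noting is `expected_head`: a hash chain alone only proves the file is internally consistent, and anyone who can edit the file can recompute every hash. Comparing against a head value stored away from the drive and its holder is what makes the record evidence rather than a notebook kept with the drive.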
So, while use of a Thumb Drive is possible in a healthcare setting, such use requires a lot of planning, special software, drives with built-in encryption, and careful tracking and logging. Even with all that, if the drive gets lost it can still be a breach, even if the data on it is encrypted (though that will help mitigate how much trouble you are in).
Alternatives to USB Drives?
Ok – so you are ready to kick the portable drive habit. What you use instead really depends on what you are trying to accomplish, exactly, with the Flash Drives. In any and all cases, you should start with:
- Getting HIPAA Compliance going in general: Checklist
- Ensuring that all computers used for PHI are up to HIPAA standards
Then, you need to have a way to communicate your files between these computers in a compliant way without carrying them with you. There are many ways to do this.
- Online File Storage: Use an outsourced, online file storage system that is HIPAA compliant (such as LuxSci WebAide Documents). Note that services like Google Docs and Dropbox are NOT HIPAA compliant and should never be used for this kind of thing.
- Email: Keep the files in email archives and folders with a HIPAA compliant provider.
- EMR: Purchase and use a specialized EMR/PM system (electronic medical record/practice management) to track patient data and more.
- Local File Storage: Use a server in your own office network for custom secure file storage. Unlike with outsourced services, you have much more responsibility to ensure that the servers and access are up to snuff for HIPAA. So, this option is recommended only for organizations with “advanced IT skills” and the time and money to implement.
The first two options – outsourced email or file storage – are the least expensive and involve perhaps the least HIPAA knowledge and risk on your part. An EMR is useful if you have more general needs and can afford such a system … though you can get many aspects of an EMR through use of outsourced email, file storage, and collaboration software (such as that provided by LuxSci). Local File Storage requires the most knowledge and risk and a fair amount of cost, but it can grant the most flexibility if your requirements are specialized.