Storing and backing up electronic PHI, Confidential Information, and other files


If you have an encrypted hard drive, you may store Confidential or PHI on that drive while you are using it.  Move the file to your SkyDrive on SharePoint for primary storage and backups at least once per day, and when you’re done with the file, securely delete it.


ALL electronic PHI and Confidential Information MUST be moved to and stored on Sharepoint on re|solution PCs.  Any local copies that exist on either re|solution or personally owned computers must be securely deleted ( instructions on Secure Delete ).  After an initial purge, this process must be completed before ending a work session or moving to another location.  If this cannot be accomplished for any reason, such as a lack of an internet connection, then all PHI and Confidential files must be zipped and password protected at the end of each work session.


SharePoint is also our primary backup system for all other files (non-PHI or Confidential), so always use SharePoint as your primary file storage site.


If you are using any external backup or public cloud services (such as Google Docs, DropBox, Box.com, or others), external hard drives (including any backups), or flash drives, move all documents to SharePoint and delete any copies from those storage areas.


Detailed guidance on purging your computer of PHI is HERE and will cover any computer you may have used during your time with re|solution (such as another family member’s) as well as purging backup files, flash drives, or external hard drives.


 

Storing hard copy PHI or Confidential Information


All hard copy PHI and Confidential Information must be in a locked file cabinet prior to leaving your workspace.

When no longer needed, hard copy PHI and Confidential Information must be destroyed by shredding.

 

The most important part …

Think!


Now that you have a sense of our fundamental responsibilities, think about what you are doing and proactively act as good custodians.  We cannot ever anticipate all possible scenarios and define procedures around them.


As you come across conditions that are not covered in the procedures above, let us know and we will consider the applicability of those conditions for other facilities and create new procedures accordingly.


Always bear in mind that our actions on these topics are driven by a desire to minimize the risk of any breach, or to mitigate the seriousness of any breach that does occur.  Each of you have a responsibility to help us constantly refine our operations to achieve that goal.