Compliance and Privacy Spotlight: Transporting Protected Health Information (PHI)

At Texas Children’s, we recognize some workforce members are required to transport Protected Health Information (PHI) as part of their roles within the organization. However, we must always remember that moving PHI within or outside Texas Children’s requires special care.

What is PHI?

PHI is any individually identifiable patient health information. PHI may be contained in paper records, laptop computers, mobile phones, thumb drives, etc. PHI identifiers include: patient name, social security number, date of birth, address, phone number, insurance information, social history, diagnosis information, treatment information, photographic images, and email address.

How Does this Affect Me?

It’s our duty to our patients and Health Plan members to safeguard their PHI. It’s also the law. When we have a breach, we are required to notify the affected patients and families, which damages the trust they have in Texas Children’s. We are also required to notify the Health & Human Services Office of Civil Rights (OCR), which could lead to regulatory fines and penalties.

The OCR has recently increased its enforcement activities. As an example, a recent OCR investigation at Oregon Health & Science University (OHSU) involving the loss of unencrypted laptops and an unencrypted thumb drive resulted in OHSU paying $2.7M to settle potential HIPAA violations. OHSU was also required to implement a comprehensive three-year corrective action plan.

Best Practices for Transporting PHI

Transporting Paper PHI

  • Paper PHI that is hand-carried must be reasonably concealed
  • Place the PHI in a sealed envelope or a closed box/bag, or hold it securely in your arms, ensuring that the PHI is not visible to anyone
  • Never leave PHI unattended

Transporting Electronic PHI (ePHI)

  • All laptops and portable devices containing ePHI must be encrypted
  • Never leave ePHI unattended

Specific Guidance for Transporting PHI Off-Site

We recommend that PHI not be transported outside Texas Children’s owned or leased locations, but if you must do so, follow these guidelines:

  • Only transport PHI off-site if absolutely necessary, and with your supervisor’s approval
  • Only transport the minimum amount of PHI necessary for your work purpose
  • Keep the PHI in your possession and secure at all times
  • Do not leave PHI in an unattended vehicle (e.g., while picking up a child from daycare, or while getting gas)
  • Return the PHI to Texas Children’s for secure storage or secure destruction as soon as possible

Key Takeaways and Tips

  • Do not remove PHI (including census and other patient/member lists) from Texas Children’s unless you have your leadership’s approval to do so
  • Workforce members must properly secure PHI when transporting it within or outside Texas Children’s
  • Never leave PHI in unattended vehicles
  • To avoid transporting paper PHI, consider creating a patient list in Epic
  • Do not leave PHI in an unlocked room or unsecured area
  • Immediately report the loss or theft of PHI to the Compliance and Privacy Office

If you have questions about transporting PHI, please contact the Compliance and Privacy Office (Ext. 4-2085 or compliance@texaschildrens.org).

Applicable Policies and Procedures

  • Disposal of Confidential Proprietary Information HIM Procedure
  • Handling of Confidential and Proprietary Information Procedure
  • Transporting Protected Health Information (PHI) Policy
  • Transporting Protected Health Information (PHI) Procedure