Comments on Small Biz Thoughts by Karl W. Palachuk: SOP Friday: HIPAA Part Three - Documentation
Blog author: Karl W. Palachuk (http://www.blogger.com/profile/10854725002875547297)
Comment feed last updated: 2024-03-29

Comment by Karl W. Palachuk (https://www.blogger.com/profile/10854725002875547297), 2013-08-10 19:40 (-07:00):

Good question, Jason. To answer the question, look at it from a slightly different angle: If I found this laptop, would I be able to access PHI? At first glance, I see three ways that I could:

1) Data sits unencrypted on the laptop

2) Data is encrypted on the laptop but no passwords are required to access it

3) PHI data is not on the laptop, but such data is accessed through a "secure connection" whose credentials are remembered in the user profile and therefore not requested when a connection is made to the web site, Citrix connection, or RDP login.

If this is an accurate picture of the environment, you need to develop a training for laptop users, implement a policy, document the policy, and document training. The policy might look something like this:

"All laptop users must log on with a domain username and password, which must not be stored on the machine.
No protected health information may be stored on the laptop.
PHI may only be accessed via secure web-based login to a secure Citrix or RDP login. Logon credentials must not be stored or automatically entered when accessing a secure site.
All laptop users must receive a training on this policy and sign a verification that they have read this policy."

Comment by Anonymous (https://www.blogger.com/profile/10692914116215257714), 2013-08-09 09:26 (-07:00):

This is more of a question than a comment. I have several clients that are using cloud-based EMR solutions. They access their EMR through a secure connection on their workstations, and a few through laptops. The laptops travel outside of the clinic and are used to access the EMR solution from their home or another clinic. The login access varies from just a web-based login to a secure Citrix or RDP login. My question is:
Do these laptops still need to be encrypted since they have 'access' to PHI but don't 'store' PHI? I know encryption is not a requirement, but if a laptop is encrypted and lost or stolen it does not need to be reported as a breach. I am having trouble tracking this information down. Thought you could help and point me in the right direction.