Friday, October 26, 2007

Remote Access to PHI

Health care organizations are under significant pressure to allow remote access to personal health information (PHI) in the field or from the homes of health care workers. The Ontario Information and Privacy Commissioner issued her Order HO-004, which addressed the issue of PHI stored on laptop computers and directed Ontario health information custodians to employ measures such as encryption to protect PHI on laptops and other portable devices. I know that many Ontario health care organizations are struggling to implement this order while not interfering with the need to allow remote access to PHI for legitimate and important health care delivery and research purposes.

I found an excellent reference guideline on the security considerations for remote access published by the US Department of Health and Human Services titled Security Guidance for Remote Use. This is published under the auspices of the HIPAA Security Rule. What I really like about this document is that it takes a risk management approach to considering the problem of remote access. The document looks at the risks of allowing remote access and suggests possible risk mitigation strategies.

This document is HIGHLY recommended.
