NYC Health + Hospitals announced last month that, as part of its Data Loss Prevention (DLP) Program, it now has the capability to monitor the downloading of electronic protected health information (ePHI) from the H + H database onto USB storage devices, including flash drives, thumb drives and portable hard drives.
“Reminder: the use of USB devices to transmit ePHI is being monitored,” the H + H notice says. “Staff will not be blocked from doing so, but they will be monitored in the background…When a user transfers a file that contains ePHI to a USB device, they will receive a notification popup in the lower right-hand corner of their screen.”
The monitoring capability is part of H + H’s effort to ensure that the system’s clinical staff complies with the federal law that protects personal medical information, known as HIPAA (Health Insurance Portability and Accountability Act – Privacy Rule).
“The point to stress is that staff will not be blocked from using USB devices,” says David Hoffman, PAGNY’s Chief Compliance Officer. “But they have to exercise diligence in choosing when to share data and how to do so. The computer system isn’t acting as a privacy nanny, but the system is monitoring the data and if it detects ePHI being transferred to a flash drive, it has the capability of informing the user that the activity has been detected.”
Mr. Hoffman said this capability is important to maintaining patient trust “because the loss of a physical storage device can put a patient’s confidential information at risk of unauthorized disclosure.”
For questions about the use of USB devices, H + H recommends contacting the Enterprise Service Desk at 877-934-8442 or firstname.lastname@example.org.