How can you secure your organization without knowing how patient data travels?
Every privacy/security/compliance official should understand the specific details of how patient data flows in their organization: the point of entry, where it flows within the organization, where it is stored, what format it's stored in, the exit points for the data, and where it travels.
That’s a lot of information to keep straight, especially for large providers and hospitals with dozens of departments. How does an official keep track of that? Data flow diagrams.
Data flow diagrams are graphical representations of how PHI flows through your systems. They are a crucial part of every healthcare organization’s HIPAA security efforts, especially when creating a complete and thorough risk analysis.
Unfortunately, lack of data flow diagrams is the #1 problem I see when auditing healthcare entities. Organizations simply don’t have them. How are you supposed to implement appropriate safeguards if you don’t know which areas to safeguard? Maintaining a current PHI flow diagram is absolutely foundational to your security program and HIPAA compliance.
Besides being a great overview of your systems, here are a few specific reasons you should be creating data flow diagrams:
Data flow diagrams can greatly enhance network security and can make your HIPAA compliance process easier.
While HIPAA doesn’t specifically state that providers must provide a data flow diagram to be HIPAA compliant, the OCR Audit Protocol does state that auditors must “determine if the covered entity has identified all systems that contain, process, or transmit ePHI.” What better way to do that than to ask a healthcare provider to deliver a PHI flow diagram?
The following is a step-by-step process to help you correctly create flows in your healthcare security environment.
The first step is learning where your data resides. This is also the first part of a HIPAA Risk Analysis. Scope is an inventory of all the places your organization accesses, creates, stores, transmits, or maintains PHI. The following may or may not be in scope (containing PHI), depending on your environment:
Take a few minutes and try to identify everything in scope.
Oftentimes, it’s simply not possible to create a data flow diagram on your own. The only way to ensure accuracy is to interview every single workforce member who has access to PHI. Your employees might know about random processes or data exits that no one else knows about. Interview process owners, web developers, sales force, physicians, third parties, etc.
This step is the hardest of the bunch. Trying to track down every PHI location, its flow, and what process put it there is exhausting and extremely time-consuming. That’s why keeping detailed documentation of your findings is crucial to your flows…and your sanity.
Together with your findings from steps 1 and 2, flow diagrams help you illustrate the locations and flows of PHI. It often makes sense to have a separate diagram for each different in-flow and for each different out-flow. Once a diagram is completed, you never have to create it again! All you have to do is update it if processes change or you change vendors.
If your organization is actively working toward its HIPAA compliance, your data flow diagram will play a crucial part in that development.