PHI Removal Policy

Canon Medical Systems USA, Inc. ePHI Removal Policy



In keeping with the widespread advancement of Information Technology (IT) within the medical imaging industry, Canon Medical Systems USA, Inc. recognizes the importance of the protection of Patient Health Information (PHI).

PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This can be the patient’s name, accession number, Patient ID or any discernible information that can be linked to a specific individual.

To comply with the Health Insurance Portability and Accountability Act (HIPAA), Canon Medical Systems, acting as a Business Associate¹, has an obligation and responsibility to our customers to properly dispose of any media that contains PHI in a safe manner. Media can be Hard Drives (HDD), USB, CDs, or parts that contain any PHI. If it is unknown whether media contains PHI, the employee of Canon Medical Systems is to assume PHI is present and follow Canon Medical Systems policy for removal.

Canon Medical Systems is only responsible for PHI electronically stored on diagnostic system devices manufactured by Canon Medical Systems and where Canon Medical Systems is directly responsible for the service, sales presentation, or de-installation of the medical device. Canon Medical Systems will remove the patient data from the system following the guidelines of Canon Medical Systems Corporation. If desired, the facility may request the media that the PHI resided on for destruction as described below.

For some systems, Canon Medical Systems will use a mirroring program to back up the system state. This backup is used in cases where a software restoration is required, such as software catastrophes. This backup may contain PHI. Canon Medical Systems will use care to store this backup in a safe location provided by your facility. If it is decided not to use this quick recovery method, please communicate this to your local Canon Medical Systems customer engineer or email CanonMedicalSystemsSecurity@us.medical.canon.

At any time, a Canon Medical Systems customer can request that the HDD, solid state memory device (thumb drive), CD, or any media that contains PHI be provided to them free of charge. The customer can then assume the responsibility of disposing of the media that contains PHI. This can be requested for the following:

  • Sales presentation
    When Canon Medical Systems is responsible for a demo using PHI from a facility, most commonly used in Ultrasound presentations.
  • Removal of systems
    Applicable when Canon Medical Systems is responsible for the removal of any installed equipment.
  • Failure of media
    If any media fails or degrades and requires replacement; most commonly this will be an HDD failure (system drive, IDD, RDD, etc.).
  • System Upgrade
    If media is replaced during a system upgrade.
  • Creation of USB, DVD, or CD
    If Canon Medical Systems creates PHI on media such as USB, DVD, or CD (i.e., copies patient images onto a CD to be imported to PACS).
  • Mobile or temporary installation
    If Canon Medical Systems is responsible for a Mobile device or has a temporary installation, most commonly during an installation of another unit at a facility.

Contact Canon Medical Systems Security

Please email CanonMedicalSystemsSecurity@us.medical.canon with any questions or concerns.

Reference

  1. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html