This is the last installment in our five-part series on the Basics of HIPAA. So far, we’ve reviewed the history behind the HIPAA law, who is required to comply with it, and what exactly is protected under this law. Today, we’ll take a look at electronic information and HIPAA’s protection of this ever-growing field that affects health care.
Security
Although the Privacy Rule contains some safeguard provisions, and its requirements cover PHI in every form, the federal government added the HIPAA Security Rule to the existing regulation in 2003. The Security Rule added specific provisions for protecting the confidentiality, integrity and availability of electronic PHI. Electronic PHI (or ePHI) is individually identifiable health information that a covered entity creates, receives, maintains or transmits in electronic form.
Because of the proliferation of electronic mechanisms for receiving, creating, maintaining and transmitting PHI, the need for additional and specific protection is very great.
Where the Privacy Rule appears to be more “black & white” with regard to its specific requirements, the Security Rule is the complete opposite. The main concept behind the Security Rule is its ‘scalability;’ in other words, Security Rule processes must be adapted to the size, complexity and systems of each organization and cannot follow a “one-size-fits-all” approach. Many of its implementation specifications are “addressable” rather than “required,” meaning the organization decides (and documents) whether and how each one applies to its environment. A provider that has primarily paper records and very little electronic PHI would implement the Security Rule very differently from a practice with an electronic medical record (EMR) system. The extent of the information that exists or resides in electronic systems dictates the provider’s activities with regard to security of ePHI, but every covered entity, however small, must still perform and document a risk analysis of its ePHI.
Many practices have gone on ‘auto-pilot’ when it comes to protecting privacy. It’s not uncommon to see offices being mindful of the visibility of computer screens and paper medical records. They are generally careful not to leave PHI face-up in high-traffic areas and actually, some offices have gone a little overboard, removing patient names from files and sign-in systems. (This is unnecessary, by the way.)
The Security Rule, on the other hand, is a living, breathing process that must become second nature to the compliant provider organization. It would be naïve and dangerous to believe that an annual security assessment and a policy book on the shelf are enough to demonstrate compliance with this regulation. Monitoring the security of ePHI must be continuous: reviewing system activity and audit logs, and spotting breaches or the issues that could lead to them, is an ongoing duty, not a once-a-year event.
Well, that concludes our five-part blog series on the Basics of HIPAA. By now, we hope you feel more knowledgeable about some of the nuances of this important legislation. Remember that as a healthcare worker – and as a patient yourself – HIPAA offers protection and control of healthcare information, and that compliance is a team effort. If you have any general HIPAA questions or need any clarification, feel free to call our office, or speak with your supervisor.