Most healthcare providers automatically think about privacy issues when the HIPAA law comes to mind and seem to have gone on ‘auto-pilot’ when it comes to protecting privacy. It’s not uncommon to see offices being mindful of the visibility of computer screens and paper medical records. They are generally careful not to leave PHI face-up in high-traffic areas, they limit ‘hallway conferences’ about patients, and some have even gone a little overboard, removing patient names from files and sign-in systems.
However, given the benefits (financial, operational and quality of care) and the proliferation of electronic mechanisms for receiving, creating, maintaining and transmitting PHI, the need for additional and specific protection is very great. In addition, the growing use of wireless networks and mobile devices, such as laptops, smartphones and tablets, which allow providers to access PHI, mandates a whole host of other security processes that cannot be ignored.
The HIPAA Privacy Rule does contain some basic security provisions, and its guidelines cover all types of PHI, but a great number of providers don’t realize that a separate and more complex HIPAA Security Rule added specific provisions for protecting the confidentiality, integrity and availability of electronic PHI.
Where the Privacy Rule requirements appear more ‘black and white,’ the Security Rule is the complete opposite. The main concept behind the Security Rule is its ‘scalability’; in other words, security processes must be adapted to the uniqueness of each organization and cannot follow a “one-size-fits-all” approach. A practice that has primarily paper records and little electronic PHI would implement the Security Rule very differently from a practice with an electronic health record (EHR) system. The extent of the information that exists or resides in electronic systems dictates the provider’s activities with regard to the security of ePHI.
The Security Rule requires a living, breathing process that must be second nature to the compliant practice. Some components of the average security program include: network configuration and security; ongoing analysis of electronic system threats and vulnerabilities; disaster and emergency policies that spell out how the provider will access PHI and continue to provide care; mechanisms for routinely testing back-ups and ensuring their integrity; and a system for anticipating, resolving and preventing security incidents.
It would be naïve and dangerous to believe that an annual security assessment and a policy manual on the shelf are enough to demonstrate compliance with this regulation that carries monetary and criminal penalties for violations. Monitoring security of ePHI and spotting breaches in security or issues that could potentially lead to breaches must be continuous.