The HIPAA security standard is essentially a subset of, or complement to, the HIPAA privacy standard. Where the HIPAA privacy requirements apply to all patient Protected Health Information (PHI), the HIPAA security requirements apply more specifically to electronic PHI.
These standards provide guidance for developing and implementing policies and procedures to guard against, and mitigate, compromises of security. The electronic protected health information (EPHI) a provider uses is critical to its business and important to patient care.
The HIPAA security standard defines three categories of safeguards for compliance: administrative, physical, and technical. The following descriptions apply more to smaller practices. The descriptions were taken directly from number 7 of the HIPAA security series white papers. The text in quotes is the actual wording from the HIPAA security standard.
Administrative Safeguards
Security Management Process – “Implement policies and procedures to prevent, detect, contain, and correct security violations.”
- Identify EPHI that you create, receive, or transmit. This may be on computer workstations, laptops, or PDAs. Ensure that security measures are in place. These may be administrative, physical, or technical – like locking doors to rooms containing EPHI, password protection of workstations or files, and facing monitors away from public areas.
- The practice should also develop and implement policies that define specific actions when security is violated. These could include sanctions or disciplinary action against employees or vendors who don’t comply.
Workforce Security – “Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.”
- Do people (employees, vendors) who should have access actually have the appropriate access? Are those who should not have access prevented from accessing EPHI?
Security Awareness and Training – “Implement a security awareness and training program for all members of its workforce (including management).”
- Employee training should address topics such as not sharing passwords with each other, not writing passwords down and leaving them in the open, etc.
Contingency Plan – “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
- This would apply to electronic information from sources that should be backed up such as practice management software, accounting systems, electronic medical records, digital recordings of diagnostic images, electronic test results, or other electronic documents containing EPHI. This information should preferably be backed up to a physically separate location.
Business Associate Contracts and Other Arrangements – “A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.”
- This would mean having written contracts with the provider’s vendors that document their compliance with the HIPAA security standard. Typically this would apply to software vendors, billing services, etc.
Physical Safeguards
Facility Access Control – “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”
- The provider office should have means to prevent unauthorized physical access, tampering, or theft of EPHI. This would include locking doors, warning signs, surveillance cameras, alarms, identification numbers, and security cables on computers. It is also suggested that the practice document specifically how modifications to the facility or building protect EPHI.
Workstation Use – “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”
- This would involve having security measures to protect workstations with EPHI, such as privacy screens, password-protected screen savers, and logging off the workstation when not present.
Device and Media Controls – “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.”
- The HIPAA security standard requires destruction of EPHI on equipment or media that is no longer used. An example would be software to erase hard drives when upgrading computers. Other provisions of this standard require creation of a retrievable exact copy of EPHI files before the equipment it is stored on is moved.
Technical Safeguards
Access Control – “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).”
- Each user of the practice management system (or other EPHI systems) should have a unique user identifier so that user activity can be tracked and logged by the system, as the HIPAA security standard requires. The system should automatically log off users after a period of inactivity to ensure unauthorized users don’t gain access.
Person or Entity Authentication – “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
- The system should require that each person with access have a unique PIN or password before access is granted.
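The Access Control and Person or Entity Authentication items above map to a handful of concrete mechanisms: a unique identifier per user, a credential check before access, an audit trail keyed by that identifier, and automatic logoff after inactivity. The following is an added example (Python, not from the white paper or any vendor product) modelling those mechanisms; the user ids, rights, and the 15-minute inactivity limit are constructed values.

```python
# Added example (not from the article or from HHS): a minimal model of the
# Access Control and Person or Entity Authentication safeguards, showing
# unique user identifiers, credential checks, an audit trail keyed by user id,
# and automatic logoff after inactivity. Names and values are constructed.
import hashlib, hmac, os, time

INACTIVITY_LIMIT = 15 * 60  # seconds; assumed policy value, not from the standard

class EphiSystem:
    def __init__(self, clock=time.monotonic):
        self.clock = clock       # injectable so timeouts can be tested
        self.users = {}          # user_id -> (salt, pw_hash, granted rights)
        self.sessions = {}       # user_id -> timestamp of last activity
        self.audit = []          # (timestamp, user_id, event, detail)

    def add_user(self, user_id, password, rights):
        # Unique ids are what make the audit trail attributable to a person.
        if user_id in self.users:
            raise ValueError("user ids must be unique so activity can be traced")
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user_id] = (salt, pw_hash, frozenset(rights))

    def login(self, user_id, password):
        rec = self.users.get(user_id)
        ok = rec is not None and hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), rec[0], 100_000), rec[1])
        # Both successes and failures are logged; failures are detection signal.
        self.audit.append((self.clock(), user_id, "login", "success" if ok else "failure"))
        if ok:
            self.sessions[user_id] = self.clock()
        return ok

    def access(self, user_id, record_id, action):
        now = self.clock()
        last = self.sessions.get(user_id)
        if last is None:
            self.audit.append((now, user_id, "denied", "no session"))
            return False
        if now - last > INACTIVITY_LIMIT:      # automatic logoff
            del self.sessions[user_id]
            self.audit.append((now, user_id, "auto-logoff", f"idle {int(now - last)}s"))
            return False
        if action not in self.users[user_id][2]:  # rights granted per 164.308(a)(4)
            self.audit.append((now, user_id, "denied", f"{action} {record_id}"))
            return False
        self.sessions[user_id] = now
        self.audit.append((now, user_id, action, record_id))
        return True
```

Every access decision, allowed or denied, lands in the audit list with the user id, which is the record an assessment would review when checking that access is limited to those granted rights.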
Transmission Security – “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
- Is encryption necessary to protect EPHI transmitted between the provider’s office and outside organizations? If not, what measures are in place to protect the information, such as password protection of documents or prohibiting transmission of EPHI via email?
In summary, compliance with the HIPAA security standard can be demanding even for the small practice. A good idea is to become familiar with these standards and conduct an assessment of the practice’s (or, if it’s a business associate, the business’s) systems to identify areas where changes need to be made to meet the intent of the HIPAA security standard.