With the increased use of information technology in health care, your medical office must continue to find ways to maintain the security of the protected health information (PHI) of the patients it serves.
HIPAA security refers to establishing safeguards for PHI in any electronic format. This includes any information used, stored or transmitted electronically. Any facility defined by HIPAA as a covered entity has the responsibility to ensure the privacy and security of its patients' information and to maintain the confidentiality of their PHI.
The rules for maintaining HIPAA security include safeguards for three key areas.

Administrative Safeguards
- Develop a formal security management process including the development of policies and procedures, internal audits, contingency plan and other safeguards to ensure compliance by medical office staff.
- Assign responsibility of security to a designated person to manage and supervise the use of security measures and the conduct of the staff.
- Implement features that ensure the staff has proper training and proper authorization to access PHI.
- Define levels of access for all staff and how that access is granted.
- Require that all medical office staff, including management, undergo security training, with periodic reminders and ongoing user education.

Physical Safeguards
- File PHI in a secure location and workspace for employees (this includes the use of locks, keys, and badges that unlock doors) so that unauthorized persons and intruders cannot gain access.
- Develop policies for verifying access authorizations, equipment control, and handling visitors. Develop and provide documentation, including instructions on how your medical office can help to protect PHI (for example, logging off the computer before leaving it unattended).
- Provide protection against fire and other hazards.

Technical Safeguards
- Establish unique user identification, including passwords and PINs.
- Adopt an automatic logoff control.
- Record and examine system activity for auditing purposes.
- Utilize encryption controls to protect data transmitted over a network.