Security Standards & Planning

As prepared by Dunlap & McDowell for 2/28/03 Pragmatics of HIPAA Training

Standards for Security of Protected Health Information (PHI) under HIPAA were issued on 2-20-03, and published in the Federal Register.

Here is a link to the text version in the Federal Register: February 20, 2003 (Volume 68, Number 34) [Rules and Regulations] [Pages 8333-8381]

Here is a link to the same document in .pdf format.

Security standards take into account the scale and nature of your practice.

You will need to create and document the processes that protect client information at all levels.

You will need to think through and document the answers to the following security issues:

  1. Who has access to protected health information (PHI)? Yourself? Trainees? Staff?
  2. Who will be your designated "privacy official"?
  3. To whom will PHI be disclosed or available as part of your doing business? Answering service? Billing service? Cleaning staff? Accountant? Salaried secretary or office clerk? Who else?
  4. How will these people be trained to protect the PHI for which you are responsible?
  5. If your billing person, your computer help, those who answer your phone, etc. are not employees but contractors or businesses, they have access to PHI and you will need to have "Business Associate" agreements with them.
  6. How is protected health information (PHI) stored?
  7. How is PHI protected from fire, flood, theft, etc.?
  8. If you store PHI in a computer or computers, how do you back it up? How will you protect it from unauthorized access? How will you recover PHI if your machine crashes? How is it protected from contamination by computer viruses? From invasion by snooping electronic programs? Are you aware that your old computer hard drive can never be "really" cleaned? To protect your patients, destroy the hard drive before you give away or throw away an old computer that has any patient-related information.
  9. If your practice uses a networked computer system, each authorized person must have a unique identifier code for access to the information. If your communication network is "open" to access by others (as, for example, when data travels over the Internet), PHI data must be encrypted. If your practice is operating at this level of sophistication, you will need to control access and security, verify that data has not been corrupted or altered, and have audit systems that track your computer security. There are proposals in process for the development of "electronic signatures," which will increase the capability of uniquely identifying who creates, sends, or receives PHI via electronic transmittal systems.
  10. What happens to the PHI for which you have accountability in the event of your death or incapacity? Though not specifically a part of HIPAA rules, your review of security practices ethically needs to include a clear plan for what will happen to the PHI in your keeping if you are no longer able to protect it.