The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is known primarily for its rules protecting the confidentiality of health information, but it also includes separate requirements to ensure the physical security of that information. Physician practices that have been required to comply with the HIPAA Privacy Regulations since April 14, 2003, have also been required to comply with the HIPAA Security Regulations since April 20, 2005.[1]
As a general rule, physician practices are required to
The regulations have three categories of standards that must be met: administrative safeguards, physical safeguards, and technical safeguards. For each standard, certain implementation specifications are required, and other implementation specifications are “addressable.”
If a specification is addressable, the practice has flexibility in whether to implement it. The practice must implement the addressable specification if doing so is reasonable and appropriate under the circumstances. When deciding what is reasonable and appropriate, the following factors are to be considered:
If the addressable specification is not reasonable and appropriate under the circumstances, the practice must implement an alternative security measure that is reasonable and appropriate.
The list of standards and implementation specifications in the regulations is quite lengthy, and practices should review them in detail. Educational materials are available on the Centers for Medicare & Medicaid Services' Web site.[2] The following paragraphs summarize highlights of the regulations' requirements.
The practice must appoint someone as the security official, and that person must assess security risks, implement appropriate security policies (including sanctions for violations by the staff), and evaluate the effectiveness of the office's security procedures. Required policies include procedures for ensuring that electronic protected health information is accessed only by authorized persons, as well as procedures for data backup and disaster recovery. Business associate agreements with vendors who create, receive, maintain, or transmit electronic protected health information while performing services for a physician practice must be amended to include security protections.
The practice must limit physical access to information systems containing electronic protected health information, and to the facility in which they are located, while ensuring that properly authorized access is still allowed. There also must be policies on the disposal of computer hardware and electronic media that guard against the inadvertent release of electronic protected health information. Software programs used by the practice should have mechanisms to ensure that transmission of electronic protected health information is secure.
Access to electronic protected health information must be protected by passwords and other mechanisms. Practices also must have a procedure and mechanisms to access the information in an emergency.
Violations of the HIPAA Security Regulations are punishable by civil money penalties. However, a provider is entitled to 30 days to correct a violation without penalty if the failure to comply was due to reasonable cause and not willful neglect. Therefore, it is important that physician practices appoint a security official, assess each of the HIPAA Security Regulations' specifications, and document the decisions about what is reasonable and appropriate for each of the addressable specifications.