If you are a doctor, physician, dentist or any other healthcare provider operating in the US, you should familiarize yourself with the nuances of the Health Insurance Portability and Accountability Act (HIPAA). Originally signed into effect in 1996, HIPAA consists of several Rules that all healthcare providers must follow. Failure to follow HIPAA's Rules could result in fines or other consequences handed down by the Department of Health and Human Services (HHS).
The Security Rule Only Applies to EPHI
There are two forms of Protected Health Information (PHI), as recognized by the HHS: paper PHI, which may consist of manila folders, paper files, and other tangible documents, and Electronic PHI (or EPHI), which consists of Protected Health Information in the form of digital documents. HIPAA's Security Rule governs only EPHI.
Are you controlling access to Protected Health Information? HIPAA requires all covered entities to implement meaningful and appropriate measures to safeguard their PHI from unauthorized use. One such measure that's specifically mentioned is the use of access controls. This may include providing healthcare workers with unique usernames and passwords so there's a record of who accesses PHI, as well as a time stamp of when that access occurred.
Most healthcare providers are fully aware of the importance of using technical safeguards to protect their PHI, but many overlook the importance of physical safeguards. Physical safeguards, as the name suggests, consist of tangible measures to prevent the unauthorized use of PHI. The most common type of physical safeguard used by healthcare providers is locked doors, but others may include privacy screen protectors, privacy walls, and locked file cabinets.
If you plan on doing business with one or more third parties, you'll need to create a Business Associate Agreement (BAA) to dictate what type of PHI will be used, and how it will be used. HIPAA requires all covered entities to create a BAA with each of the third parties with whom they do business.
Healthcare providers should use caution when sending faxes. According to some privacy experts, faxing is one of the most common causes of PHI ending up in the wrong hands. If your practice uses faxes to send PHI, you must have a system in place to track transmissions. Furthermore, HIPAA requires covered entities to verify the recipient and provide regular monitoring of faxing security.