Do you operate a healthcare practice that collects, stores and/or uses Electronic Protected Health Information (EPHI)? If so, you must familiarize yourself with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. All healthcare practices and other “covered entities” that use EPHI are required by law to follow this Rule. Those who do not may face fines or other penalties handed down by the Office for Civil Rights (OCR).
Don't underestimate the importance of using administrative safeguards to prevent the unauthorized use or access of EPHI. According to the official HHS website, these safeguards comprise more than half of the HIPAA Security Rule requirements, attesting to their importance. So, what are administrative safeguards? The first standard listed is Security Management Process, which is essentially a practice's policies and procedures to prevent, detect, contain and correct security violations.
Another essential administrative safeguard is risk analysis. Covered entities should routinely perform in-house audits of their systems to determine whether or not EPHI is at risk for a breach.
In addition to administrative safeguards, covered entities must also implement meaningful and appropriate physical safeguards as part of the HIPAA Security Rule. A physical safeguard is essentially any tangible practice or technique that is designed to prevent the unauthorized use or access of EPHI. This may include things like privacy screen protectors, door locks, file cabinet locks, security systems, etc. If it is tangible and is designed to protect EPHI from unauthorized use, it is classified as a physical HIPAA safeguard.
Last but not least, covered entities must use technical safeguards to prevent the unauthorized use or access of EPHI. While physical safeguards are tangible, technical safeguards are intangible. The HIPAA Security Rule defines a technical safeguard as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Examples may include firewalls, two-way authentication systems, encryption, virus scanners, proactive network monitoring services, and remote data wipe functions.
To recap, covered entities must implement three types of safeguards – administrative, physical and technical – to remain compliant with the HIPAA Security Rule. Leaving out even one type of safeguard could land you in hot water if you are ever audited by the OCR. Rather than risking the integrity of your healthcare practice, it is recommended that you implement all three types of safeguards.