The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires covered entities (including medical practices) to implement technical, physical and administrative safeguards to protect patient information.
What Is a Technical Safeguard?
Section 164.304 of the Security Rule defines a technical safeguard as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” In other words, it's a series of technological methods used to protect patient information.
Access Controls is a HIPAA standard that falls within the Security Rule. As the name suggests, it's designed to protect patient information by restricting access to authorized personnel. If any employee in the office can access patient files, for instance, the practice could be found in violation of the Access Controls standard. Covered entities must implement a unique user identification system, which assigns a number or key to each user. In doing so, there's a record of who accessed what type of information on the system. The Access Controls standard also requires the implementation of emergency access procedures.
The Audit Controls standard requires covered entities to implement hardware, software and/or procedural mechanisms to record and examine activity within the system. Long story short, it's a way for covered entities to monitor their network for signs of a cyber attack or data breach. The Security Rule does not, however, specify the type of data that must be gathered through Audit Controls, nor does it specify how often data should be gathered. This is up to the discretion of the covered entity.
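The Access Controls and Audit Controls standards above are abstract until you see what they look like in a system. The following Python sketch is an added example written for this page (it is not from the page, from HHS, or from any named product): every access to a patient record is stamped with the unique user ID the Access Controls standard calls for, each log entry is hash-chained to the one before it so that a deleted or edited entry is detectable on review, and a small review routine flags any user who opens an unusually large number of distinct charts in a short window. The user IDs, patient numbers, time window and threshold are constructed sample values chosen for illustration.

```python
"""Added example: a tamper-evident, per-user access log for ePHI with a
simple review routine. Hypothetical code written for this page, not from
HHS or any product; the user IDs, record numbers, window and threshold
below are constructed sample values."""
from __future__ import annotations

import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class AccessEvent:
    user_id: str      # unique identifier assigned to each workforce member
    patient_id: str   # the record that was touched
    action: str       # e.g. "view", "update", "export"
    at: datetime
    prev_hash: str = GENESIS
    entry_hash: str = field(default="", compare=False)


class AuditLog:
    """Append-only log. Each entry's hash covers the previous entry's hash,
    so editing or removing an entry breaks the chain on verification."""

    def __init__(self) -> None:
        self.entries: list[AccessEvent] = []

    @staticmethod
    def _digest(ev: AccessEvent) -> str:
        body = json.dumps(
            {"user": ev.user_id, "patient": ev.patient_id, "action": ev.action,
             "at": ev.at.isoformat(), "prev": ev.prev_hash},
            sort_keys=True,
        )
        return hashlib.sha256(body.encode()).hexdigest()

    def record(self, user_id: str, patient_id: str, action: str, at: datetime) -> AccessEvent:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ev = AccessEvent(user_id, patient_id, action, at, prev_hash=prev)
        ev.entry_hash = self._digest(ev)
        self.entries.append(ev)
        return ev

    def verify(self) -> bool:
        """True if every entry links to its predecessor and matches its hash."""
        prev = GENESIS
        for ev in self.entries:
            if ev.prev_hash != prev or self._digest(ev) != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True


def distinct_patients_per_user(log: AuditLog, window: timedelta, threshold: int) -> dict[str, int]:
    """Return {user_id: count} for users who touched more than `threshold`
    distinct patient records inside any `window`-long span. A crude but
    widely used review signal for snooping or bulk export."""
    by_user: dict[str, list[AccessEvent]] = defaultdict(list)
    for ev in log.entries:
        by_user[ev.user_id].append(ev)
    flagged: dict[str, int] = {}
    for uid, evs in by_user.items():
        evs.sort(key=lambda e: e.at)
        best = 0
        for i, start in enumerate(evs):
            seen = {e.patient_id for e in evs[i:] if e.at - start.at <= window}
            best = max(best, len(seen))
        if best > threshold:
            flagged[uid] = best
    return flagged


def build_sample_log() -> AuditLog:
    """Constructed sample activity: a nurse viewing three charts on her ward
    over an hour, and a front-desk account pulling twelve charts in four minutes."""
    log = AuditLog()
    t0 = datetime(2015, 3, 2, 9, 0, tzinfo=timezone.utc)
    for i, pid in enumerate(["P-1001", "P-1002", "P-1003"]):
        log.record("nurse-17", pid, "view", t0 + timedelta(minutes=20 * i))
    for i in range(12):
        log.record("frontdesk-03", f"P-{2000 + i}", "view", t0 + timedelta(seconds=20 * i))
    return log


def review_sample() -> dict[str, int]:
    """Run the review over the sample log: more than 5 distinct charts in 10 minutes."""
    return distinct_patients_per_user(build_sample_log(), timedelta(minutes=10), threshold=5)


def tamper_check() -> tuple[bool, bool]:
    """Show the chain verifying before, and failing after, one entry is altered."""
    log = build_sample_log()
    before = log.verify()
    log.entries[5].patient_id = "P-9999"  # simulate an after-the-fact edit
    return before, log.verify()


if __name__ == "__main__":
    print("flagged users:", review_sample())
    print("chain intact before/after tampering:", tamper_check())
```

Because each entry stores the hash of the one before it, the chain is only as trustworthy as its most recent hash; in practice the current head hash is copied off-box (to a write-once store or a separate logging host) on a schedule, so that someone with write access to the log file cannot quietly rebuild the chain.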
While HIPAA does not require covered entities to encrypt their data, the law encourages it when implementation is “reasonable and appropriate.” Far too many medical practices send and receive protected health information (PHI) over the Internet, without the use of encryption. This places the patient's information at risk for disclosure, while also leaving the practice susceptible to breaches.
Note: encryption has become a hot topic as of late, with many lawmakers pushing to make it a requirement under HIPAA. There's still no word on when or even if this will happen, but the recent breach at health insurer Anthem has spurred this discussion.
Integrity is another key standard associated with HIPAA technical safeguards. It's defined as the “property that data or information have not been altered or destroyed in an unauthorized manner.” Crumpling a patient's medical records into a ball and tossing it into the trash isn't an authorized way to destroy them, as someone could go “dumpster diving” for them later. Instead, they should be shredded and/or burned to ensure no one else sees them.