The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is designed to protect the privacy of healthcare patients and customers. If you keep up with our blog, you're probably well aware of the Rules implemented by the HHS in an effort to achieve this. As part of HIPAA, all doctors, physicians, chiropractors, dentists and other covered entities must follow HIPAA's Rules to remain compliant. But how does this relate to the HHS' Systems of Records Notices?
Also known as “SORNs,” Systems of Records Notices are any document or set of documents that consists of a collection or grouping of information about an individual. A defining characteristic of a SORN is the ability to search for and retrieve the respective record by the individual's name, account number or some other unique identifier.
“The Privacy Act of 1974 requires that agencies create and maintain, as necessary, System of Records Notices (SORN) as defined in the Privacy Act. A system of records consists of any item, collection, or grouping of information about an individual, where those records can be retrieved by the name of the individual or by some other type of identifier unique to the individual,” wrote the Department of Health and Human Services (HHS).
It should come as no surprise that System of Records Notices typically fall under the category of Protected Health Information (PHI), meaning covered entities must implement meaningful and appropriate measures to safeguard them from unauthorized use or access. If your business stores PHI in the form of SORNs, you are required by law (under HIPAA) to take steps to secure it. Otherwise, you could be found in violation of HIPAA.
So, how can you protect SORN and other PHI from unauthorized use? HIPAA's Rules lay out several measures, including the implementation of physical, technical and administrative safeguards. We've seen a disturbing uptick in the number of cyber attacks on healthcare organizations in recent years – a trend that experts believe will continue. Covered entities should protect themselves and their patients' data by implementing firewalls, virus scanners, authentication, user logins, and other cyber tactics, most of which fall under the category of technical safeguards.
Physical safeguards also play a key role in the security of patients' data. Unlike technical safeguards, physical safeguards include something tangible, such as locked doors, locked windows and the use of privacy screens on computers.