It is especially important for smaller practices to be mindful of Electronic Protected Health Information (ePHI) security regulations – a breach of ePHI can lead to costly notification requirements and potential monetary penalties under the HITECH Act.[1] Managing physicians of small independent practices hold many responsibilities, including the duty to comply with the Security Rule within HIPAA regulations. This article provides a brief overview of federal ePHI compliance safeguards required in a practice. While not meant to be a comprehensive discussion of all requirements, it highlights legal considerations and safeguards a practice must implement to comply with HIPAA ePHI regulations. The federal Security Rule under HIPAA requires a health care provider (typically known as a Covered Entity[2]) to have the minimum ePHI safeguards, listed below.
Before diving into required safeguards, a practice should first understand the scope of ePHI. ePHI is formally defined as “all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.”[3] ePHI is protected under the Security Rule, which “applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with covered entities and business associates.”[4] The Security Rule works to protect individuals’ health information in a modern, technologically advanced world. It is meant to be flexible to work among various kinds of health care providers, ranging anywhere from small independent practices to large multistate hospital systems. The Security Rule requires covered entities to “1) ensure the confidentiality, integrity, and availability of all ePHI [practices] create, receive, maintain or transmit; 2) identify and protect against reasonably anticipated threats to the security or integrity of the information; 3) protect against reasonably anticipated uses or disclosures; and 4) ensure compliance by their workforce.”[5] As more health care providers routinely use electronic means to document and store patient records, ePHI policies and procedures are critical to implement and follow in order to comply with HIPAA.
a. Administrative Safeguards. HIPAA defines administrative safeguards as policies and procedures “to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”[6] The following is a list of selected administrative safeguards required by the Security Rule for all covered entities:
b. Physical Safeguards. Physical safeguards under the Security Rule are “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”[6] The following are required under the physical safeguard prong of the Security Rule:
While perhaps common sense, it is very important for clinics to implement physical safeguards, such as workstation and device controls, to ensure that access to technology containing ePHI is secure and that outdated technology containing ePHI is safeguarded when it is disposed of or repurposed.
c. Technical Safeguards. Not only does a practice need physical safeguards to protect ePHI, it also needs policies and procedures that limit access to software programs to authorized users only. Technical safeguards are defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”[1] A practice must have the following technical safeguards:
Conclusion
It is important to note, for all three of these requirement areas, that the HHS Office for Civil Rights recognizes that each covered entity is different and therefore evaluates each one on several considerations:
Compliance with the Security Rule will depend on a number of factors, including those identified in § 164.306(b)(2):
‘(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to EPHI.’[1]
Based on these considerations, each ePHI safeguard requirement may look different for each practice in application.
Additionally, practices often contract with third parties that specialize in practice systems and ePHI management. Using such a vendor can be valuable to a practice: it lets the practice turn costly and time-consuming requirements over to a third party. When contracting with these vendors, a practice must execute a Business Associate contract under HIPAA to remain in compliance with the Security Rule.[2] In other words, to protect a practice’s ePHI when working with a third party, the practice must ensure that the third party acts within the parameters set out in the Security Rule by executing a contract in which the third party agrees to abide by such laws.[3]
As each HIPAA requirement (even beyond ePHI) can become complicated and convoluted for a new practice, it is recommended that a physician wanting to open a health care practice consult a specialized health care attorney on these matters. Moreover, a specialized consultant can help ensure that the practice reasonably and appropriately complies with HIPAA requirements. Not only are ePHI safeguards required by federal law, they also play a critical role in maintaining the security of sensitive health data. ePHI security is certain to play an increasing role in health care as technology continues to advance.
1 HITECH Act § 1320d-5.
2 Covered Entities and Business Associates, HHS.gov (June 16, 2017), https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html.
3 45 C.F.R. § 160.103.
4 Summary of the HIPAA Security Rule, HHS.gov (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
5 45 C.F.R. § 164.306(a).
6 Security Standards: Administrative Safeguards, HIPAA Security Series (March 2007), https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf; see Elizabeth Snell, A Review of Common HIPAA Administrative Safeguards, HealthIT Security (July 17, 2015), https://healthitsecurity.com/news/a-review-of-common-hipaa-administrative-safeguards.
7 45 C.F.R. § 164.308(a)(1).
8 45 C.F.R. § 164.308(a)(2).
9 45 C.F.R. § 164.308(a)(4).
10 45 C.F.R. § 164.308(a)(3).
11 45 C.F.R. § 164.308(a)(8).
12 Security Standards: Physical Safeguards, HIPAA Security Series (March 2007), https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf.
13 45 C.F.R. § 164.304.
14 45 C.F.R. § 164.304; § 164.312(a)(2)(i); § 164.312(a)(2)(ii).
15 45 C.F.R. § 164.312(b).
16 45 C.F.R. § 164.304.
17 45 C.F.R. § 164.312(d).
18 45 C.F.R. § 164.312(e)(1).
19 Security Standards: Administrative Safeguards, HIPAA Security Series (March 2007), https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf.
20 Business Associate Contracts, HIPAA (Jan. 25, 2013), https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
21 See id.