How Must HIPAA Protected Health Information be Safeguarded?

The HIPAA Security Rule requires covered entities and their business associates to protect against reasonably anticipated threats to the security and integrity of electronic PHI (ePHI), while the Privacy Rule requires reasonable safeguards for PHI in any form, including paper records and spoken information. Covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. HIPAA is technology neutral: it specifies the outcomes that must be achieved, and the exact safeguards used to achieve them are left to the discretion of the covered entity, guided by its own risk analysis.

HIPAA requires administrative, physical, and technical safeguards to be implemented. Technical safeguards are the controls built into the systems that hold ePHI, such as access controls with unique user IDs, audit logs, encryption software, and firewalls. Physical safeguards include keeping paper records and electronic devices containing PHI under lock and key and controlling who can enter the areas where PHI is handled. Administrative safeguards are the policies and procedures that govern the workforce, such as deciding who is authorized to view PHI, sanctioning violations, performing the risk analysis, and providing security awareness training.

How do you determine what a reasonably anticipated threat to PHI is?

All covered entities and business associates are required to conduct an accurate and thorough risk analysis, and to repeat it on a regular basis and whenever their systems or operations change, in order to identify threats to the confidentiality, integrity, and availability of PHI. If a threat can be reasonably anticipated, the covered entity or business associate has to implement measures to protect against it, or to mitigate the consequences if it were to materialize, and document the reasoning behind each decision.

In the office, keep client records closed after use, and never leave any PHI on desks or in open areas. This includes notes, labels, or forms with patient names. When records are not in use, store them in a locked cabinet or locked room.

Proper disposal of PHI: Protected health information, such as copies of medical records or billing records, must be shredded or incinerated when it is no longer needed or is due for destruction. Any paper with PHI on it, such as post-it notes or scrap paper, should be shredded as well, and a bin that collects paper for shredding should be kept locked until its contents are destroyed. Electronic media that has held PHI (hard drives, USB sticks, backup tapes) must be securely wiped or physically destroyed before it is discarded or reused.

If you are seeing several clients in one day, take only the paperwork or assignment sheet for the client you are visiting into the meeting, and leave the other records locked out of sight. During the visit, be careful not to leave PHI where family members or others may see it. Keep any medical record in your line of sight for the whole visit, that is, close enough to you that you can see it at all times.

Documenting PHI communicated by telephone: Before giving PHI to a caller, verify that the caller is who they claim to be and is authorized to receive it. Then document the disclosure in your notes, giving the name of the caller, the date of the call, and a brief description of the request and the information shared.

Computer security: When you are at the office, make sure your computer monitor is turned away from public view, and lock the screen whenever you step away from the desk. A privacy filter on the monitor will reduce its visibility to others. Technical controls such as passwords, encryption, and firewalls only protect information when the people using the computers follow the procedures around them; in other words, you are the most important part of keeping electronic information secure.

Password protection is essential to computer security. Never share your password, and never write it down or keep a paper record of it. Use a password for the office systems that you do not use anywhere else, so that a breach of some other account cannot expose PHI.

Laptops and mobile devices (PDAs, phones, tablets): Keep a laptop with you at all times; if you must leave it behind, lock it in the car out of sight. Treat a PDA or phone the same way when it is not in use, just as you would any other container of protected health information. A locked car or bag only deters theft; the safeguard that actually protects the PHI on a lost or stolen device is encryption, so every portable device that stores ePHI should use full-disk encryption and be locked with a password or PIN.

Faxes: When faxing, send only the minimum PHI needed, and avoid faxing especially sensitive information such as HIV status or sexually transmitted disease results. Verify the fax number before sending, and where a number is used regularly, store it in the machine's speed dial so it does not have to be retyped each time. Always use a fax cover sheet that includes a confidentiality statement and instructions for anyone who receives the fax in error; do not include any PHI on the cover sheet. Take reasonable precautions to ensure that the intended recipient is either available to receive the fax as it arrives or has exclusive access to the fax machine, and retrieve incoming documents from your own fax machine promptly.

Answering machines and voicemail: Do not leave messages containing protected health information on an answering machine or voicemail unless the client or patient has given you permission to do so. Without that permission, leave only your name, a callback number, and a request to return the call.

Safeguarding your Reception Desk