WHAT IS HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, has two relevant goals for protecting health information:
- To protect the privacy and security of individual health information
- To standardize electronic communications of patient health-related information
The act contains two major rules governing protected health information (PHI):
The Privacy Rule is a set of national standards that:
- protects the privacy of health information by regulating how entities disclose individual health information
- protects the confidentiality of health information
- empowers individuals with rights concerning the disclosure of their health information
- establishes a "minimum necessary rule," limiting disclosures of and requests for health information to the minimum needed
The Security Rule is a set of standards that applies to those who design and host systems holding health information that is maintained or transmitted electronically. This rule requires that every HIPAA-covered entity provide a security plan covering the following security areas:
Policies and Procedures
Every practice using an EHR needs to draw up a set of internal “policies and procedures” regulating EHR use. PCIP has developed guidelines that can serve as a template to help your practice craft its own policies and procedures relevant to privacy and security. Many of these questions are also legal concerns and should be brought to the attention of your attorney.
When creating your own policy, you need to consider both who is on your staff (e.g. physicians, nurses, medical assistants, front office staff, billing staff) and what information each staff member requires to do his or her job (e.g. patient clinical information, patient financial information, practice or “business” information, practice financial information).
The key to crafting a good set of policies is to determine who should get access to what. Under HIPAA, the guiding standard for information access is “minimum necessary,” meaning that staff members who do not need access to protected health information should not be able to access it.
Physical Security
In addition to staff and software security, it is important to think about your equipment:
- Where do you place your technology in your office?
- Who has access to those places?
- Can these places be better secured?
- Can the equipment be moved?
- How is equipment tracked or accounted for?
NYC REACH members will get access to guidelines that can help you work through the questions above and create your own policies to safeguard your practice.
We also strongly recommend you talk to a qualified IT consultant to evaluate your physical and network security.
Audits
Another key mechanism for bolstering the security of your EHR is the audit function, which allows you to examine user logs to figure out which users have been accessing which information. It is recommended that practices conduct regular audits to ensure that information isn’t being viewed by the wrong people.
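As an added example (not PCIP's or NYC REACH's own material), the Python script below ties the “minimum necessary” standard from the policies section to the audit described here: it reads constructed EHR access-log lines and flags every access that falls outside an assumed role-to-information policy. The roles and information categories are the ones named above; the CSV log format, the user names and the policy table are assumptions.

```python
# Added example, not PCIP/NYC REACH material: a "minimum necessary" review of
# constructed EHR access-log lines. The roles and information categories are the
# ones named in the text; the log format and the policy table are assumptions.
import csv
from io import StringIO

# Assumed policy: which information categories each role may access.
ALLOWED = {
    "physician": {"clinical", "patient_financial"},
    "nurse": {"clinical"},
    "medical_assistant": {"clinical"},
    "front_office": {"patient_financial", "business"},
    "billing": {"patient_financial", "practice_financial"},
}

# Constructed sample log (CSV): who accessed which category of which patient's record.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,category,action
2024-03-01T08:02:11,dr_lee,physician,P1001,clinical,view
2024-03-01T08:05:40,mrose,front_office,P1001,clinical,view
2024-03-01T08:07:02,jpatel,billing,P1002,patient_financial,view
2024-03-01T08:09:55,jpatel,billing,P1003,clinical,export
2024-03-01T08:12:30,nurse_k,nurse,P1004,clinical,view
2024-03-01T08:15:00,tmark,unknown_role,P1004,clinical,view
"""

def audit(log_text, policy=ALLOWED):
    """Return each access whose category lies outside the user's role policy.
    A role missing from the policy has no permissions, so its accesses are
    always flagged: the check fails closed rather than silently allowing."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["category"] not in policy.get(row["role"], set()):
            findings.append(dict(row))
    return findings

def flagged_users(findings):
    """Count flagged accesses per user to prioritise follow-up."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts

if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f['timestamp']} {f['user']} ({f['role']}) {f['action']} "
              f"{f['category']} record of {f['patient_id']}: outside role policy")
    print(flagged_users(results))  # prints {'mrose': 1, 'jpatel': 1, 'tmark': 1}
```

On the sample log the front-office view of a clinical record, the billing export of a clinical record and the access by an unrecognised role are flagged; a real EHR export would replace the constructed CSV and the policy table would be filled in from your own policies and procedures.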
For detailed instructions on how to audit your EHR, become a NYC REACH member for access to documents and guides on privacy and security on our NYC REACH Resource Library.