The third component of the HIPAA rules is the HIPAA Security Rule. It became effective April 21, 2003 and must be complied with no later than April 21, 2005. While privacy is about how electronic, oral, and written PHI is used and disclosed, security is about controlling access to electronic PHI only. The security requirements become fully operative on April 21, 2005. Although the final rule has been articulated by CMS, we hope the agency will issue further guidance that clarifies how the rule is to be implemented. Prior to the 2005 effective date, the JCAAI will distribute a set of security recommendations based upon the final rule and any other guidance we are able to obtain from CMS or HHS.
In the meantime, some security measures should already be in place. Our recommendations for the present are as follows:
- Password sharing should be prohibited. Your office should limit access to PHI based upon job description and by password. Unless you are a very small office in which everyone needs full access to all PHI, sharing passwords should be prohibited, since access restrictions will vary with each individual's responsibilities in the office. All employees must be aware that password sharing is prohibited, and compliance should be audited periodically.
- Internet access should be closed completely at night to prevent hacker access.
- Physicians should not be allowed to download PHI remotely through non-secure Internet providers.
- All doors and windows must be locked at night.
- Laptops and handheld computers must be secured when your office is closed.
- Computer screens should be secure from unauthorized eyes. Check the location of each computer screen in your office to ensure that it is positioned as securely as possible.
- Files should be protected from access by unauthorized persons. Physicians and other authorized staff should not leave medical records on their desks when they are not physically present in the room. Any PHI that leaves the office at the end of the day for home processing by the physician must be kept safe from unauthorized disclosure.
- Building workers, including cleaning staff, should have no access to your PHI files. If this is impossible, you should take reasonable steps to minimize their access to PHI. This should include leaving no charts on any desk top in the office or lying around the chart room. If necessary, the building cleaning staff may need a HIPAA training lecture to ensure they understand HIPAA Privacy requirements.
- When any computers are disposed of, you should ensure that the hard drives do not contain protected health information.
- You should have a “Disaster Response Plan” in order to respond to emergencies such as fire, vandalism or natural disaster. This plan should focus on protection of electronic PHI. You may need to work with your software provider to ensure that proper file backups are maintained in a secure location. At this point, you should start determining what disasters could occur and plan how to deal with their effects.