U.S. Department of Health and Human Services
Health Information Technology and Quality Improvement


How Do I Ensure Security in Our System?

Ensuring the security of protected health information (PHI) in your health IT system requires that you institute measures to guard against unauthorized use and disclosure of PHI.  The HIPAA Standards for the Protection of Electronic Protected Health Information, known as the Security Rule, applies only to PHI in electronic form.  As with the Privacy Rule, the Security Rule requires covered entities to have contracts or other arrangements in place with their business associates to ensure that the business associates will appropriately safeguard the electronic PHI.  

Below are descriptions and overviews of the administrative, physical, and technical safeguards required for the security of PHI when using electronic health IT.  These are discussed in detail in the Privacy and Security Module of the Health IT Adoption Toolbox.  

Administrative Safeguards:

Administrative safeguards refer to the policies and procedures that exist in your practice to protect the security, privacy, and confidentiality of your patients’ PHI.  There are administrative safeguards that are required by both the HIPAA Privacy Rule and the HIPAA Security Rule.  The administrative safeguards required under the HIPAA Security Rule include:

  • Identifying relevant information systems
  • Conducting a risk assessment
  • Implementing a risk management program
  • Acquiring IT systems and services
  • Creating and deploying policies and procedures
  • Developing and implementing a sanctions policy

Assessing the risk of unauthorized use or disclosure is an important step in your overall plan for maintaining security within your system and is especially important when treating patients with HIV/AIDS.  The security risk assessment and risk management safeguards are discussed further in the response to the last question of this module, “How Do I Comply with Meaningful Use Requirements?”  

Physical Safeguards:

Physical safeguards for PHI and health IT refer to measures to protect the hardware and the facilities that store PHI.  Physical threats, whether in electronic or paper format, affect the security of health information.  Some of the safeguards for electronic and paper-based systems are similar, but some safeguards are specific to health IT.  Policies and procedures must be put in place to physically safeguard health IT.  These elements include:  

  • Facility access controls – Limitations for physical access to the facilities where health IT is housed, while ensuring authorized personnel are allowed access.  
  • Workstation use – Specifications for the appropriate use of workstations and the characteristics of the physical environment of workstations that can access PHI.
  • Workstation security – Restrictions on access to workstations with PHI.
  • Device and media controls – Receipt and removal of hardware and electronic media that contain PHI into and out of the facility and the movement of these items within a covered entity, including disposal, reuse of media, accountability, and data backup and storage.

Technical Safeguards:

Technical safeguards are safeguards that are built into your health IT system to protect health information and to control access to it.  This includes measures to limit access to electronic information, to encrypt and decrypt electronic information, and to guard against unauthorized access to that information while it is being transmitted to others.  Procedures and policies are required to address the following elements of technical safeguards:

  • Access control - Allowing access only to persons or software programs that have appropriate access rights to data or PHI by using, for example, unique user identification protocols, emergency access procedures, automatic logoff, and encryption and decryption mechanisms.
  • Audit controls - Recording and examining activity in health IT systems that contain or use PHI.
  • Integrity - Protecting PHI from improper alteration or destruction, including implementation of mechanisms to authenticate PHI.
  • Person or entity authentication - Verifying that a person or entity seeking access to PHI is who or what they claim to be (proof of identity).
  • Transmission security - Guarding against unauthorized access to PHI that is being transmitted over an electronic communications network.

Having technical safeguards in place can protect against various intended and unintended uses and disclosures of PHI.  The table below provides examples of risks and technical safeguards.  Some of these safeguards are preventive measures to protect PHI, while others ensure that you are made aware of any unauthorized uses or disclosures.  Furthermore, you will need to conduct regular checks of your system so that you can see who accessed the PHI stored in your system and when it was accessed.

| Risk | Technical Safeguard |
| --- | --- |
| PHI vulnerable to unauthorized disclosure, such as when PHI is left clearly visible on a computer screen after use | Ensure that the computer locks and the screen contents disappear after a certain period of inactivity, and that only authorized users of that EHR can log back into the system. |
| PHI is exchanged with outside providers, reported to public health authorities, or moved to other media such as portable drives or a personal laptop | Ensure that all data are encrypted and transferred over secure data communication lines. Institute specific policies restricting the movement of HIV/AIDS-related PHI to portable storage devices. |
| Health care workers, other than those who are authorized to view a patient's PHI, use the system to review the PHI to discover that patient’s HIV/AIDS status | Require a password for access to PHI. Ensure that appropriate roles and role-based access are defined and applied to staff. Conduct routine audits to see who has accessed sensitive data. Train all employees on the rules, regulations, and consequences of unauthorized access. |
| Health care workers, authorized to have access to a patient's PHI but not authorized to know the patient's HIV/AIDS status, inadvertently come across HIV/AIDS status when looking through the patient's EHR | Segregate HIV-related information into another section of the EHR that cannot be accessed unintentionally or intentionally by those without authorization. Ensure that role-based access is configured and activated in the IT system. This would include any information related to HIV/AIDS status, such as test results, treatments, and participation in clinical trials or research. |
| Passwords are left in open areas, or passwords become vulnerable to theft from outside sources seeking to acquire patient data illegally | Institute a system for user authentication. Examples include using additional security codes to log in, requiring answers to a set of questions before log in, or fingerprint or iris scanning technology. Adopt a clear policy on passwords and educate staff on the policy. |

While these risks exist with both health IT and paper record systems, computer-based systems can have security features built into the software to protect against unauthorized use or disclosure.  Many health IT systems have built-in security protections.  Also, EHRs that are certified by ONC for Meaningful Use must meet ONC Standards and Certification Criteria.  An EHR must meet nine security criteria to be certified for the first stage of Meaningful Use.  
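The role-based access, segregated HIV-related section, and routine audit safeguards from the table above can be sketched in a few functions. This is an added example, not code from HRSA or from any EHR product; the role names, section names, and sample chart are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Hypothetical role-to-section map; only the care team may open "hiv_related".
ROLE_SECTIONS = {
    "front_desk": {"demographics"},
    "nurse": {"demographics", "general_clinical"},
    "hiv_care_team": {"demographics", "general_clinical", "hiv_related"},
}
SENSITIVE_SECTIONS = {"hiv_related"}  # the segregated section of the chart
SAMPLE_RECORD = {  # constructed sample chart, not real patient data
    "demographics": {"name": "Test Patient"},
    "general_clinical": {"allergies": ["penicillin"]},
    "hiv_related": {"test_results": "placeholder", "treatments": "placeholder"},
}
audit_log = []

def visible_sections(role, record):
    """Sections rendered while browsing a chart; others are never shown."""
    allowed = ROLE_SECTIONS.get(role, set())  # unknown role sees nothing
    return {name: data for name, data in record.items() if name in allowed}

def read_section(user, role, patient_id, section, record):
    """Return one section if the role permits it; log every attempt."""
    allowed = section in ROLE_SECTIONS.get(role, set())
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "patient": patient_id,
        "section": section, "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"role {role!r} may not read {section!r}")
    return record[section]

def audit_review(log):
    """Routine audit: denied attempts, plus every read of a sensitive section."""
    denied = [e for e in log if not e["allowed"]]
    sensitive = [e for e in log
                 if e["allowed"] and e["section"] in SENSITIVE_SECTIONS]
    return denied, sensitive

def demo():
    audit_log.clear()
    read_section("u1", "nurse", "p1", "general_clinical", SAMPLE_RECORD)
    try:  # intentional lookup outside the nurse role is refused and logged
        read_section("u1", "nurse", "p1", "hiv_related", SAMPLE_RECORD)
    except PermissionError:
        pass
    read_section("u2", "hiv_care_team", "p1", "hiv_related", SAMPLE_RECORD)
    return audit_review(audit_log)
```

Filtering in `visible_sections` covers the inadvertent case, the check in `read_section` covers the intentional one, and logging permitted reads as well as refusals is what lets a reviewer see who opened the sensitive section.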

Below are the nine security protection capabilities required for EHR certification and the one optional capability.  These are the minimum capabilities necessary; some EHRs will have additional security capabilities.   

  • Access control: permit only authorized users to access electronic health information
  • Emergency access: permit authorized users to access electronic health information during an emergency
  • Automatic log-off: end an electronic session after a predetermined time of inactivity
  • Audit log:
    • Record actions related to electronic health information
    • Enable a user to generate an audit log for a specific time period and to sort entries
  • Integrity: verify that electronic health information has not been altered in transmission and detect the alteration of audit logs
  • Authentication: verify that a person seeking access to electronic health information is the one claimed and is authorized to access the information
  • Encryption for general information
  • Encryption when exchanging electronic health information
  • Accounting of disclosures [optional]: record disclosures made for treatment, payment, and health care operations

While a certified EHR provides considerable security capabilities, you will still need to comply with the other administrative and technical safeguards to ensure the privacy and security of your patients with HIV/AIDS.  In addition, you and your staff should be trained to comply with these protections.  Online tools and resources (see Related Resources below) can be used to develop one-on-one or group training.  In addition, the HITECH Act funds technical assistance and training programs to support meaningful use of EHR technologies.  Two of these programs offer privacy and security compliance training and will assist you to implement privacy and security protections:

Regional Extension Centers (RECs) – ONC has funded 62 RECs across the country to support the adoption and meaningful use of EHRs.  The RECs provide outreach, education, and technical assistance to help providers adopt EHRs and use them in a meaningful way. All RECs are required to educate providers on best practices related to privacy and security.  In addition, ONC has worked collaboratively with the RECs to develop tools related to risk identification and mitigation both during and after implementation.  The RECs focus their technical assistance on primary care clinicians and will assist clinicians working in safety net and community health center environments.  State-by-state REC contact information is included on this website.  

Strategic Healthcare IT Advanced Research Projects on Security (SHARPS) – SHARPS is a four-year research project supported by ONC aimed at reducing security and privacy barriers to the meaningful use of health IT.  The project is led by the University of Illinois at Urbana-Champaign.  The SHARPS website contains a list of publications by members of the team on a range of health IT security topics.

Related Resources:

  • HIPAA Security Series – This CMS series includes seven educational documents designed to give HIPAA entities insight into the Security Rule and assistance with implementation of the security standards.  Topics include:  Security 101 for Covered Entities; Administrative Safeguards; Physical Safeguards; Technical Safeguards; Organizational, Policies and Procedures and Documentation Requirements; Basics of Risk Analysis and Risk Management; and Security Standards: Implementation for the Small Provider.
  • Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices – This ONC guide assists small health care practices to reassess their existing health information security policies for adopting and implementing EHRs.  It includes frequently asked questions to help your practice identify appropriate safeguards and conduct risk assessments to secure electronic health information.
  • Technical Guidance for HIV/AIDS Surveillance Programs:  Security and Confidentiality Guidelines (PDF - 2.2 MB) – This Centers for Disease Control and Prevention (CDC) document for State and other governmental staff provides a set of guidelines for HIV/AIDS Surveillance Programs on confidentiality and security while conducting HIV/AIDS surveillance.  Included is a Security and Confidentiality Program Requirement Checklist.
  • Ensuring Security of High-Risk Information in EHRs – This article discusses security precautions when dealing with sensitive protected health information.
  • HIV/AIDS Confidentiality and Data Security Guidance – This guidance document is targeted to local health departments and community based organizations that are developing, implementing, and maintaining policies and procedures to protect HIV/AIDS client confidentiality and medical records.

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.