How Do I Ensure Security in Our System?
Ensuring the security of protected health information (PHI) in your health IT system requires that you institute measures to guard against unauthorized use and disclosure of PHI. The HIPAA Standards for the Protection of Electronic Protected Health Information, known as the Security Rule, applies only to PHI in electronic form. As with the Privacy Rule, the Security Rule requires covered entities to have contracts or other arrangements in place with their business associates to ensure that the business associates will appropriately safeguard the electronic PHI.
Below are descriptions and overviews of the administrative, physical, and technical safeguards required for the security of PHI when using electronic health IT.
Administrative safeguards refer to the policies and procedures that exist in your practice to protect the security, privacy, and confidentiality of you patients’ PHI. There are administrative safeguards that are required by both the HIPAA Privacy Rule and the HIPAA Security Rule. The administrative safeguards required under the HIPAA Security Rule include:
Assessing the risk of unauthorized use or disclosure is an important step in your overall plan for maintaining security within your system and is especially important when treating patients with HIV/AIDS. The security risk assessment and risk management safeguards are discussed further in the response to the last question of this module, “How Do I Comply with Meaningful Use Requirements?”
Physical safeguards for PHI and health IT refer to measures to protect the hardware and the facilities that store PHI. Physical threats, whether in electronic or paper formation, affect the security of health information. Some of the safeguards for electronic and paper-based systems are similar, but some safeguards are specific to health IT. Policies and procedures must be put in place to physically safeguard health IT. These elements include:
Technical safeguards are safeguards that are built into your health IT system to protect health information and to control access to it. This includes measures to limit access to electronic information, to encrypt and decrypt electronic information, and to guard against unauthorized access to that information while it is being transmitted to others. Procedures and policies are required to address the following elements of technical safeguards:
Having technical safeguards in place can protect against various intended and unintended uses and disclosures of PHI. The table below provides examples of risks and technical safeguards. Some of these safeguards are preventive measures to protect PHI, while others ensure that you are made aware of any unauthorized uses or disclosures. Furthermore, you will need to conduct regular checks of your system so that you can see who accessed the PHI stored in your system and when it was accessed.
PHI vulnerable to unauthorized disclosure, such as when PHI is left clearly visible on a computer screen after use
Ensure that computer locks and the screen disappears after a certain period of inactivity, and that only authorized users of that EHR can log back into the system.
PHI is exchanged with outside providers, reported to public health authorities, or moved to other media such as portable drives or a personal laptop
Ensure that all data are encrypted and transferred over secure data communication lines.
Institute specific policies restricting the movement of HIV/AIDS related PHI to portable storage devices.
Health care workers, other than those who are authorized to view a patient's PHI, use the system to review the PHI to discover that patient’s HIV/AIDS status
Require a password for access to PHI. Ensure that appropriate roles and role based access is defined and applied to staff. Conduct routine audit to see who has accessed sensitive data. Train all employees on the rules, regulations, and consequences of unauthorized access.
Health care workers, authorized to have access to a patient's PHI but not authorized to know the patient's HIV/AIDS status, inadvertently come across HIV/AIDS status when looking through the patient's EHR
Segregate HIV-related information into another section of the EHR that cannot be accessed unintentionally or intentionally by those without authorization. Ensure that role based access is configured and activated in the IT system. This would include any information related to HIV/AIDS status, such as test results, treatments, and participation in clinical trials or research.
Passwords are left in open areas, or passwords become vulnerable to theft from outside sources seeking to acquire patient data illegally
Institute a system for user authentication. Examples include using additional security codes to log in, requiring answers to a set of questions before log in, or fingerprint or iris scanning technology. Adopt a clear policy on passwords and educate staff on the policy.
While these risks exist with both health IT and paper record systems, computer-based systems can have security features built into the software to protect against unauthorized use or disclosure. Many health IT systems have built-in security protections. Also, EHRs that are certified by ONC for Meaningful Use must meet ONC Standards and Certification Criteria. An EHR must meet nine security criteria to be certified for the first stage of Meaningful Use.
Below are the nine security protection capabilities required for EHR certification and the one optional capability. These are the minimum capabilities necessary; some EHRs will have additional security capabilities.
While a certified EHR provides considerable security capabilities, you will still need to comply with the other administrative and technical safeguards to ensure the privacy and security of your patients with HIV/AIDS. In addition, you and your staff should be trained to comply with these protections. Online tools and resources (see Related Resources below) can be used to develop one-on-one or group training. In addition, the HITECH Act funds technical assistance and training programs to support meaningful use of EHR technologies. Two of these programs offer privacy and security compliance training and will assist you to implement privacy and security protections:
Regional Extension Centers (RECs) – ONC has funded 62 RECS across the country to support the adoption and meaningful use of EHRs. The RECs provide outreach, education, and technical assistance to help providers adopt EHRs and use them in a meaningful way. All RECs are required to educate providers on best practices related to privacy and security. In addition, ONC has worked collaboratively with the RECs to develop tools related to risk identification and mitigation both during and after implementation. The RECs focus their technical assistance on primary care clinicians and will assist clinicians working in safety net and community health center environments. State-by-state REC contact information is included on this website.
Strategic Healthcare IT Advanced Research Projects on Security (SHARPS) – SHARPS is a four-year research project supported by ONC aimed at reducing security and privacy barriers to the meaningful use of health IT. The project is led by the University of Illinois at Urbana-Champaign. The SHARPS website contains a list of publications by members of the team on a range of health IT security topics.
HIPAA Security Series – This CMS series includes seven educational documents designed to give HIPAA entities insight into the Security Rule and assistance with implementation of the security standards. Topics include: Security 101 for Covered Entities; Administrative Safeguards; Physical Safeguards; Technical Safeguards; Organizational, Policies and Procedures and Documentation Requirements; Basics of Risk Analysis and Risk Management; and Security Standards: Implementation for the Small Provider.
Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices – This ONC guide assists small health care practices to reassess their existing health information security policies for adopting and implementing EHRs. It includes frequently asked questions to help your practice identify appropriate safeguards and conduct risk assessments to secure electronic health information.
Technical Guidance for HIV/AIDS Surveillance Programs: Security and Confidentiality Guidelines (PDF - 2.2 MB) – This Centers for Disease Control and Prevention (CDC) document for State and other governmental staff provides a set of guidelines for HIV/AIDS Surveillance Programs on confidentiality and security while conducting HIV/AIDS surveillance. Included is a Security and Confidentiality Program Requirement Checklist.
Ensuring Security of High-Risk Information in EHRs – This article discusses security precautions when dealing with sensitive protected health information.
HIV/AIDS Confidentiality and Data Security Guidance – This guidance document is targeted to local health departments and community based organizations that are developing, implementing, and maintaining policies and procedures to protect HIV/AIDS client confidentiality and medical records.
E-mail the HealthIT e-mail box: firstname.lastname@example.org